commit 4326d345c7b76f06386865d604c33899faaf4260
author Dmitry Teselkin <dteselkin@mirantis.com> Thu Apr 26 17:21:22 2018 +0300
committer Dmitry Teselkin <dteselkin@mirantis.com> Thu Sep 06 05:50:31 2018 +0000
tree 54827d2d13a552afca40dd7386071d8ac40693a1
parent 5f2c6ce2189edf9080d8d0a28c60e3da1110a5bf

CIS compliance (packages)

* CIS 1.5.4 Ensure prelink is disabled
* CIS 2.3.1 Ensure NIS Client is not installed
* CIS 2.3.2 Ensure rsh client is not installed
* CIS 2.3.3 Ensure talk client is not installed
* CIS 2.3.4 Ensure telnet client is not installed

Change-Id: I0eb11d39deaa28f238a2e618bf95cc248189197c

metadata/service/system/cis/cis-2-3-2.yml

diff --git a/metadata/service/system/cis/cis-2-3-2.yml b/metadata/service/system/cis/cis-2-3-2.yml
new file mode 100644
index 0000000..ecbfa6a
--- /dev/null
+++ b/metadata/service/system/cis/cis-2-3-2.yml
@@ -0,0 +1,55 @@
+# 2.3.2 Ensure rsh client is not installed
+#
+# Description
+# ===========
+# The rsh package contains the client commands for the rsh services.
+#
+# Rationale
+# =========
+# These legacy clients contain numerous security exposures and have been
+# replaced with the more secure SSH package. Even if the server is removed,
+# it is best to ensure the clients are also removed to prevent users from
+# inadvertently attempting to use these commands and therefore exposing
+# their credentials. Note that removing the rsh package removes the
+# clients for rsh , rcp and rlogin .
+#
+# Audit
+# =====
+# Run the following commands and verify rsh is not installed:
+#
+#   dpkg -s rsh-client
+#   dpkg -s rsh-redone-client
+#
+# Remediation
+# ===========
+# Run the following command to uninstall rsh :
+#
+#   apt-get remove rsh-client rsh-redone-client
+#
+# Impact
+# ======
+# Many insecure service clients are used as troubleshooting tools and in
+# testing environments. Uninstalling them can inhibit capability to test
+# and troubleshoot. If they are required it is advisable to remove the
+# clients after use to prevent accidental or intentional misuse.
+#
+# NOTE
+# ====
+# It is not possible to remove rsh-client by means of SaltStack because
+# of the way SaltStack checks that package was really removed. 'rsh-client'
+# is "provided" by openssh-client package, and SaltStack thinks that
+# it is the same as 'rsh-client is installed'. So each time we try to
+# remove 'rsh-client' on a system where 'openssh-client' is installed
+# (that's almost every system), we got state failure.
+# This was fixed in upstream SaltStack in 2018, not sure where we start using
+# this version. Until that moment 'rsh-client' should remain unmanaged.
+#
+parameters:
+  linux:
+    system:
+      package:
+#        rsh-client:
+#          version: removed
+        rsh-redone-client:
+          version: removed
+