metadata/service/system/cis/cis-2-3-2.yml

# 2.3.2 Ensure rsh client is not installed
#
# Description
# ===========
# The rsh package contains the client commands for the rsh services.
#
# Rationale
# =========
# These legacy clients contain numerous security exposures and have been
# replaced with the more secure SSH package. Even if the server is removed,
# it is best to ensure the clients are also removed to prevent users from
# inadvertently attempting to use these commands and therefore exposing
# their credentials. Note that removing the rsh package removes the
# clients for rsh , rcp and rlogin .
#
# Audit
# =====
# Run the following commands and verify rsh is not installed:
#
#   dpkg -s rsh-client
#   dpkg -s rsh-redone-client
#
# Remediation
# ===========
# Run the following command to uninstall rsh :
#
#   apt-get remove rsh-client rsh-redone-client
#
# Impact
# ======
# Many insecure service clients are used as troubleshooting tools and in
# testing environments. Uninstalling them can inhibit capability to test
# and troubleshoot. If they are required it is advisable to remove the
# clients after use to prevent accidental or intentional misuse.
#
# NOTE
# ====
# It is not possible to remove rsh-client by means of SaltStack because
# of the way SaltStack checks that package was really removed. 'rsh-client'
# is "provided" by openssh-client package, and SaltStack thinks that
# it is the same as 'rsh-client is installed'. So each time we try to
# remove 'rsh-client' on a system where 'openssh-client' is installed
# (that's almost every system), we got state failure.
# This was fixed in upstream SaltStack in 2018, not sure where we start using
# this version. Until that moment 'rsh-client' should remain unmanaged.
#
parameters:
  linux:
    system:
      package:
#        rsh-client:
#          version: removed
        rsh-redone-client:
          version: removed