2.1.22 Ensure only approved services are listening on a network interface

Information

A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP.

A listening port is a network port on which an application or process listens, acting as a communication endpoint.

Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations.

Services listening on the system pose a potential risk as an attack vector. These services should be reviewed, and if not required, the service should be stopped, and the package containing the service should be removed. If required packages have a dependency, the service should be stopped and masked to reduce the attack surface of the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the following commands to stop the service and remove the package containing the service:

# systemctl stop <service_name>.socket <service_name>.service
# apt purge <package_name>

- OR - If required packages have a dependency:

Run the following commands to stop and mask the service and socket:

# systemctl stop <service_name>.socket <service_name>.service
# systemctl mask <service_name>.socket <service_name>.service

Note: replace <service_name> with the appropriate service name.

Impact:

There may be packages that are dependent on the service's package. If the service's package is removed, these dependent packages will be removed as well. Before removing the service's package, review any dependent packages to determine if they are required on the system.

- IF - a dependent package is required: stop and mask the <service_name>.socket and <service_name>.service, leaving the service's package installed.
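The review step above (decide which listeners are approved, then stop and purge or mask the rest) can be scripted as a check. The script below is an added example, not part of the CIS benchmark or the Nessus plugin; it assumes `ss` from iproute2 is available, and the APPROVED allow-list is an assumed per-host policy that you would adjust.

```shell
#!/bin/sh
# Added example: audit listening sockets against an approved allow-list.
# Not part of the CIS benchmark or the Nessus plugin. Assumes `ss` from
# iproute2; the APPROVED list below is an assumed per-host policy.

# Approved listeners as "proto:port" pairs (assumption: sshd and a DHCP client).
APPROVED="tcp:22 udp:68"

# Constructed sample of `ss -H -tulpn` output (columns: Netid State Recv-Q
# Send-Q Local:Port Peer:Port Process) so the check runs offline.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:68   0.0.0.0:*  users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80   0.0.0.0:*  users:(("nginx",pid=950,fd=6))
tcp   LISTEN 0 128 127.0.0.1:25 0.0.0.0:*  users:(("exim4",pid=1020,fd=4))
tcp   LISTEN 0 128 [::]:22      [::]:*     users:(("sshd",pid=801,fd=4))'

# Print one "proto port process" line per listener not on the allow-list.
# $1: ss output to inspect; when empty, the live `ss -H -tulpn` is used.
unapproved_listeners() {
    input="$1"
    [ -n "$input" ] || input="$(ss -H -tulpn 2>/dev/null)"
    printf '%s\n' "$input" | awk -v approved="$APPROVED" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            proto = $1
            port = $5; sub(/.*:/, "", port)   # keep only the port after the last colon
            proc = "-"
            # the process name sits inside users:(("name",pid=...)) when ss runs as root
            if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            key = proto ":" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print proto, port, proc }
        }'
}

# Each reported listener is a candidate for the remediation above:
# stop it, then either purge its package or mask the .socket and .service.
unapproved_listeners "$SAMPLE_SS"
```

Run on a live host with `unapproved_listeners` (no argument) as root so that process names are populated; with the constructed sample it reports the nginx and exim4 listeners and accepts sshd on both IPv4 and IPv6.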

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 5e771dd2bb4299429123e6eb72a3f18116adcf79b6acd6b0a2e72fbfe27dab97