Free DISA STIG and SRG Library | Vaulted

V-14669

The network element must have all BSDr commands disabled.

Finding ID
NET0744
Rule ID
SV-15315r2_rule
Severity
Cat II
CCE
(None)
Group Title
BSDr commands are not disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Berkeley Software Distribution (BSD) “r” commands allow users to execute commands on remote systems using a variety of protocols. The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The difficulty with these commands is that they use address-based authentication. An attacker who convinces a server that he is coming from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by impersonating a trusted machine and using IP address, by confusing DNS so that DNS thinks that the attacker's IP address maps to a trusted machine's name, or by any of a number of other methods

Fix Text

Configure the device to disable BSDr command services.

Check Content

Under the edit system services hierarchy, enter a show command to verify that the rlogin command is not present.

Responsibility

Information Assurance Officer