Disable Odd Job Daemon (oddjobd)
Description
The oddjobd service provides an interface and access control mechanism through which privileged helper programs can run specified tasks on behalf of unprivileged client applications. Communication with oddjobd takes place over the system message bus (D-Bus).
The oddjobd service can be disabled with the following command:
$ sudo systemctl disable oddjobd.service
Rationale
The oddjobd service may provide necessary functionality in some environments, but it should be disabled wherever it is not needed. Execution of tasks by privileged programs on behalf of unprivileged ones has traditionally been a source of privilege escalation security issues.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'oddjobd.service'
"$SYSTEMCTL_EXEC" disable 'oddjobd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^oddjobd.socket\>' && "$SYSTEMCTL_EXEC" disable 'oddjobd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service'
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable service oddjobd
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - oddjobd
  tags:
    - service_oddjobd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-CM-7

- name: Disable socket of service oddjobd if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - oddjobd.socket
  tags:
    - service_oddjobd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-CM-7