{"description": "The Red Hat Subscription Manager (rhsmcertd) periodically checks for\nchanges in the entitlement certificates for a registered system and updates it\naccordingly.\n\nThe <code>rhsmcertd</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now rhsmcertd.service</pre>", "rationale": "The <tt>rhsmcertd</tt> service can provide administrators with some\nadditional control over which of their systems are entitled to particular\nsubscriptions. However, for systems that are managed locally or which are not\nexpected to require remote changes to their subscription status, it is\nunnecessary and can be disabled.", "severity": "low", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"rhsmcertd\" is loaded and not masked", "ocil": "To check that the <code>rhsmcertd</code> service is disabled in system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled <code>rhsmcertd</code></pre>\nOutput should indicate the <code>rhsmcertd</code> service has either not been installed,\nor has been disabled at all 
runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>rhsmcertd</code><br/> disabled</pre>\n\nRun the following command to verify <code>rhsmcertd</code> is not active (i.e. not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active rhsmcertd</pre>\n\nIf the service is not running, the command will return the following output:\n<pre>inactive</pre>\n\nThe service will also be masked. To check that <code>rhsmcertd</code> is masked, run the following command:\n<pre>$ sudo systemctl show <code>rhsmcertd</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked, the command will return the following outputs:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_rhsmcertd_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_rhsmcertd_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Red Hat Subscription Manager Daemon (rhsmcertd)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "rhsmcertd", "packagename": "subscription-manager"}, "backends": {}}}