{"description": "The <tt>saslauthd</tt> service handles plaintext authentication requests on\nbehalf of the SASL library. The service isolates all code requiring superuser\nprivileges for SASL authentication into a single process, and can also be used\nto provide proxy authentication services to clients that do not understand SASL\nbased authentication.\n\nThe <code>saslauthd</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now saslauthd.service</pre>", "rationale": "The <tt>saslauthd</tt> service provides essential functionality for\nperforming authentication in some directory environments, such as those which\nuse Kerberos and LDAP. For others, however, in which only local files may be\nconsulted, it is not necessary and should be disabled.", "severity": "low", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"saslauthd\" is loaded and not masked", "ocil": "To check that the <code>saslauthd</code> service is disabled in system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled <code>saslauthd</code></pre>\nOutput should indicate the <code>saslauthd</code> service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>saslauthd</code><br/> disabled</pre>\n\nRun the following command to verify <code>saslauthd</code> is not active (i.e. not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active saslauthd</pre>\n\nIf the service is not running the command will return the following output:\n<pre>inactive</pre>\n\nThe service will also be masked, to check that the <code>saslauthd</code> is masked, run the following command:\n<pre>$ sudo systemctl show <code>saslauthd</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked the command will return the following outputs:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_saslauthd_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_saslauthd_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Cyrus SASL Authentication Daemon (saslauthd)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "saslauthd", "packagename": "cyrus-sasl"}, "backends": {}}}