{"description": "Make sure that the activation of the <tt>telnet</tt> service on system boot is disabled.\n\nThe <code>telnet</code> socket can be disabled with the following command:\n<pre>$ sudo systemctl mask --now telnet.socket</pre>", "rationale": "The telnet protocol uses unencrypted network communication, which means that data from the\nlogin session, including passwords and all other information transmitted during the session,\ncan be stolen by eavesdroppers on the network. The telnet protocol is also subject to\nman-in-the-middle attacks.", "severity": "high", "references": {"cis-csc": ["1", "11", "12", "14", "15", "16", "3", "5", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.06", "DSS06.10"], "cui": ["3.1.13", "3.4.7"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.18.1.4", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "IA-5(1)(c)"], 
"nist-csf": ["PR.AC-1", "PR.AC-3", "PR.AC-6", "PR.AC-7", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "ism": ["1409"]}, "control_references": {"ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "service and/or socket are running", "ocil": "\nTo check that the <code>telnet</code> service is disabled in system boot configuration with xinetd, run the following command:\n<pre>$ chkconfig <code>telnet</code> --list</pre>\nOutput should indicate the <code>telnet</code> service has either not been installed, or has been disabled, as shown in the example below:\n<pre>$ chkconfig <code>telnet</code> --list\n\nNote: This output shows SysV services only and does not include native\nsystemd services. SysV configuration data might be overridden by native\nsystemd configuration.\n\nIf you want to list systemd services use 'systemctl list-unit-files'.\nTo see services enabled on particular target use\n'systemctl list-dependencies [target]'.\n\n<code>telnet</code>       off</pre>\n\nTo check that the <code>telnet</code> socket is disabled in system boot configuration with systemd, run the following command:\n<pre>$ systemctl is-enabled <code>telnet</code></pre>\nOutput should indicate the <code>telnet</code> socket has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>telnet</code><br/>disabled</pre>\n\nRun the following command to verify <code>telnet</code> is not active (i.e. 
not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active telnet</pre>\n\nIf the socket is not running, the command will return the following output:\n<pre>inactive</pre>\n\nThe socket will also be masked. To check that the <code>telnet</code> socket is masked, run the following command:\n<pre>$ sudo systemctl show <code>telnet</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the socket is masked, the command will return the following output:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If the system relies on <tt>xinetd</tt> to manage telnet sessions, ensure the telnet service\nis disabled by the following line: <tt>disable = yes</tt>. Note that the xinetd file for\ntelnet is not created automatically, so it might have a different name."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel and package[telnet-server]", "platforms": ["system_with_kernel and package[telnet-server]"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_telnet_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_telnet_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["package_telnet-server_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable telnet Service", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "telnet", "packagename": "telnet-server"}, "backends": {}}}