documentation_complete: true
title: 'Disable rexec Service'
description: |-
The rexec service, which is available with the rsh-server package
and runs as a service through xinetd or separately as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec.
{{{ describe_socket_disable(socket="rexec") }}}
rationale: |-
The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
severity: high
identifiers:
cce@rhel8: CCE-80884-0
cce@rhel9: CCE-88104-5
cce@rhel10: CCE-90241-1
cce@sle15: CCE-91420-0
references:
cis-csc: 11,12,14,15,3,8,9
cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
cui: 3.1.13,3.4.7
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
nist: CM-7(a),CM-7(b),CM-6(a),IA-5(1)(c)
nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
{{{ complete_ocil_entry_socket_and_service_disabled("rexec") }}}
platform: system_with_kernel
{{% if product == "sle15" %}}
template:
name: xinetd_service_disabled
vars:
servicename: rexec
packagename: rsh-server
{{% else %}}
template:
name: service_disabled
vars:
servicename: rexec
packagename: rsh-server
{{% endif %}}