Profile Applicability:
 • Level 1

Description:
 The dnsmasq service provides DNS, DHCP, and TFTP services. If not required, disabling dnsmasq reduces unnecessary network services, minimizing the system’s attack surface and potential vulnerabilities.

Rationale:
 Disabling unused dnsmasq services prevents unauthorized network service provision and limits exposure to network-based attacks.

Impact:
 Pros:

  • Reduces risk by limiting unnecessary network daemons.

  • Helps maintain a minimal and secure service footprint.

Cons:

  • Disabling dnsmasq may disrupt legitimate services relying on it.

Default Value:
 dnsmasq may be enabled by default on some systems.

Pre-requisites:

  • Root or sudo privileges to manage system services.

Remediation:

Test Plan:

Using Linux command line:

1. Check if dnsmasq service is enabled:

systemctl is-enabled dnsmasq

2. Check if dnsmasq service is running:

systemctl status dnsmasq

Implementation Plan:

Using Linux command line:

1. Disable the dnsmasq service:

systemctl disable dnsmasq

2. Stop the running dnsmasq service:

systemctl stop dnsmasq

3. Verify service is disabled and stopped:

systemctl is-enabled dnsmasq
systemctl status dnsmasq
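The Test Plan and Implementation Plan above as a small audit script (an added example, not part of the benchmark text). It assumes systemd's systemctl and the dnsmasq unit name used on the page, and uses `systemctl is-active` in place of `systemctl status` because its one-word output is scriptable.

```shell
#!/bin/sh
# Audit helper for the dnsmasq recommendation (added example, not from the
# benchmark). Assumes systemd; "dnsmasq" is the unit name used on the page.

# Map the two probe results to a verdict. The check passes only when the
# unit is disabled, masked or absent AND it is not running. Anything else
# (enabled, static, indirect, ...) is treated conservatively as a failure.
# Prints the verdict and returns 0 on PASS, 1 on FAIL.
dnsmasq_verdict() {
    enabled_state="$1"   # output of: systemctl is-enabled dnsmasq
    active_state="$2"    # output of: systemctl is-active dnsmasq
    case "$enabled_state" in
        disabled|masked|not-found|"") unit_ok=1 ;;   # "" = unit not present
        *)                            unit_ok=0 ;;
    esac
    case "$active_state" in
        inactive|failed|unknown|"")   run_ok=1 ;;
        *)                            run_ok=0 ;;
    esac
    if [ "$unit_ok" -eq 1 ] && [ "$run_ok" -eq 1 ]; then
        echo "PASS: dnsmasq is ${enabled_state:-not-found} and ${active_state:-inactive}"
        return 0
    fi
    echo "FAIL: dnsmasq is ${enabled_state:-unknown} and ${active_state:-unknown}"
    return 1
}

# Test Plan: run both probes and feed them to the verdict. stderr is
# silenced because systemctl complains on stderr when the unit is absent.
dnsmasq_audit() {
    e=$(systemctl is-enabled dnsmasq 2>/dev/null)
    a=$(systemctl is-active dnsmasq 2>/dev/null)
    dnsmasq_verdict "$e" "$a"
}

# Implementation Plan: disable, stop, then re-run the audit to verify.
dnsmasq_remediate() {
    systemctl disable dnsmasq 2>/dev/null
    systemctl stop dnsmasq 2>/dev/null
    dnsmasq_audit
}
```

`dnsmasq_audit` returns non-zero when the check fails, so it can be used directly as the exit status of a larger audit run.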

Backout Plan:

Using Linux command line:

1. Enable and start the dnsmasq service if required:

systemctl enable dnsmasq
systemctl start dnsmasq

2. Verify the service status with systemctl is-enabled dnsmasq and systemctl status dnsmasq.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • Systemd Service Management