# Disable unused plugins and services in 389DS
389-CM-002 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-CM-002 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | CM-7 |
| DISA SRG | SRG-APP-000141, SRG-APP-000383 |
## Rationale

Every enabled plugin in 389 Directory Server adds active code paths, potential network endpoints, and in some cases stored credentials or internal accounts that an attacker can target. A vulnerability in a single unnecessary plugin (for example the DNA, Linked Attributes, or Managed Entries plugin) can expose the entire directory service even when every other control is correctly applied. Following the principle of least functionality (NIST SP 800-53 CM-7), any plugin that is not demonstrably required by the deployment should be disabled, reducing both the exploitable attack surface and the scope of future security assessments. A minimal plugin footprint also reduces the likelihood that a third-party or legacy plugin vulnerability affects an otherwise hardened server, and simplifies compliance evidence by limiting what must be justified as necessary functionality. This control is assessed under DISA SRG-APP-000141 and SRG-APP-000383.
## Check

List all enabled plugins and compare them against the set of plugins required for your deployment.

```shell
dsconf <instance> plugin list
```
## Remediation

Disable each plugin that is not required for the deployment, then restart the server.

```shell
dsconf <instance> plugin set "<plugin-name>" --enabled off
dsctl <instance> restart
```
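The check and remediation above amount to one procedure: take the plugin list, subtract the plugins the deployment needs, and disable the rest. The following script is an added example (not part of this control or of the 389DS project) that does the comparison against a site allowlist and emits the `dsconf` commands for review rather than running them. It assumes `dsconf <instance> plugin list` prints one plugin name per line; the sample list, the allowlist, and the instance name `ldap1` are constructed for the example, and the special case for MemberOf mirrors the dedicated `plugin memberof disable` subcommand mentioned in the Implementation Notes.

```shell
#!/bin/sh
# Added example: audit enabled 389DS plugins against an allowlist of required plugins
# and produce the disable commands for operator review (dry run by default).

# Constructed sample of `dsconf <instance> plugin list` output
# (assumption: one plugin name per line).
SAMPLE_PLUGIN_LIST='7-bit check
ACL Plugin
ACL preoperation
Account Policy Plugin
Distributed Numeric Assignment Plugin
Linked Attributes
Managed Entries
MemberOf Plugin
Password Storage Schemes
Retro Changelog Plugin'

# Plugins this deployment requires (constructed allowlist; edit for your site).
# Core plugins such as ACL stay listed so they are never proposed for disabling.
REQUIRED_PLUGINS='7-bit check
ACL Plugin
ACL preoperation
Account Policy Plugin
Password Storage Schemes'

# plugins_to_disable LIST REQUIRED
# Prints every plugin in LIST that does not appear (exact, whole-line match) in REQUIRED.
plugins_to_disable() {
    printf '%s\n' "$1" | while IFS= read -r plugin; do
        [ -n "$plugin" ] || continue
        if ! printf '%s\n' "$2" | grep -Fxq -- "$plugin"; then
            printf '%s\n' "$plugin"
        fi
    done
}

# count_disable_candidates LIST REQUIRED
# Returns the number of plugins that would be disabled.
count_disable_candidates() {
    plugins_to_disable "$1" "$2" | wc -l | tr -d ' '
}

# emit_disable_commands INSTANCE LIST REQUIRED
# Prints one dsconf command per surplus plugin. Plugins with a dedicated
# subcommand (MemberOf here, as an assumption) use that form; the rest use
# the generic `plugin set ... --enabled off` syntax.
emit_disable_commands() {
    instance=$1
    plugins_to_disable "$2" "$3" | while IFS= read -r plugin; do
        case "$plugin" in
            "MemberOf Plugin")
                printf 'dsconf %s plugin memberof disable\n' "$instance" ;;
            *)
                printf 'dsconf %s plugin set "%s" --enabled off\n' "$instance" "$plugin" ;;
        esac
    done
    # A restart is needed once, after all plugin state changes.
    printf 'dsctl %s restart\n' "$instance"
}

# Live use (commented out): capture the real list and review the output before
# executing it, e.g. emit_disable_commands "$INSTANCE" "$(dsconf "$INSTANCE" plugin list)" "$REQUIRED_PLUGINS"
# Review pass on the constructed sample:
emit_disable_commands ldap1 "$SAMPLE_PLUGIN_LIST" "$REQUIRED_PLUGINS"
```

Run it once against the real `plugin list` output, read the emitted commands, and only then execute them; because matching is exact and whole-line, a plugin missing from the allowlist by a single character will show up as a candidate, which is the safer failure mode for an allowlist.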
## References
## Implementation Notes

Before disabling any plugin, confirm that no application, replication topology component, or internal feature depends on it; some plugins (such as Password Policy and ACL) are core to correct operation and must remain enabled. The generic disable syntax is `dsconf <instance> plugin set "<plugin-name>" --enabled off`; however, several plugins also expose their own enable/disable subcommands (e.g., `dsconf <instance> plugin memberof disable`). Verify which form applies with `dsconf <instance> plugin <plugin-name> --help` before scripting. Plugin state changes require a server restart to take effect; schedule maintenance accordingly and verify service health after restarting.