Disable Apache Qpid (qpidd)
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The qpidd
service provides high speed, secure,
guaranteed delivery services. It is an implementation of the Advanced Message
Queuing Protocol. By default the qpidd service will bind to port 5672 and
listen for connection attempts.
The qpidd
service can be disabled with the following command:
$ sudo systemctl disable qpidd.service
Rationale
The qpidd service is automatically installed when the “base”
package selection is selected during installation. The qpidd service listens
for network connections, which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic, then the qpidd
service is not needed and should be disabled or removed.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'qpidd.service'
"$SYSTEMCTL_EXEC" disable 'qpidd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL_EXEC" disable 'qpidd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service'
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable service qpidd
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: service_result
failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
with_items:
- qpidd
tags:
- service_qpidd_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(8)
- NIST-800-53-CM-7
- name: Disable socket of service qpidd if applicable
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: socket_result
failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
with_items:
- qpidd.socket
tags:
- service_qpidd_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(8)
- NIST-800-53-CM-7