Description
The cups service can be disabled with the following command:
$ sudo systemctl mask --now cups.service
Rationale
Turn off unneeded services to reduce attack surface.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'cups.service'
    "$SYSTEMCTL_EXEC" disable 'cups.service'
    "$SYSTEMCTL_EXEC" mask 'cups.service'
    # Disable socket activation if we have a unit file for it
    if "$SYSTEMCTL_EXEC" -q list-unit-files cups.socket; then
        "$SYSTEMCTL_EXEC" stop 'cups.socket'
        "$SYSTEMCTL_EXEC" mask 'cups.socket'
    fi
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
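To confirm that the remediation took effect, the following audit sketch checks that both `cups.service` and `cups.socket` are unstartable and not running. It is an added example, not part of the original rule content or its OVAL check; the function names, the `--live` switch and the sample outputs are constructed for illustration, and treating a unit that is not installed (`not-found`) as compliant is an assumption.

```shell
#!/bin/sh
# Added example: audit check for the cups remediation (not from the original page).

# Read `systemctl show` key=value lines on stdin; succeed only if the unit
# cannot be started (masked, or not installed) and is not currently running.
unit_is_disabled() {
    load='' active=''
    while IFS='=' read -r key value; do
        case "$key" in
            LoadState)   load=$value ;;
            ActiveState) active=$value ;;
        esac
    done
    case "$load" in
        masked|not-found) ;;
        *) return 1 ;;
    esac
    # 'failed' is not accepted: the remediation runs reset-failed so that
    # the unit reports 'inactive'.
    [ "$active" = "inactive" ]
}

# Constructed sample outputs (not captured from a real host).
sample_masked() { printf 'LoadState=masked\nActiveState=inactive\nUnitFileState=masked\n'; }
sample_socket_listening() { printf 'LoadState=loaded\nActiveState=active\nUnitFileState=enabled\n'; }
sample_failed() { printf 'LoadState=masked\nActiveState=failed\nUnitFileState=masked\n'; }

# Live check of both units; only runs when the script is called with --live.
audit_cups() {
    rc=0
    for unit in cups.service cups.socket; do
        if systemctl show -p LoadState -p ActiveState "$unit" | unit_is_disabled; then
            echo "PASS $unit"
        else
            echo "FAIL $unit"; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit_cups; fi
```

Checking the socket separately matters because a `cups.socket` that is still loaded and active keeps listening even after `cups.service` has been masked.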
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Block Disable service cups
  block:

  - name: Disable service cups
    block:

    - name: Disable service cups
      systemd:
        name: cups.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service cups' failure, service was already disabled
      meta: noop
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

- name: Unit Socket Exists - cups.socket
  command: systemctl list-unit-files cups.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity

- name: Disable socket cups
  systemd:
    name: cups.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"cups.socket" in socket_file_exists.stdout_lines[1]'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSSv4-2.2.4
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_cups_disabled
  - unknown_severity