Disable Apache Qpid (qpidd)

Docs > Datadog Security > OOTB Rules > Disable Apache Qpid (qpidd)

Classification:

compliance

Framework:

Control:

Description

The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts.

The qpidd service can be disabled with the following command:

$ sudo systemctl disable qpidd.service

Rationale

The qpidd service is automatically installed when the “base” package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

SYSTEMCTL\_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL\_EXEC" stop 'qpidd.service'
"$SYSTEMCTL\_EXEC" disable 'qpidd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL\_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL\_EXEC" disable 'qpidd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL\_EXEC" reset-failed 'qpidd.service'

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable service qpidd
 service:
 name: "{{item}}"
 enabled: "no"
 state: "stopped"
 register: service\_result
 failed\_when: "service\_result is failed and ('Could not find the requested service' not in service\_result.msg)"
 with\_items:
 - qpidd
 tags:
 - service\_qpidd\_disabled
 - unknown\_severity
 - disable\_strategy
 - low\_complexity
 - low\_disruption
 - NIST-800-53-AC-17(8)
 - NIST-800-53-CM-7


- name: Disable socket of service qpidd if applicable
 service:
 name: "{{item}}"
 enabled: "no"
 state: "stopped"
 register: socket\_result
 failed\_when: "socket\_result is failed and ('Could not find the requested service' not in socket\_result.msg)"
 with\_items:
 - qpidd.socket
 tags:
 - service\_qpidd\_disabled
 - unknown\_severity
 - disable\_strategy
 - low\_complexity
 - low\_disruption
 - NIST-800-53-AC-17(8)
 - NIST-800-53-CM-7