Disable Apache Qpid (qpidd)

Docs > Datadog Security > OOTB Rules > Disable Apache Qpid (qpidd)

Description

The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts.

The qpidd service can be disabled with the following command:

$ sudo systemctl disable qpidd.service

Rationale

The qpidd service is automatically installed when the “base” package selection is selected during installation. The qpidd service listens for network connections, which increases the attack surface of the system. If the system is not intended to receive AMQP traffic, then the qpidd service is not needed and should be disabled or removed.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'qpidd.service'
"$SYSTEMCTL_EXEC" disable 'qpidd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL_EXEC" disable 'qpidd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service'

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable service qpidd
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - qpidd
  tags:
    - service_qpidd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7


- name: Disable socket of service qpidd if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - qpidd.socket
  tags:
    - service_qpidd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7