Disable Apache Qpid (qpidd)
Description
The qpidd service provides high speed, secure, guaranteed delivery services.
It is an implementation of the Advanced Message Queuing Protocol. By default
the qpidd service will bind to port 5672 and listen for connection attempts.
The qpidd service can be disabled with the following command:
$ sudo systemctl disable qpidd.service
Rationale
The qpidd service is automatically installed when the “base” package
selection is chosen during installation. The qpidd service listens for
network connections, which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic, then the qpidd
service is not needed and should be disabled or removed.
Shell script
The following script can be run on the host to remediate the issue.
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'qpidd.service'
"$SYSTEMCTL_EXEC" disable 'qpidd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket\>' && "$SYSTEMCTL_EXEC" disable 'qpidd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service'
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable service qpidd
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - qpidd
  tags:
    - service_qpidd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
- name: Disable socket of service qpidd if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - qpidd.socket
  tags:
    - service_qpidd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7
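
To confirm that either remediation above took effect, the following check (an added example, not part of the original guide or its SCAP content) parses systemctl show and ss -H -tln output for the qpidd units and port 5672. The function names and sample strings are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit helpers for the qpidd rule. Function names are hypothetical.
AMQP_PORT=5672

# Constructed samples (not captured from a real host).
SAMPLE_REMEDIATED='LoadState=loaded
ActiveState=inactive
UnitFileState=disabled'
SAMPLE_FAILED='LoadState=loaded
ActiveState=failed
UnitFileState=disabled'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 10 [::]:5672 [::]:*'

# Print one property from `systemctl show` style KEY=VALUE text.
prop() { printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'; }

# $1: output of `systemctl show -p LoadState -p UnitFileState -p ActiveState UNIT`
# Succeeds only if the unit is inactive (not "active" or "failed") and cannot
# start at boot: disabled, masked, or not installed at all.
unit_compliant() {
    _load=$(prop "$1" LoadState)
    _enabled=$(prop "$1" UnitFileState)
    _active=$(prop "$1" ActiveState)
    [ "$_active" = "inactive" ] || return 1
    case "$_load" in not-found|masked) return 0 ;; esac
    case "$_enabled" in disabled|masked) return 0 ;; *) return 1 ;; esac
}

# $1: output of `ss -H -tln`. Succeeds when no listener's local address
# (4th column) ends in ":5672"; ":15672" does not match.
port_closed() {
    ! printf '%s\n' "$1" | awk -v p=":$AMQP_PORT" '
        { n = length($4) - length(p) + 1 }
        n > 0 && substr($4, n) == p { found = 1 }
        END { exit !found }'
}

# Live check against the running host; returns non-zero on any finding.
audit_qpidd() {
    _rc=0
    for _unit in qpidd.service qpidd.socket; do
        _state=$(systemctl show -p LoadState -p UnitFileState -p ActiveState "$_unit")
        unit_compliant "$_state" || { echo "FAIL: $_unit is enabled, active or failed"; _rc=1; }
    done
    port_closed "$(ss -H -tln)" || { echo "FAIL: listener on TCP $AMQP_PORT"; _rc=1; }
    return "$_rc"
}
```

Call audit_qpidd on the host after remediation; a non-zero exit status means a unit or a listener on port 5672 still needs attention.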