From b6da231ea5528dda22d29604a5731620faeaeeea Mon Sep 17 00:00:00 2001
From: Giacomo Marciani
Date: Tue, 16 Apr 2024 19:35:26 +0200
Subject: [PATCH] [Security] Disable unused background services: wpa_supplicant and cups.

Signed-off-by: Giacomo Marciani
---
 CHANGELOG.md | 1 +
 .../recipes/install/disable_services.rb | 10 ++++
 .../unit/recipes/disable_services_spec.rb | 12 +++++
 .../test/controls/disable_services_spec.rb | 52 +++++++++++--------
 4 files changed, 53 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9525258ef..3c25c3f96 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 ------
 
 **ENHANCEMENTS**
 
+- Disable unused background services wpa_supplicant and cups to improve security.
 
 **CHANGES**
diff --git a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
index 2fb63dd0a..667add381 100644
--- a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
+++ b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
@@ -27,3 +27,13 @@
 service 'log4j-cve-2021-44228-hotpatch' do
 action %i(disable stop mask)
 end unless on_docker?
+
+# Necessary on Ubuntu and Amazon Linux 2
+service 'cups' do
+ action %i(disable stop mask)
+end unless on_docker?
+
+# Necessary on Ubuntu 22
+service 'wpa_supplicant' do
+ action %i(disable stop mask)
+end unless on_docker?
diff --git a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
index 96d0043d7..15234454f 100644
--- a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
+++ b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
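Review bot: Masking only `cups` leaves its companion units untouched; on Debian-family images the cups package normally ships `cups.socket` and `cups.path` as well (verify on the target AMI), and while systemd refuses to start a socket whose service is masked, those units stay enabled and the socket presumably stays bound until the next boot, which hardening scans will flag. If that is confirmed, cover them in the same resource, e.g. `%w(cups cups.socket cups.path).each do |unit| service unit do action %i(disable stop mask) end unless on_docker? end`. The two comments name the platforms where each unit exists, but both resources run on every platform; a comment such as `# Applied on every platform: disable/stop are no-ops where the unit is absent and mask still pins it to /dev/null` would make that intent explicit, assuming the log4j hotpatch resource above already relies on the same behaviour, which the hunk suggests but does not show.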
@@ -18,6 +18,18 @@
 is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
 is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
 end
+
+ it 'disables cups' do
+ is_expected.to disable_service('cups')
+ is_expected.to stop_service('cups')
+ is_expected.to mask_service('cups')
+ end
+
+ it 'disables wpa_supplicant' do
+ is_expected.to disable_service('wpa_supplicant')
+ is_expected.to stop_service('wpa_supplicant')
+ is_expected.to mask_service('wpa_supplicant')
+ end
 end
 end
 end
diff --git a/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb
index a7bc70eb0..967bdfd30 100644
--- a/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb
+++ b/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb
@@ -10,38 +10,46 @@
 # See the License for the specific language governing permissions and limitations under the License.
 
 control 'tag:testami_tag:config_services_disabled_on_debian_family' do
- title 'Test that DLAMI multi eni helper is disabled and masked on debian family'
+ services = %w(aws-ubuntu-eni-helper wpa_supplicant)
+
+ title "Test that #{services.join(',')} are disabled and masked on debian family"
 
 only_if { os_properties.debian_family? && !os_properties.on_docker? }
 
- describe service('aws-ubuntu-eni-helper') do
- it { should_not be_enabled }
- it { should_not be_running }
- end
+ services.each do |service_name|
+ describe service(service_name) do
+ it { should_not be_enabled }
+ it { should_not be_running }
+ end
 
- describe bash('systemctl list-unit-files --state=masked --no-legend') do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match /aws-ubuntu-eni-helper.service\s*masked/ }
+ describe bash('systemctl list-unit-files --state=masked --no-legend') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should match /#{service_name}.service\s*masked/ }
+ end
 end
 end
 
 control 'tag:testami_tag:config_services_disabled_on_amazon_family' do
- title 'Test that log4j-cve-2021-44228-hotpatch is disabled and masked on amazon family'
+ services = %w(log4j-cve-2021-44228-hotpatch cups)
 
- only_if { os_properties.amazon_family? && !os_properties.on_docker? }
+ title "Test that #{services.join(',')} are disabled and masked on amazon family"
 
- describe service('log4j-cve-2021-44228-hotpatch') do
- it { should_not be_enabled }
- it { should_not be_running }
- end
-
- describe bash('systemctl list-unit-files --state=masked --no-legend') do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match /log4j-cve-2021-44228-hotpatch.service\s*masked/ }
- end
+ only_if { os_properties.amazon_family? && !os_properties.on_docker? }
 
- describe bash('systemctl show -p LoadState log4j-cve-2021-44228-hotpatch') do
- its(:exit_status) { should eq 0 }
- its(:stdout) { should match /LoadState=masked/ }
+ services.each do |service_name|
+ describe service(service_name) do
+ it { should_not be_enabled }
+ it { should_not be_running }
+ end
+
+ describe bash('systemctl list-unit-files --state=masked --no-legend') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should match /#{service_name}.service\s*masked/ }
+ end
+
+ describe bash("systemctl show -p LoadState #{service_name}") do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should match /LoadState=masked/ }
+ end
 end
 end
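Review bot: The Debian-family control verifies only `aws-ubuntu-eni-helper` and `wpa_supplicant`, although the recipe in this patch disables `cups` on every platform and its own comment names Ubuntu as a platform where cups is present, so a cups regression on Ubuntu AMIs would go unnoticed; add it to the first list, `services = %w(aws-ubuntu-eni-helper wpa_supplicant cups)`, and consider the same for `wpa_supplicant` in the Amazon-family list since the recipe is not platform-gated. The masked-unit regex interpolates the name unescaped and uses an unescaped dot, so `/#{Regexp.escape(service_name)}\.service\s*masked/` is the intended match in both controls. The `systemctl list-unit-files` command is also re-run once per service inside each loop; hoisting that `describe bash(...)` above the loop and matching every name against its stdout runs it once per control. The Amazon-family control additionally checks `LoadState=masked` via `systemctl show`, which the Debian-family control does not; if there is no reason for the asymmetry, the stronger check belongs in both.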