Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Disable unused background services: wpa_supplicant and cups. #2656

Closed
wants to merge 1 commit into from
Closed

[Security] Disable unused background services: wpa_supplicant and cups. #2656

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
------

**ENHANCEMENTS**
- Disable unused background services wpa_supplicant and cups to improve security.

**CHANGES**

Expand Down
10 changes: 10 additions & 0 deletions cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,13 @@
service 'log4j-cve-2021-44228-hotpatch' do
action %i(disable stop mask)
end unless on_docker?

# Necessary on Ubuntu and Amazon Linux 2
service 'cups' do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This recipe is not following the general code structure.

It's not strictly related to your change, but when there is code "os specific" we should create a Chef Resource for it.

The idea is to have in the recipes only common code, the recipe should be the orchestrator that will call the resource to perform OS specific actions.

In this way if we want to fix/test/search code for a specific OS we don't need to search in all the recipes but we can rely on the resources.
Then if we want to add/remove support for a specific OS we just need to update the resources avoiding to touch the recipes.

In this case we can create a resource called "service_manager" or something like this and call it directly in in the install recipe, with a different flavour for alinux2, ubuntu, u22, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Refactoring captured in our backlog. We will decouple the refactoring from this change though.

action %i(disable stop mask)
end unless on_docker?

# Necessary on Ubuntu 22
service 'wpa_supplicant' do
action %i(disable stop mask)
end unless on_docker?
12 changes: 12 additions & 0 deletions cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,18 @@
is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
end

it 'disables cups' do
is_expected.to disable_service('cups')
is_expected.to stop_service('cups')
is_expected.to mask_service('cups')
end

it 'disables wpa_supplicant' do
is_expected.to disable_service('wpa_supplicant')
is_expected.to stop_service('wpa_supplicant')
is_expected.to mask_service('wpa_supplicant')
end
end
end
end
52 changes: 30 additions & 22 deletions cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,38 +10,46 @@
# See the License for the specific language governing permissions and limitations under the License.

control 'tag:testami_tag:config_services_disabled_on_debian_family' do
title 'Test that DLAMI multi eni helper is disabled and masked on debian family'
services = %w(aws-ubuntu-eni-helper wpa_supplicant)

title "Test that #{services.join(',')} are disabled and masked on debian family"

only_if { os_properties.debian_family? && !os_properties.on_docker? }

describe service('aws-ubuntu-eni-helper') do
it { should_not be_enabled }
it { should_not be_running }
end
services.each do |service_name|
describe service(service_name) do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /aws-ubuntu-eni-helper.service\s*masked/ }
describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /#{service_name}.service\s*masked/ }
end
end
end

control 'tag:testami_tag:config_services_disabled_on_amazon_family' do
title 'Test that log4j-cve-2021-44228-hotpatch is disabled and masked on amazon family'
services = %w(log4j-cve-2021-44228-hotpatch cups)

only_if { os_properties.amazon_family? && !os_properties.on_docker? }
title "Test that #{services.join(',')} are disabled and masked on amazon family"

describe service('log4j-cve-2021-44228-hotpatch') do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /log4j-cve-2021-44228-hotpatch.service\s*masked/ }
end
only_if { os_properties.amazon_family? && !os_properties.on_docker? }

describe bash('systemctl show -p LoadState log4j-cve-2021-44228-hotpatch') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /LoadState=masked/ }
services.each do |service_name|
describe service(service_name) do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /#{service_name}.service\s*masked/ }
end

describe bash("systemctl show -p LoadState #{service_name}") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /LoadState=masked/ }
end
end
end
Loading