[Security] Disable unused background services: wpa_supplicant and cups.

gmarciani · gmarciani · commit addc64fc7f8b · 2024-02-19T12:50:02.000+01:00
Signed-off-by: Giacomo Marciani &lt;mgiacomo@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 - Add the configuration parameter `DeploymentSettings/DefaultUserHome` to allow users to move the default user's home directory to `/local/home` instead of `/home` (default).
   - SSH connections will be closed and rejected while the user's home directory is being moved during the bootstrapping process.
 - Add possibility to choose between Open and Closed Source Nvidia Drivers when building an AMI, through the ```['cluster']['nvidia']['kernel_open']``` cookbook node attribute.
+- Disable unused background services wpa_supplicant and cups to improve security.
 
 **CHANGES**
 - Upgrade Slurm to 23.11.3 (from 23.02.7).
diff --git a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
@@ -27,3 +27,13 @@
 service 'log4j-cve-2021-44228-hotpatch' do
   action %i(disable stop mask)
 end unless on_docker?
+
+# Necessary on Ubuntu and Amazon Linux 2
+service 'cups' do
+  action %i(disable stop mask)
+end unless on_docker?
+
+# Necessary on Ubuntu 22
+service 'wpa_supplicant' do
+  action %i(disable stop mask)
+end unless on_docker?
diff --git a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
@@ -18,6 +18,18 @@
         is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
         is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
       end
+
+      it 'disables cups' do
+        is_expected.to disable_service('cups')
+        is_expected.to stop_service('cups')
+        is_expected.to mask_service('cups')
+      end
+
+      it 'disables wpa_supplicant' do
+        is_expected.to disable_service('wpa_supplicant')
+        is_expected.to stop_service('wpa_supplicant')
+        is_expected.to mask_service('wpa_supplicant')
+      end
     end
   end
 end
diff --git a/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/test/controls/disable_services_spec.rb
@@ -10,38 +10,46 @@
 # See the License for the specific language governing permissions and limitations under the License.
 
 control 'tag:testami_tag:config_services_disabled_on_debian_family' do
-  title 'Test that DLAMI multi eni helper is disabled and masked on debian family'
+  services = %w(aws-ubuntu-eni-helper wpa_supplicant)
+
+  title "Test that #{services.join(',')} are disabled and masked on debian family"
 
   only_if { os_properties.debian_family? && !os_properties.on_docker? }
 
-  describe service('aws-ubuntu-eni-helper') do
-    it { should_not be_enabled }
-    it { should_not be_running }
-  end
+  services.each do |service_name|
+    describe service(service_name) do
+      it { should_not be_enabled }
+      it { should_not be_running }
+    end
 
-  describe bash('systemctl list-unit-files --state=masked --no-legend') do
-    its(:exit_status) { should eq 0 }
-    its(:stdout) { should match /aws-ubuntu-eni-helper.service\s*masked/ }
+    describe bash('systemctl list-unit-files --state=masked --no-legend') do
+      its(:exit_status) { should eq 0 }
+      its(:stdout) { should match /#{service_name}.service\s*masked/ }
+    end
   end
 end
 
 control 'tag:testami_tag:config_services_disabled_on_amazon_family' do
-  title 'Test that log4j-cve-2021-44228-hotpatch is disabled and masked on amazon family'
+  services = %w(log4j-cve-2021-44228-hotpatch cups)
 
-  only_if { os_properties.amazon_family? && !os_properties.on_docker? }
+  title "Test that #{services.join(',')} are disabled and masked on amazon family"
 
-  describe service('log4j-cve-2021-44228-hotpatch') do
-    it { should_not be_enabled }
-    it { should_not be_running }
-  end
-
-  describe bash('systemctl list-unit-files --state=masked --no-legend') do
-    its(:exit_status) { should eq 0 }
-    its(:stdout) { should match /log4j-cve-2021-44228-hotpatch.service\s*masked/ }
-  end
+  only_if { os_properties.amazon_family? && !os_properties.on_docker? }
 
-  describe bash('systemctl show -p LoadState log4j-cve-2021-44228-hotpatch') do
-    its(:exit_status) { should eq 0 }
-    its(:stdout) { should match /LoadState=masked/ }
+  services.each do |service_name|
+    describe service(service_name) do
+      it { should_not be_enabled }
+      it { should_not be_running }
+    end
+
+    describe bash('systemctl list-unit-files --state=masked --no-legend') do
+      its(:exit_status) { should eq 0 }
+      its(:stdout) { should match /#{service_name}.service\s*masked/ }
+    end
+
+    describe bash("systemctl show -p LoadState #{service_name}") do
+      its(:exit_status) { should eq 0 }
+      its(:stdout) { should match /LoadState=masked/ }
+    end
   end
 end
