RHEL daemons structure reflects the fact that Red Hat is sitting between two chairs: the same default daemon set is meant to serve both workstations and servers. Some of the daemons mentioned below do not make any sense for an enterprise server. Among daemons that are typically redundant on RHEL 5 servers, we can mention:

    cups
    NetworkManager
    avahi-daemon
    ip6tables
    xend
    xendomains
    bluetooth
    hidd
    hplip
    isdn
    pcscd - PC/SC Smart Card Daemon
    smb

SELinux-related daemons:

    setroubleshootd
    restorecond - daemon that watches for file creation and then sets the default SELinux file context
Avahi is a good example here. Avahi is a free Apple zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug their computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as advertising the network services running on the machine. None of that is wanted on a server.
Other daemons that can be removed:

    chkconfig bluetooth off
    chkconfig hidd off
    chkconfig pand off
    chkconfig cups off
    chkconfig hplip off
    chkconfig ip6tables off
    chkconfig isdn off
    chkconfig pcscd off
    chkconfig setroubleshootd off   # if you do not use SELinux

A couple of daemons that should be enabled, but are not enabled by default:

    chkconfig vsftpd on
    chkconfig nfs on
3.1.1 - Determine which Services are Enabled at Boot
Run the command:

    # chkconfig --list | grep :on

The first column of this output is the name of a service which is currently enabled at boot. Review each listed service to determine whether it can be disabled. If it is appropriate to disable some service srvname, do so using the command:

    # chkconfig srvname off

Use the guidance below for information about unfamiliar services.
3.1.2 - Guidance on Default Services
The table in this section contains a list of all services which are enabled at boot by a default RHEL5 installation. For each service, one of the following recommendations is made:

* Enable: The service provides a significant capability with limited risk exposure. Leave the service enabled.
* Configure: The service either is required for most systems to function properly or provides an important security function. It should be left enabled by most environments. However, it must be configured securely on all machines, and different options may be needed for workstations than for servers. See the referenced section for recommended configuration of this service.
* Disable if possible: The service opens the system to some risk, but may be required by some environments. See the appropriate section of the guide, and disable the service if at all possible.
* Servers only: The service provides some function to other machines over the network. If that function is needed in the target environment, the service should remain enabled only on a small number of dedicated servers, and should be disabled on all other machines on the network.
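The four recommendation classes can be applied mechanically to real chkconfig --list output. The following script is an added example, not part of the NSA guide or of this page: it embeds the Enable / Configure / Disable if possible / Servers only verdicts from the table that follows as a lookup list, parses SysV chkconfig --list lines (the "xinetd based services" block that chkconfig prints uses a different format and is not parsed), and prints one verdict per service that is on in any of runlevels 2 to 5. The sample chkconfig output and the service name localappd are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the NSA RHEL5 guide or this page): audit "chkconfig --list"
# output against the guide's Section 3.1.2 recommendations.

# Recommendation table from Section 3.1.2 as "service:action" words.
# Actions: enable | configure | disable | servers-only
RECOMMENDATIONS='
acpid:enable anacron:disable apmd:disable atd:configure auditd:configure
autofs:disable avahi-daemon:disable bluetooth:disable cpuspeed:enable
crond:configure cups:disable firstboot:disable gpm:disable haldaemon:disable
hidd:disable hplip:disable ip6tables:configure iptables:configure
irqbalance:enable isdn:disable kdump:disable kudzu:disable mcstrans:disable
mdmonitor:disable messagebus:disable microcode_ctl:disable netfs:disable
network:enable nfslock:disable pcscd:disable portmap:disable
readahead_early:disable readahead_later:disable restorecond:enable
rhnsd:disable rpcgssd:disable rpcidmapd:disable sendmail:configure
setroubleshoot:disable smartd:enable sshd:servers-only syslog:configure
xfs:disable yum-updatesd:disable
'

# recommendation_for SERVICE -> prints the action, or "unknown" if not in the table
recommendation_for() {
    for entry in $RECOMMENDATIONS; do
        case "$entry" in
            "$1":*) printf '%s\n' "${entry#*:}"; return 0 ;;
        esac
    done
    printf 'unknown\n'
}

# enabled_services: reads chkconfig --list on stdin and prints every SysV service
# that is "on" in any of runlevels 2 to 5 (stricter than the guide's grep :on,
# which would also match a service enabled only in runlevel 1)
enabled_services() {
    awk '/ [2-5]:on/ { print $1 }'
}

# audit_services: reads chkconfig --list on stdin, prints "<service> <action> <verdict>"
audit_services() {
    enabled_services | while read -r svc; do
        action=$(recommendation_for "$svc")
        case "$action" in
            enable)       verdict="ok, leave enabled" ;;
            configure)    verdict="review configuration" ;;
            disable)      verdict="DISABLE: chkconfig $svc off" ;;
            servers-only) verdict="DISABLE unless this is a dedicated server" ;;
            *)            verdict="UNKNOWN: rpm -qf /etc/init.d/$svc" ;;
        esac
        printf '%-16s %-13s %s\n' "$svc" "$action" "$verdict"
    done
}

# Constructed sample of chkconfig --list output (not captured from a real host).
SAMPLE_CHKCONFIG='acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu          0:off 1:off 2:off 3:on  4:on  5:on  6:off
network        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd         0:off 1:off 2:off 3:off 4:off 5:off 6:off
xfs            0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd   0:off 1:off 2:on  3:on  4:on  5:on  6:off
localappd      0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# audit_sample: run the audit over the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services
}

audit_sample
```

On a live RHEL5 host, source the script and run chkconfig --list | audit_services. The script only reports; the chkconfig ... off commands it prints are left for the administrator to apply after the per-service review the guide calls for, and the UNKNOWN lines point at the rpm -qf lookup described in 3.1.3.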
Service name       Action               Reference
acpid              Enable               3.3.15.2
anacron            Disable if possible  3.4
apmd               Disable if possible  3.3.15.1
atd                Configure            3.4
auditd             Configure            2.6.2
autofs             Disable if possible  (ref. garbled)
avahi-daemon       Disable if possible  3.7
bluetooth          Disable if possible  3.3.14
cpuspeed           Enable               3.3.15.3
crond              Configure            3.4
cups               Disable if possible  3.8
firstboot          Disable if possible  3.3.1
gpm                Disable if possible  3.3.2
haldaemon          Disable if possible  3.3.13.2
hidd               Disable if possible  3.3.14.2
hplip              Disable if possible  (ref. garbled)
ip6tables          Configure            2.5.5
iptables           Configure            2.5.5
irqbalance         Enable               3.3.3
isdn               Disable if possible  3.3.4
kdump              Disable if possible  3.3.5
kudzu              Disable if possible  3.3.6
mcstrans           Disable if possible  (ref. garbled) (SELinux)
mdmonitor          Disable if possible  3.3.7
messagebus         Disable if possible  3.3.13.1
microcode_ctl      Disable if possible  3.3.8
netfs              Disable if possible  3.13 (NFS)
network            Enable               3.3.9
nfslock            Disable if possible  3.13 (NFS)
pcscd              Disable if possible  3.3.10
portmap            Disable if possible  3.13 (NFS)
readahead_early    Disable if possible  3.3.12
readahead_later    Disable if possible  3.3.12
restorecond        Enable               (ref. garbled) (SELinux)
rhnsd              Disable if possible  (ref. garbled)
rpcgssd            Disable if possible  3.13 (NFS)
rpcidmapd          Disable if possible  3.13 (NFS)
sendmail           Configure            3.11
setroubleshoot     Disable if possible  (ref. garbled) (SELinux)
smartd             Enable               3.3.11
sshd               Servers only         3.5
syslog             Configure            2.6.1
xfs                Disable if possible  3.6 (X11)
yum-updatesd       Disable if possible  (ref. garbled)
3.1.3 - Guidance for Unfamiliar Services
If the system is running any services which have not been covered, determine what these services do, and disable them if they are not needed or if they pose a high risk. If a service srvname is unknown, try running:

    $ rpm -qf /etc/init.d/srvname

to discover which RPM package installed the service. Then, run:

    $ rpm -qi rpmname

for a brief description of what that RPM does.
3.2 - Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this consensus, these services are not installed as part of RHEL5 by default. Organizations which are running these services should prioritize switching to more secure services which provide the needed functionality. If it is absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software (see Section 2.5.5) to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.
3.2.1 - Inetd and Xinetd
Is there an operational need to run the deprecated inetd or xinetd software packages? If not, ensure that they are removed from the system:

    # yum erase inetd xinetd

Beginning with Red Hat Enterprise Linux 5, the xinetd service is no longer installed by default. This change represents increased awareness that the dedicated network listener model does not improve security or reliability of services, and that restriction of network listeners is better handled using a granular model such as SELinux than using xinetd's limited security options.
CCE-4234-1 Inetd and Xinetd
The inetd service should be enabled or disabled as appropriate.
CCE-4252-3 Inetd and Xinetd
The xinetd service should be enabled or disabled as appropriate.
CCE-4023-8 Inetd and Xinetd
The inetd package should be installed or uninstalled as appropriate.
CCE-4164-0 Inetd and Xinetd
The xinetd package should be installed or uninstalled as appropriate.
3.2.2 - Telnet
Is there a mission-critical reason for users to access the system via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure that the telnet server is removed from the system:

    # yum erase telnet-server

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the session to gain authenticated access to the telnet server. Organizations which use telnet should be actively working to migrate to a more secure protocol. See Section 3.5 for information about the SSH service.
The telnet service should be enabled or disabled as appropriate.
The telnet-server package should be installed or uninstalled as appropriate.
3.2.3 - Rlogin, Rsh, and Rcp
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
3.2.3.1 - Remove the Rsh Server Commands from the System
Is there a mission-critical reason for users to access the system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and scp? If not, ensure that the rsh server is removed from the system:

    # yum erase rsh-server

SSH was designed to be a drop-in replacement for the r-commands, which suffer from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a case in which these commands cannot be replaced with SSH.
CCE-3974-3 Remove the Rsh Server Commands from the System
The rcp service should be enabled or disabled as appropriate.
CCE-4141-8 Remove the Rsh Server Commands from the System
The rsh service should be enabled or disabled as appropriate.
CCE-3537-8 Remove the Rsh Server Commands from the System
The rlogin service should be enabled or disabled as appropriate.
CCE-4308-3 Remove the Rsh Server Commands from the System
The rsh package should be installed or uninstalled as appropriate.
3.2.3.2 - Remove .rhosts Support from PAM Configuration Files
Check that pam_rhosts authentication is not used by any PAM services. Run the command:

    # grep -l pam_rhosts /etc/pam.d/*

This command should return no output. The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any PAM-based services, so, on an uncustomized system, this command should return no output. If any files do use pam_rhosts, modify them to make use of a more secure authentication method instead. For more information about PAM, see the guide's PAM section.
3.2.4 - NIS
The NIS client service ypbind is not activated by default. In the event that it was activated at some point, disable it by executing the command:

    # chkconfig ypbind off

The NIS server package is not installed by default. In the event that it was installed at some point, remove it from the system by executing the command:

    # yum erase ypserv

The Network Information Service (NIS), also known as "Yellow Pages" (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information.
The ypbind service should be enabled or disabled as appropriate.
The ypserv package should be installed or uninstalled as appropriate.
3.2.5 - TFTP Server
Is there an operational need to run the deprecated TFTP server software? If not, ensure that it is removed from the system:

    # yum erase tftp-server

TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found.
CCE-4273-9 TFTP Server
The tftp service should be enabled or disabled as appropriate.
CCE-3916-4 TFTP Server
The tftp-server package should be installed or uninstalled as appropriate.
3.3 - Base Services
This section addresses the base services that are configured to start up on boot in a RHEL5 default installation. Some of these services listen on the network and should be treated with particular discretion. The other services are local system utilities that may or may not be extraneous. Each of these services should be disabled if not required.
3.3.1 - Installation Helper Service (firstboot)
Firstboot is a daemon specific to the Red Hat installation process. It handles "one-time" configuration following successful installation of the operating system. As such, there is no reason for this service to remain enabled. Disable firstboot by issuing the command:

    # chkconfig firstboot off

CCE-3412-4 Installation Helper Service (firstboot)
The firstboot service should be enabled or disabled as appropriate.
3.3.2 - Console Mouse Service (gpm)
GPM is the service that controls the text console mouse pointer. (The X Windows mouse pointer is unaffected by this service.) If mouse functionality in the console is not required, disable this service:

    # chkconfig gpm off

Although it is preferable to run as few services as possible, the console mouse pointer can be useful for preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.
CCE-4229-1 Console Mouse Service (gpm)
The gpm service should be enabled or disabled as appropriate.
3.3.3 - Interrupt Distribution on Multiprocessor Systems (irqbalance)
The goal of the irqbalance service is to optimize the balance between power savings and performance through distribution of hardware interrupts across multiple processors. In a server environment with multiple processors, this provides a useful service and should be left enabled. If a machine has only one processor, the service may be disabled:

    # chkconfig irqbalance off

CCE-4123-6 Interrupt Distribution on Multiprocessor Systems (irqbalance)
The irqbalance service should be enabled or disabled as appropriate.
3.3.4 - ISDN Support (isdn)
The ISDN service facilitates Internet connectivity in the presence of an ISDN modem. If an ISDN modem is not being used, disable this service:

    # chkconfig isdn off

CCE-4286-1 ISDN Support (isdn)
The isdn service should be enabled or disabled as appropriate.
3.3.5 - Kdump Kernel Crash Analyzer (kdump)
Kdump is a new kernel crash dump analyzer. It uses kexec to boot a secondary kernel ("capture" kernel) following a system crash. The kernel dump from the system crash is loaded into the capture kernel for analysis. Unless the system is used for kernel development or testing, disable the service:

    # chkconfig kdump off

CCE-3425-6 Kdump Kernel Crash Analyzer (kdump)
The kdump service should be enabled or disabled as appropriate.
3.3.6 - Kudzu Hardware Probing Utility (kudzu)
Is there a mission-critical reason for console users to add new hardware to the system? If not:

    # chkconfig kudzu off

Kudzu, Red Hat's hardware detection program, represents an unnecessary security risk as it allows unprivileged users to perform hardware configuration without authorization. Unless this specific functionality is required, Kudzu should be disabled.
CCE-4211-9 Kudzu Hardware Probing Utility (kudzu)
The kudzu service should be enabled or disabled as appropriate.
3.3.7 - Software RAID Monitor (mdmonitor)
The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). This service is extraneous unless software RAID is in use (which is not common). If software RAID monitoring is not required, disable this service:

    # chkconfig mdmonitor off

CCE-3854-7 Software RAID Monitor (mdmonitor)
The mdmonitor service should be enabled or disabled as appropriate.
3.3.8 - IA32 Microcode Utility (microcode_ctl)
microcode_ctl is a microcode utility for use with Intel IA32 processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc.). If the system is not running an Intel IA32 processor, disable this service:

    # chkconfig microcode_ctl off

CCE-4356-2 IA32 Microcode Utility (microcode_ctl)
The microcode_ctl service should be enabled or disabled as appropriate.
3.3.9 - Network Service (network)
The network service allows associated network interfaces to access the network. This section contains general guidance for controlling the operation of the service. For kernel parameters which affect networking, see Section
3.3.9.1 - Disable All Networking if Not Needed
If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable this service:

    # chkconfig network off

CCE-4369-5 Network Service (network)
The network service should be enabled or disabled as appropriate.
3.3.9.2 - Disable All External Network Interfaces if Not Needed
If the system does not require network communications but still needs to use the loopback interface, remove all files of the form ifcfg-interface except for ifcfg-lo from /etc/sysconfig/network-scripts:

    # rm /etc/sysconfig/network-scripts/ifcfg-interface

3.3.9.3 - Disable Zeroconf Networking
Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:

    NOZEROCONF=yes

Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.
3.3.10 - Smart Card Support (pcscd)
The pcscd service provides support for Smart Cards and Smart Card Readers. If Smart Cards are not in use on the system, disable this service:

    # chkconfig pcscd off

CCE-4100-4 Smart Card Support (pcscd)
The pcscd service should be enabled or disabled as appropriate.
3.3.11 - SMART Disk Monitoring Support (smartd)
SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. This technology is considered to bring relatively low security risk, and can be useful. Leave this service running if the system's hard drives are SMART-capable. Otherwise, disable it:

    # chkconfig smartd off

CCE-3455-3 SMART Disk Monitoring Support (smartd)
The smartd service should be enabled or disabled as appropriate.
3.3.12 - Boot Caching (readahead_early/readahead_later)
The following services provide one-time caching of files belonging to some boot services, with the goal of allowing the system to boot faster. It is recommended that these services be disabled on most machines:

    # chkconfig readahead_early off
    # chkconfig readahead_later off

The readahead services do not substantially increase a system's risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file caching substantially improves system boot time, this guide recommends disabling the services.
CCE-4421-4 Boot Caching (readahead_early/readahead_later)
The readahead_early service should be enabled or disabled as appropriate.
CCE-4302-6 Boot Caching (readahead_early/readahead_later)
The readahead_later service should be enabled or disabled as appropriate.
3.3.13 - Application Support Services
The following services are software projects of freedesktop.org that are meant to provide system integration through a series of common APIs for applications. They are heavily integrated into the X Windows environment. If the system is not using X Windows, these services can typically be disabled.
3.3.13.1 - D-Bus IPC Service (messagebus)
D-Bus is an IPC mechanism that provides a common channel for inter-process communication. If no services which require D-Bus are in use, disable this service:

    # chkconfig messagebus off

A number of default services make use of D-Bus, including X Windows (Section 3.6), Bluetooth (Section 3.3.14) and Avahi (Section 3.7). This guide recommends that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them. Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon(1). D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.
CCE-3822-4 D-Bus IPC Service (messagebus)
The messagebus service should be enabled or disabled as appropriate.
3.3.13.2 - HAL Daemon (haldaemon)
The haldaemon service provides a dynamic way of managing device interfaces. It automates device configuration and provides an API for making devices accessible to applications through the D-Bus interface.
3.3.13.2.1 - Disable HAL Daemon if Possible
HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary:

    # chkconfig haldaemon off

CCE-4364-6 HAL Daemon (haldaemon)
The haldaemon service should be enabled or disabled as appropriate.
3.3.13.2.2 - Configure HAL Daemon if Necessary
HAL provides a limited user the ability to mount system devices. This is primarily used by X utilities such as gnome-volume-manager to perform automounting of removable media. HAL configuration is currently only possible through a series of fdi files located in /usr/share/hal/fdi/. Note: the HAL future road map includes a mandatory framework for managing administrative privileges called PolicyKit. To prevent users from accessing devices through HAL, create the file /etc/hal/fdi/policy/99-policy-all-drives.fdi with the contents:

    <?xml version="1.0" encoding="UTF-8"?>
    <deviceinfo version="0.2">
      <device>
        <match key="info.capabilities" contains="volume">
          <merge key="volume.ignore" type="bool">true</merge>
        </match>
      </device>
    </deviceinfo>

The above code matches any device labeled with the volume capability (any device capable of being mounted will be labeled this way) and sets the corresponding volume.ignore key to true, indicating that the volume should be ignored. This both makes the volume invisible to the UI, and denies mount attempts by unprivileged users.
3.3.14 - Bluetooth Support
Bluetooth provides a way to transfer information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles over a short-range wireless link. Any wireless communication presents a serious security risk to sensitive or classified systems. Section 2.5.2 contains information on the related topic of wireless networking. Removal of hardware is the only way to ensure that the Bluetooth wireless capability remains disabled. If it is completely impractical to remove the Bluetooth hardware module, and site policy still allows the device to enter sensitive spaces, every effort to disable the capability via software should be made. In general, acquisition policy should include provisions to prevent the purchase of equipment that will be used in sensitive spaces and includes Bluetooth capabilities.
3.3.14.1 - Bluetooth Host Controller Interface Daemon (bluetooth)
The bluetooth service enables the system to use Bluetooth devices. If the system requires no Bluetooth devices, disable this service:

    # chkconfig bluetooth off

CCE-4355-4 Bluetooth Host Controller Interface Daemon (bluetooth)
The bluetooth service should be enabled or disabled as appropriate.
3.3.14.2 - Bluetooth Input Devices (hidd)
The hidd service provides support for Bluetooth input devices. If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this service:

    # chkconfig hidd off

CCE-4377-8 Bluetooth Input Devices (hidd)
The hidd service should be enabled or disabled as appropriate.
3.3.14.3 - Disable Bluetooth Kernel Modules
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to /etc/modprobe.conf to prevent the loading of the Bluetooth module:

    alias net-pf-31 off

The unexpected name, net-pf-31, is a result of how the kernel requests modules for network protocol families; it is an alias for the bluetooth module.
3.3.15 - Power Management Support
The following services provide an interface to power management functions. These functions include monitoring battery power, system hibernate/suspend, CPU throttling, and various power-save utilities.
3.3.15.1 - Advanced Power Management Subsystem (apmd)
The apmd service provides previous-generation power management support. If the system is capable of ACPI support, or if power management is not necessary, disable this service:

    # chkconfig apmd off

APM is being replaced by ACPI and should be considered deprecated. As such, it can be disabled if ACPI is supported by your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version information, then APM can safely be disabled without loss of functionality.
CCE-4289-5 Advanced Power Management Subsystem (apmd)
The apmd service should be enabled or disabled as appropriate.
3.3.15.2 - Advanced Configuration and Power Interface (acpid)
The acpid service provides next-generation power management support. Leave this service enabled unless power management features are not needed.
CCE-4298-6 Advanced Configuration and Power Interface (acpid)
The acpid service should be enabled or disabled as appropriate.
3.3.15.3 - CPU Throttling (cpuspeed)
The cpuspeed service uses hardware support to throttle the CPU when the system is idle. Leave this service enabled unless CPU power optimization is not needed.
CCE-4051-9 CPU Throttling (cpuspeed)
The cpuspeed service should be enabled or disabled as appropriate.
3.4 - Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively.
CCE-4324-0 Cron and At Daemons
The crond service should be enabled or disabled as appropriate.
3.4.1 - Disable anacron if Possible
Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:

    # yum erase anacron

The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots. However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.
CCE-4406-5 Disable anacron if Possible
The anacron service should be enabled or disabled as appropriate.
CCE-4428-9 Disable anacron if Possible
The anacron package should be installed or uninstalled as appropriate.
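Three of the configuration-file checks in the sections above (the pam_rhosts scan of 3.2.3.2, the NOZEROCONF=yes line of 3.3.9.3 and the net-pf-31 alias of 3.3.14.3) as repeatable shell functions. This is an added example, not code from the NSA guide or from this page. set_kv rewrites an existing assignment, whether active or commented out, instead of appending a second one, and ensure_line appends only when the exact line is missing, so both can be re-run safely. Every function takes the root directory to work under as an argument, and make_fake_root builds a constructed miniature /etc in a temporary directory (its file contents, hostname and PAM stacks are invented for the demonstration), so the script never touches the live system unless deliberately pointed at /.

```shell
#!/bin/sh
# Added example (not from the NSA RHEL5 guide or this page): repeatable versions of
# three checks from the guide, exercised against a constructed fake root directory.

# set_kv FILE KEY VALUE
#   Make FILE contain exactly one "KEY=VALUE" line: rewrite an existing assignment
#   (active or commented out with '#'), or append one. Prints "changed"/"unchanged".
set_kv() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^$key=$value\$" "$file"; then
        printf 'unchanged\n'
        return 0
    fi
    tmp="$file.tmp.$$"
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        # the first matching assignment is rewritten, later duplicates are dropped
        awk -v k="$key" -v v="$value" '
            $0 ~ "^#*[ \t]*" k "=" { if (!done) { print k "=" v; done = 1 }; next }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
    printf 'changed\n'
}

# ensure_line FILE LINE
#   Append LINE unless FILE already contains it verbatim. Prints "changed"/"unchanged".
ensure_line() {
    file=$1 line=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$line" "$file"; then
        printf 'unchanged\n'
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
    printf 'changed\n'
}

# pam_rhosts_users ROOT
#   List the PAM service files under ROOT/etc/pam.d that still reference pam_rhosts
#   (Section 3.2.3.2 expects no output on an uncustomized RHEL5 system).
pam_rhosts_users() {
    grep -l pam_rhosts "$1"/etc/pam.d/* 2>/dev/null || true
}

# harden_root ROOT
#   Apply the two file edits the guide asks for, relative to ROOT.
harden_root() {
    set_kv "$1/etc/sysconfig/network" NOZEROCONF yes          # Section 3.3.9.3
    ensure_line "$1/etc/modprobe.conf" 'alias net-pf-31 off'  # Section 3.3.14.3
}

# make_fake_root
#   Build a constructed miniature /etc in a temporary directory and print its path.
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysconfig" "$root/etc/pam.d"
    printf 'NETWORKING=yes\nHOSTNAME=host.example.test\n#NOZEROCONF=no\n' \
        > "$root/etc/sysconfig/network"
    printf 'alias eth0 e1000\n' > "$root/etc/modprobe.conf"
    # constructed PAM stacks: one still using pam_rhosts, one clean
    printf 'auth  sufficient  pam_rhosts_auth.so\nauth  required  pam_unix.so\n' \
        > "$root/etc/pam.d/rlogin"
    printf 'auth  required  pam_unix.so\n' > "$root/etc/pam.d/sshd"
    printf '%s\n' "$root"
}

# Demonstration run against the fake root.
demo_root=$(make_fake_root)
echo "PAM files using pam_rhosts: $(pam_rhosts_users "$demo_root")"
harden_root "$demo_root"
cat "$demo_root/etc/sysconfig/network" "$demo_root/etc/modprobe.conf"
rm -rf "$demo_root"
```

The commented-out #NOZEROCONF=no line in the constructed file is the case that a plain append would get wrong: appending leaves a stale assignment in place for the next administrator to uncomment. Rewriting in place keeps one authoritative line, and the "unchanged" result on a second run makes the functions safe to call from a configuration-management job.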
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019