(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix
There are several daemons in a RHEL 6.8 installation that few people understand. For a general walkthrough see CentOS 6 - Initial Settings - Configure Services (Server World). The less obvious ones are:
abrt-ccpp: part of the Automatic Bug Reporting Tool; it hooks core dumps of crashing C/C++ programs so that ABRT can collect them. See Chapter 27. Automatic Bug Reporting Tool (ABRT). Note that collected core dumps can contain passwords and keys, so on a production server you should either disable ABRT or restrict who can read its dump directory.
acpid: needed for the power button to shut the server down gracefully instead of forcing a hard power-off. See 1.2. acpid.
mdmonitor: not needed unless you are using software RAID (md arrays managed by mdadm). It has nothing to do with device-mapper multipath, which is handled by multipathd. See 6.3.6. Preserving the Configuration and mdadm - Wikipedia.
blk-availability: a helper that runs at shutdown to cleanly deactivate LVM logical volumes and other device-mapper volumes before the system halts. If you do not use LVM you do not need this daemon to be running.
auditd: the Linux audit daemon, see auditd(8) Audit daemon - Linux man page. It records the kernel audit trail (logins, privilege use, and whatever file and syscall rules you load). Leave it on; practically every hardening baseline requires it and the SCAP guidance below rates it "Configure", not "Disable".
spice-vdagentd: used to adjust the display resolution of a virtual machine running under RHEV (SPICE console). It is only enabled in runlevel 5 by default. If the host is not a RHEV guest, stop it and disable it.
The set of daemons in RHEL 6.8 is substantially different from the set in RHEL 5 and even from RHEL 6.5. Here is the default state on a CentOS 6.8 box:
[root@centos ~]# chkconfig --list
NetworkManager   0:off 1:off 2:on  3:on  4:on  5:on  6:off
abrt-ccpp        0:off 1:off 2:off 3:on  4:off 5:on  6:off
abrtd            0:off 1:off 2:off 3:on  4:off 5:on  6:off
acpid            0:off 1:off 2:on  3:on  4:on  5:on  6:off
atd              0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
autofs           0:off 1:off 2:off 3:on  4:on  5:on  6:off
blk-availability 0:off 1:on  2:on  3:on  4:on  5:on  6:off
bluetooth        0:off 1:off 2:off 3:on  4:on  5:on  6:off
certmonger       0:off 1:off 2:off 3:on  4:on  5:on  6:off
cpuspeed         0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond            0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups             0:off 1:off 2:on  3:on  4:on  5:on  6:off
dnsmasq          0:off 1:off 2:off 3:off 4:off 5:off 6:off
firstboot        0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon        0:off 1:off 2:off 3:on  4:on  5:on  6:off
htcacheclean     0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd            0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
ipmievd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipsec            0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables         0:off 1:off 2:off 3:off 4:off 5:off 6:off
irqbalance       0:off 1:off 2:off 3:on  4:on  5:on  6:off
kdump            0:off 1:off 2:on  3:on  4:on  5:on  6:off
lvm2-monitor     0:off 1:on  2:on  3:on  4:on  5:on  6:off
mdmonitor        0:off 1:off 2:on  3:on  4:on  5:on  6:off
messagebus       0:off 1:off 2:on  3:on  4:on  5:on  6:off
netconsole       0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs            0:off 1:off 2:off 3:on  4:on  5:on  6:off
network          0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfs              0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfs-rdma         0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock          0:off 1:off 2:off 3:on  4:on  5:on  6:off
ntpd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
ntpdate          0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
portreserve      0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix          0:off 1:off 2:on  3:on  4:on  5:on  6:off
pppoe-server     0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct           0:off 1:off 2:off 3:off 4:off 5:off 6:off
quota_nld        0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc            0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdma             0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond      0:off 1:off 2:off 3:off 4:off 5:off 6:off
rngd             0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcbind          0:off 1:off 2:on  3:on  4:on  5:on  6:off
rpcgssd          0:off 1:off 2:off 3:on  4:on  5:on  6:off
rpcsvcgssd       0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog          0:off 1:off 2:on  3:on  4:on  5:on  6:off
saslauthd        0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
spice-vdagentd   0:off 1:off 2:off 3:off 4:off 5:on  6:off
squid            0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
sssd             0:off 1:off 2:off 3:off 4:off 5:off 6:off
sysstat          0:off 1:on  2:on  3:on  4:on  5:on  6:off
udev-post        0:off 1:on  2:on  3:on  4:on  5:on  6:off
vsftpd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
wdaemon          0:off 1:off 2:off 3:off 4:off 5:off 6:off
winbind          0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant   0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd           0:off 1:off 2:off 3:on  4:on  5:on  6:off
ypbind           0:off 1:off 2:off 3:off 4:off 5:off 6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        rsync:          off
        tcpmux-server:  off
        time-dgram:     off
        time-stream:    off
Fewer of these daemons can be called redundant on a typical server than used to be the case. Still, some of the daemons enabled above make no sense for a server connected via cable and sitting in a rack. Among those you can consider disabling:
# chkconfig avahi-daemon off
# chkconfig cups off
# chkconfig NetworkManager off
# chkconfig iptables off      (at least temporarily, until you have time to configure and test it properly)
# chkconfig bluetooth off
Be careful with the iptables line. The listing above already has iptables off in every runlevel while ip6tables is on, which leaves IPv4 unfiltered and IPv6 filtered. The SCAP guidance quoted further down rates both iptables and ip6tables as "Configure", not "Disable", so treat a switched-off host firewall as a temporary state and come back to it.
Avahi is a good example here. It actually disappeared from the default set in RHEL 6.8. Avahi is a free Apple Zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug their computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as advertising the network services running on the machine. It is useless for a server connected via cable and sitting in a rack.
If you want to go further and do not use LVM (like most HPC nodes), the additional candidates are:
# chkconfig lvm2-monitor off
# chkconfig kdump off
# chkconfig blk-availability off
# chkconfig mdmonitor off
# chkconfig spice-vdagentd off
Check first: a default RHEL 6 installation puts the root filesystem on LVM, so run pvs (or lvs) and look at /proc/mdstat before turning lvm2-monitor, blk-availability or mdmonitor off. kdump is harmless from a security standpoint, but it is the only way to get a crash dump for analysis or for Red Hat support, so keep it if you have the disk space for the dump.
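Before running those commands it is worth checking what the box actually uses. The following script is an added example (not from this page): it treats empty pvs output as "no LVM", an active mdN line in /proc/mdstat as "software RAID in use", and the strings kvm, ovirt or rhev printed by virt-what as "RHEV guest" (which strings virt-what prints for your hypervisor is an assumption; check yours), and it only prints the chkconfig commands it would run.

```shell
#!/bin/sh
# Added example (not from the page): decide which of the "only if you do not
# use LVM / software RAID / RHEV" daemons can be turned off on this box,
# instead of disabling them blindly. The checks take their evidence as
# arguments so they can be run against saved output or tested without root.

# LVM is in use if `pvs --noheadings` reports any physical volume. If pvs is
# not installed at all, the lvm2 package (which owns lvm2-monitor) is absent
# and there is nothing to monitor anyway.
lvm_in_use() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Software RAID is in use if /proc/mdstat lists an active md device.
md_in_use() {
    printf '%s\n' "$1" | grep -Eq '^md[0-9]+ *: *active'
}

# spice-vdagentd only matters in a RHEV/oVirt (KVM) guest. The accepted
# strings are an assumption about virt-what output; bare metal prints nothing.
spice_useful() {
    case "$1" in kvm|ovirt|rhev) return 0 ;; *) return 1 ;; esac
}

# disable_candidates PVS_OUTPUT MDSTAT_TEXT VIRT_WHAT_OUTPUT
# Prints the space separated names of the services that are safe to disable.
disable_candidates() {
    out=""
    lvm_in_use "$1"   || out="$out lvm2-monitor blk-availability"
    md_in_use "$2"    || out="$out mdmonitor"
    spice_useful "$3" || out="$out spice-vdagentd"
    echo "${out# }"
}

# Gather live evidence. pvs needs root, so an unprivileged run would wrongly
# look like "no LVM"; refuse to guess in that case.
if [ "$(id -u)" -eq 0 ]; then
    live_pvs=$(pvs --noheadings 2>/dev/null || true)
    live_mdstat=$(cat /proc/mdstat 2>/dev/null || true)
    live_virt=$(virt-what 2>/dev/null | head -n 1 || true)
    # Only print the commands; run them yourself after reviewing the list.
    for svc in $(disable_candidates "$live_pvs" "$live_mdstat" "$live_virt"); do
        echo "chkconfig $svc off"
    done
else
    echo "run as root: pvs output is empty for unprivileged users" >&2
fi
```

The decision logic is separated from the probing so that the same functions can be pointed at a pvs listing and /proc/mdstat copied from another machine.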
A couple of daemons that are sometimes turned off on enterprise servers should always be on: ntpd (a server with a wrong clock produces logs nobody can correlate and breaks Kerberos) and atd.
# chkconfig ntpd on
# service ntpd start
# chkconfig atd on
Two more daemons are useful on file servers. Both open network listeners, and FTP carries credentials in cleartext unless vsftpd is configured for TLS (sftp over the sshd you already run is usually the better answer), so enable them only on hosts that actually serve that role and restrict them with the host firewall, in the spirit of the "Servers only" category in the SCAP guidance below:
# chkconfig vsftpd on
# chkconfig nfs on
After you perform those steps the resulting configuration looks roughly like the following. (This listing is from a different, Red Hat-registered box: it has rhnsd, rhsmcertd, iSCSI, FCoE and libvirt services that the CentOS listing above lacks, and kdump, lvm2-monitor, mdmonitor and spice-vdagentd are still on, so compare it with your own output rather than expecting an exact match.)
# chkconfig --list | fgrep ":on"
abrt-ccpp        0:off 1:off 2:off 3:on  4:off 5:on  6:off
abrt-oops        0:off 1:off 2:off 3:on  4:off 5:on  6:off
abrtd            0:off 1:off 2:off 3:on  4:off 5:on  6:off
acpid            0:off 1:off 2:on  3:on  4:on  5:on  6:off
atd              0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
autofs           0:off 1:off 2:off 3:on  4:on  5:on  6:off
cpuspeed         0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond            0:off 1:off 2:on  3:on  4:on  5:on  6:off
fcoe             0:off 1:off 2:on  3:on  4:on  5:on  6:off
gpm              0:off 1:off 2:on  3:on  4:on  5:on  6:off
haldaemon        0:off 1:off 2:off 3:on  4:on  5:on  6:off
irqbalance       0:off 1:off 2:off 3:on  4:on  5:on  6:off
iscsi            0:off 1:off 2:off 3:on  4:on  5:on  6:off
iscsid           0:off 1:off 2:off 3:on  4:on  5:on  6:off
kdump            0:off 1:off 2:off 3:on  4:on  5:on  6:off
libvirt-guests   0:off 1:off 2:on  3:on  4:on  5:on  6:off
lldpad           0:off 1:off 2:on  3:on  4:on  5:on  6:off
lvm2-monitor     0:off 1:on  2:on  3:on  4:on  5:on  6:off
mcelogd          0:off 1:off 2:off 3:off 4:off 5:on  6:off
mdmonitor        0:off 1:off 2:on  3:on  4:on  5:on  6:off
messagebus       0:off 1:off 2:on  3:on  4:on  5:on  6:off
netfs            0:off 1:off 2:off 3:on  4:on  5:on  6:off
network          0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfslock          0:off 1:off 2:off 3:on  4:on  5:on  6:off
ntpd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
portreserve      0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix          0:off 1:off 2:on  3:on  4:on  5:on  6:off
rhnsd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
rhsmcertd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
rpcbind          0:off 1:off 2:on  3:on  4:on  5:on  6:off
rpcgssd          0:off 1:off 2:off 3:on  4:on  5:on  6:off
rpcidmapd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
rsyslog          0:off 1:off 2:on  3:on  4:on  5:on  6:off
spice-vdagentd   0:off 1:off 2:off 3:off 4:off 5:on  6:off
sshd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat          0:off 1:on  2:on  3:on  4:on  5:on  6:off
udev-post        0:off 1:on  2:on  3:on  4:on  5:on  6:off
xinetd           0:off 1:off 2:off 3:on  4:on  5:on  6:off
You can disable additional daemons if you need higher security. See the SCAP Guide to the Secure Configuration of Red Hat Enterprise Linux 5, the relevant part of which is reproduced below. It was written for RHEL 5, so a few service names differ on RHEL 6 (portmap became rpcbind, syslog became rsyslog, and kudzu no longer exists), but the reasoning carries over unchanged.
3.1.1 - Determine which Services are Enabled at Boot
Run the command:
# chkconfig --list | grep :on
The first column of this output is the name of a service which is currently enabled at boot. Review each listed service to determine whether it can be disabled. If it is appropriate to disable some service srvname, do so using the command:
# chkconfig srvname off
Use the guidance below for information about unfamiliar services.
3.1.2 - Guidance on Default Services
The table in this section contains a list of all services which are enabled at boot by a default RHEL5 installation. For each service, one of the following recommendations is made:
* Enable: The service provides a significant capability with limited risk exposure. Leave the service enabled.
* Configure: The service either is required for most systems to function properly or provides an important security function. It should be left enabled by most environments. However, it must be configured securely on all machines, and different options may be needed for workstations than for servers. See the referenced section for recommended configuration of this service.
* Disable if possible: The service opens the system to some risk, but may be required by some environments. See the appropriate section of the guide, and disable the service if at all possible.
* Servers only: The service provides some function to other machines over the network. If that function is needed in the target environment, the service should remain enabled only on a small number of dedicated servers, and should be disabled on all other machines on the network.
Service name      Action               Reference
acpid             Enable               3.3.15.2
anacron           Disable if possible  3.4
apmd              Disable if possible  3.3.15.1
atd               Configure            3.4
auditd            Configure            2.6.2
autofs            Disable if possible  2.2.2.3
avahi-daemon      Disable if possible  3.7
bluetooth         Disable if possible  3.3.14
cpuspeed          Enable               3.3.15.3
crond             Configure            3.4
cups              Disable if possible  3.8
firstboot         Disable if possible  3.3.1
gpm               Disable if possible  3.3.2
haldaemon         Disable if possible  3.3.13.2
hidd              Disable if possible  3.3.14.2
hplip             Disable if possible  3.8.4.1
ip6tables         Configure            2.5.5
iptables          Configure            2.5.5
irqbalance        Enable               3.3.3
isdn              Disable if possible  3.3.4
kdump             Disable if possible  3.3.5
kudzu             Disable if possible  3.3.6
mcstrans          Disable if possible  2.4.3.2 (SELinux)
mdmonitor         Disable if possible  3.3.7
messagebus        Disable if possible  3.3.13.1
microcode_ctl     Disable if possible  3.3.8
netfs             Disable if possible  3.13 (NFS)
network           Enable               3.3.9
nfslock           Disable if possible  3.13 (NFS)
pcscd             Disable if possible  3.3.10
portmap           Disable if possible  3.13 (NFS)
readahead_early   Disable if possible  3.3.12
readahead_later   Disable if possible  3.3.12
restorecond       Enable               2.4.3.3 (SELinux)
rhnsd             Disable if possible  2.1.2.2
rpcgssd           Disable if possible  3.13 (NFS)
rpcidmapd         Disable if possible  3.13 (NFS)
sendmail          Configure            3.11
setroubleshoot    Disable if possible  2.4.3.1 (SELinux)
smartd            Enable               3.3.11
sshd              Servers only         3.5
syslog            Configure            2.6.1
xfs               Disable if possible  3.6 (X11)
yum-updatesd      Disable if possible  2.1.2.3.2
3.1.3 - Guidance for Unfamiliar Services
If the system is running any services which have not been covered, determine what these services do, and disable them if they are not needed or if they pose a high risk. If a service srvname is unknown, try running:
$ rpm -qf /etc/init.d/srvname
to discover which RPM package installed the service. Then, run:
$ rpm -qi rpmname
for a brief description of what that RPM does.
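The procedure in 3.1.1 through 3.1.3 (list what is enabled at boot, look each service up in the table, investigate the rest with rpm) is easy to script. The following is an added example, not part of the guide or of this page: it parses chkconfig --list output handed to it as a string, so it can be run against a listing saved from another host, and maps each boot-enabled service to the action in the 3.1.2 table. The sample listing at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): triage `chkconfig --list` output against
# the action table in section 3.1.2. Service names are the RHEL5 names used
# by the table; anything not in the table is reported as unfamiliar with the
# rpm commands from 3.1.3 to run next.

# enabled_at_boot LISTING: first column of every line whose second field is a
# runlevel entry and which is on in runlevel 3 or 5. Lines under
# "xinetd based services:" have no runlevel fields and are skipped.
enabled_at_boot() {
    printf '%s\n' "$1" | awk '$2 ~ /^0:/ && /[35]:on/ { print $1 }'
}

# guide_action SERVICE: the action recommended by the 3.1.2 table.
guide_action() {
    case "$1" in
        acpid|cpuspeed|irqbalance|network|restorecond|smartd)
            echo "Enable" ;;
        atd|auditd|crond|ip6tables|iptables|sendmail|syslog)
            echo "Configure" ;;
        sshd)
            echo "Servers only" ;;
        anacron|apmd|autofs|avahi-daemon|bluetooth|cups|firstboot|gpm|haldaemon|hidd|hplip|isdn|kdump|kudzu|mcstrans|mdmonitor|messagebus|microcode_ctl|netfs|nfslock|pcscd|portmap|readahead_early|readahead_later|rhnsd|rpcgssd|rpcidmapd|setroubleshoot|xfs|yum-updatesd)
            echo "Disable if possible" ;;
        *)
            echo "unfamiliar: run rpm -qf /etc/init.d/$1, then rpm -qi on that package" ;;
    esac
}

# review_services LISTING: one "service<TAB>action" line per boot-enabled service.
review_services() {
    for svc in $(enabled_at_boot "$1"); do
        printf '%s\t%s\n' "$svc" "$(guide_action "$svc")"
    done
}

# Constructed sample in `chkconfig --list` format (a handful of lines only).
SAMPLE_LISTING="$(printf '%s\n' \
  'kudzu          0:off 1:off 2:on  3:on  4:on  5:on  6:off' \
  'sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off' \
  'iptables       0:off 1:off 2:off 3:off 4:off 5:off 6:off' \
  'bluetooth      0:off 1:off 2:off 3:off 4:off 5:on  6:off' \
  'NetworkManager 0:off 1:off 2:on  3:on  4:on  5:on  6:off' \
  'xinetd based services:' \
  '        rsync:  off')"

review_services "$SAMPLE_LISTING"

# On a real box (as root) triage the live listing instead:
#   review_services "$(chkconfig --list)"
```

Note that iptables, which is off in the sample, is not reported at all: the script only answers "what is enabled that the guide says to disable", so a missing firewall has to be caught by the "Configure" entries of the table, not by this listing.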
3.2 - Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this consensus, these services are not installed as part of RHEL5 by default. Organizations which are running these services should prioritize switching to more secure services which provide the needed functionality. If it is absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software (see Section 2.5.5) to restrict access to the vulnerable service to only those remote hosts which have a known need to use it.
3.2.1 - Inetd and Xinetd
Is there an operational need to run the deprecated inetd or xinetd software packages? If not, ensure that they are removed from the system:
# yum erase inetd xinetd
Beginning with Red Hat Enterprise Linux 5, the xinetd service is no longer installed by default. This change represents increased awareness that the dedicated network listener model does not improve security or reliability of services, and that restriction of network listeners is better handled using a granular model such as SELinux than using xinetd's limited security options.
CCE-4234-1 Inetd and Xinetd The inetd service should be enabled or disabled as appropriate.
CCE-4252-3 Inetd and Xinetd The xinetd service should be enabled or disabled as appropriate.
CCE-4023-8 Inetd and Xinetd The inetd package should be installed or uninstalled as appropriate.
CCE-4164-0 Inetd and Xinetd The xinetd package should be installed or uninstalled as appropriate.
3.2.2 - Telnet
Is there a mission-critical reason for users to access the system via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure that the telnet server is removed from the system:
# yum erase telnet-server
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the session to gain authenticated access to the telnet server. Organizations which use telnet should be actively working to migrate to a more secure protocol. See Section 3.5 for information about the SSH service.
CCE-3390-2 Telnet The telnet service should be enabled or disabled as appropriate.
CCE-4330-7 Telnet The telnet-server package should be installed or uninstalled as appropriate.
3.2.3 - Rlogin, Rsh, and Rcp
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
3.2.3.1 - Remove the Rsh Server Commands from the System
Is there a mission-critical reason for users to access the system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and scp? If not, ensure that the rsh server is removed from the system:
# yum erase rsh-server
SSH was designed to be a drop-in replacement for the r-commands, which suffer from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a case in which these commands cannot be replaced with SSH.
CCE-3974-3 Remove the Rsh Server Commands from the System The rcp service should be enabled or disabled as appropriate.
CCE-4141-8 Remove the Rsh Server Commands from the System The rsh service should be enabled or disabled as appropriate.
CCE-3537-8 Remove the Rsh Server Commands from the System The rlogin service should be enabled or disabled as appropriate.
CCE-4308-3 Remove the Rsh Server Commands from the System The rsh package should be installed or uninstalled as appropriate.
3.2.3.2 - Remove .rhosts Support from PAM Configuration Files
Check that pam_rhosts authentication is not used by any PAM services. Run the command:
# grep -l pam_rhosts /etc/pam.d/*
This command should return no output. The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any PAM-based services, so, on an uncustomized system, this command should return no output. If any files do use pam_rhosts, modify them to make use of a more secure authentication method instead. For more information about PAM, see Section 2.3.3.
3.2.4 - NIS
The NIS client service ypbind is not activated by default. In the event that it was activated at some point, disable it by executing the command:
# chkconfig ypbind off
The NIS server package is not installed by default. In the event that it was installed at some point, remove it from the system by executing the command:
# yum erase ypserv
The Network Information Service (NIS), also known as "Yellow Pages" (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information.
CCE-3705-1 NIS The ypbind service should be enabled or disabled as appropriate.
CCE-4348-9 NIS The ypserv package should be installed or uninstalled as appropriate.
3.2.5 - TFTP Server
Is there an operational need to run the deprecated TFTP server software? If not, ensure that it is removed from the system:
# yum erase tftp-server
TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found.
CCE-4273-9 TFTP Server The tftp service should be enabled or disabled as appropriate.
CCE-3916-4 TFTP Server The tftp-server package should be installed or uninstalled as appropriate.
3.3 - Base Services
This section addresses the base services that are configured to start up on boot in a RHEL5 default installation. Some of these services listen on the network and should be treated with particular discretion. The other services are local system utilities that may or may not be extraneous. Each of these services should be disabled if not required.
3.3.1 - Installation Helper Service (firstboot)
Firstboot is a daemon specific to the Red Hat installation process. It handles "one-time" configuration following successful installation of the operating system. As such, there is no reason for this service to remain enabled. Disable firstboot by issuing the command:
# chkconfig firstboot off
CCE-3412-4 Installation Helper Service (firstboot) The firstboot service should be enabled or disabled as appropriate.
3.3.2 - Console Mouse Service (gpm)
GPM is the service that controls the text console mouse pointer. (The X Windows mouse pointer is unaffected by this service.) If mouse functionality in the console is not required, disable this service:
# chkconfig gpm off
Although it is preferable to run as few services as possible, the console mouse pointer can be useful for preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.
CCE-4229-1 Console Mouse Service (gpm) The gpm service should be enabled or disabled as appropriate.
3.3.3 - Interrupt Distribution on Multiprocessor Systems (irqbalance)
The goal of the irqbalance service is to optimize the balance between power savings and performance through distribution of hardware interrupts across multiple processors. In a server environment with multiple processors, this provides a useful service and should be left enabled. If a machine has only one processor, the service may be disabled:
# chkconfig irqbalance off
CCE-4123-6 Interrupt Distribution on Multiprocessor Systems (irqbalance) The irqbalance service should be enabled or disabled as appropriate.
3.3.4 - ISDN Support (isdn)
The ISDN service facilitates Internet connectivity in the presence of an ISDN modem. If an ISDN modem is not being used, disable this service:
# chkconfig isdn off
CCE-4286-1 ISDN Support (isdn) The isdn service should be enabled or disabled as appropriate.
3.3.5 - Kdump Kernel Crash Analyzer (kdump)
Kdump is a new kernel crash dump analyzer. It uses kexec to boot a secondary kernel ("capture" kernel) following a system crash. The kernel dump from the system crash is loaded into the capture kernel for analysis. Unless the system is used for kernel development or testing, disable the service:
# chkconfig kdump off
CCE-3425-6 Kdump Kernel Crash Analyzer (kdump) The kdump service should be enabled or disabled as appropriate.
3.3.6 - Kudzu Hardware Probing Utility (kudzu)
Is there a mission-critical reason for console users to add new hardware to the system? If not:
# chkconfig kudzu off
Kudzu, Red Hat's hardware detection program, represents an unnecessary security risk as it allows unprivileged users to perform hardware configuration without authorization. Unless this specific functionality is required, Kudzu should be disabled.
CCE-4211-9 Kudzu Hardware Probing Utility (kudzu) The kudzu service should be enabled or disabled as appropriate.
3.3.7 - Software RAID Monitor (mdmonitor)
The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). This service is extraneous unless software RAID is in use (which is not common). If software RAID monitoring is not required, disable this service:
# chkconfig mdmonitor off
CCE-3854-7 Software RAID Monitor (mdmonitor) The mdmonitor service should be enabled or disabled as appropriate.
3.3.8 - IA32 Microcode Utility (microcode_ctl)
microcode_ctl is a microcode utility for use with Intel IA32 processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc). If the system is not running an Intel IA32 processor, disable this service:
# chkconfig microcode_ctl off
CCE-4356-2 IA32 Microcode Utility (microcode_ctl) The microcode_ctl service should be enabled or disabled as appropriate.
3.3.9 - Network Service (network)
The network service allows associated network interfaces to access the network. This section contains general guidance for controlling the operation of the service. For kernel parameters which affect networking, see Section
CCE-4369-5 Network Service (network) The network service should be enabled or disabled as appropriate.
3.3.9.1 - Disable All Networking if Not Needed
If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable this service:
# chkconfig network off
3.3.9.2 - Disable All External Network Interfaces if Not Needed
If the system does not require network communications but still needs to use the loopback interface, remove all files of the form ifcfg-interface except for ifcfg-lo from /etc/sysconfig/network-scripts:
# rm /etc/sysconfig/network-scripts/ifcfg-interface
3.3.9.3 - Disable Zeroconf Networking
Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:
NOZEROCONF=yes
Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server.
3.3.10 - Smart Card Support (pcscd)
The pcscd service provides support for Smart Cards and Smart Card Readers. If Smart Cards are not in use on the system, disable this service:
# chkconfig pcscd off
CCE-4100-4 Smart Card Support (pcscd) The pcscd service should be enabled or disabled as appropriate.
3.3.11 - SMART Disk Monitoring Support (smartd)
SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. This technology is considered to bring relatively low security risk, and can be useful. Leave this service running if the system's hard drives are SMART-capable. Otherwise, disable it:
# chkconfig smartd off
CCE-3455-3 SMART Disk Monitoring Support (smartd) The smartd service should be enabled or disabled as appropriate.
3.3.12 - Boot Caching (readahead_early/readahead_later)
The following services provide one-time caching of files belonging to some boot services, with the goal of allowing the system to boot faster. It is recommended that this service be disabled on most machines:
# chkconfig readahead_early off
# chkconfig readahead_later off
The readahead services do not substantially increase a system's risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file caching substantially improves system boot time, this guide recommends disabling the services.
CCE-4421-4 Boot Caching (readahead_early/readahead_later) The readahead_early service should be enabled or disabled as appropriate.
CCE-4302-6 Boot Caching (readahead_early/readahead_later) The readahead_later service should be enabled or disabled as appropriate.
3.3.13 - Application Support Services
The following services are software projects of freedesktop.org that are meant to provide system integration through a series of common APIs for applications. They are heavily integrated into the X Windows environment. If the system is not using X Windows, these services can typically be disabled.
3.3.13.1 - D-Bus IPC Service (messagebus)
D-Bus is an IPC mechanism that provides a common channel for inter-process communication. If no services which require D-Bus are in use, disable this service:
# chkconfig messagebus off
A number of default services make use of D-Bus, including X Windows (Section 3.6), Bluetooth (Section 3.3.14) and Avahi (Section 3.7). This guide recommends that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them. Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon(1). D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.
CCE-3822-4 D-Bus IPC Service (messagebus) The messagebus service should be enabled or disabled as appropriate.
3.3.13.2 - HAL Daemon (haldaemon)
The haldaemon service provides a dynamic way of managing device interfaces. It automates device configuration and provides an API for making devices accessible to applications through the D-Bus interface.
CCE-4364-6 HAL Daemon (haldaemon) The haldaemon service should be enabled or disabled as appropriate.
3.3.13.2.1 - Disable HAL Daemon if Possible
HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary:
# chkconfig haldaemon off
3.3.13.2.2 - Configure HAL Daemon if Necessary
HAL provides a limited user the ability to mount system devices. This is primarily used by X utilities such as gnome-volume-manager to perform automounting of removable media. HAL configuration is currently only possible through a series of fdi files located in /usr/share/hal/fdi/. Note: The HAL future road map includes a mandatory framework for managing administrative privileges called PolicyKit. To prevent users from accessing devices through HAL, create the file /etc/hal/fdi/policy/99-policy-all-drives.fdi with the contents:
<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="volume">
      <merge key="volume.ignore" type="bool">true</merge>
    </match>
  </device>
</deviceinfo>
The above code matches any device labeled with the volume capability (any device capable of being mounted will be labeled this way) and sets the corresponding volume.ignore key to true, indicating that the volume should be ignored. This both makes the volume invisible to the UI, and denies mount attempts by unprivileged users.
3.3.14 - Bluetooth Support
Bluetooth provides a way to transfer information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles over a short-range wireless link. Any wireless communication presents a serious security risk to sensitive or classified systems. Section 2.5.2 contains information on the related topic of wireless networking. Removal of hardware is the only way to ensure that the Bluetooth wireless capability remains disabled. If it is completely impractical to remove the Bluetooth hardware module, and site policy still allows the device to enter sensitive spaces, every effort to disable the capability via software should be made. In general, acquisition policy should include provisions to prevent the purchase of equipment that will be used in sensitive spaces and includes Bluetooth capabilities.
3.3.14.1 - Bluetooth Host Controller Interface Daemon (bluetooth)
The bluetooth service enables the system to use Bluetooth devices. If the system requires no Bluetooth devices, disable this service:
# chkconfig bluetooth off
CCE-4355-4 Bluetooth Host Controller Interface Daemon (bluetooth) The bluetooth service should be enabled or disabled as appropriate.
3.3.14.2 - Bluetooth Input Devices (hidd)
The hidd service provides support for Bluetooth input devices. If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this service:
# chkconfig hidd off
CCE-4377-8 Bluetooth Input Devices (hidd) The hidd service should be enabled or disabled as appropriate.
3.3.14.3 - Disable Bluetooth Kernel Modules
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to /etc/modprobe.conf to prevent the loading of the Bluetooth module:
alias net-pf-31 off
The unexpected name, net-pf-31, is a result of how the kernel requests modules for network protocol families; it is an alias for the bluetooth module.
On RHEL 6 the file /etc/modprobe.conf is no longer read; put the line in a file under /etc/modprobe.d/ instead. Note also that the alias form only blocks the kernel's own request for protocol family 31; an explicit "modprobe bluetooth" still loads the module. The RHEL 6 edition of this guide therefore uses the form "install bluetooth /bin/true" (plus "install net-pf-31 /bin/true"), which makes any load attempt run /bin/true instead. Either way, confirm after a reboot that "lsmod | grep bluetooth" prints nothing.
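Three of the checks in this part of the guide (3.2.3.2, no PAM service file references pam_rhosts; 3.3.9.3, NOZEROCONF=yes in /etc/sysconfig/network; 3.3.14.3, the bluetooth module is blocked in the modprobe configuration) are simple enough to turn into a small compliance script. The following is an added example, not the guide's own code: each check takes the file contents as a string, so it can be run against copies of the files collected from another host, and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): three configuration checks as functions
# that take file contents as an argument and return 0 (pass) or 1 (fail).

# pam_rhosts_unused PAMD_TEXT: concatenated contents of /etc/pam.d/*.
# Comment lines are ignored, so a commented-out module line is not a finding.
pam_rhosts_unused() {
    ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'pam_rhosts'
}

# zeroconf_disabled NETWORK_TEXT: contents of /etc/sysconfig/network.
# The last uncommented NOZEROCONF assignment wins, as it does for the shell
# that sources the file; surrounding quotes are tolerated.
zeroconf_disabled() {
    val=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
          | sed -n 's/^NOZEROCONF=//p' | tail -n 1 | tr -d "\"'")
    [ "$val" = "yes" ]
}

# bluetooth_module_disabled MODPROBE_TEXT: concatenated modprobe configuration
# (/etc/modprobe.conf on RHEL5, /etc/modprobe.d/*.conf on RHEL6). Accepts the
# guide's "alias net-pf-31 off" as well as the "install ... /bin/true" form.
bluetooth_module_disabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
      | grep -Eq '^(alias[[:space:]]+net-pf-31[[:space:]]+off|install[[:space:]]+(bluetooth|net-pf-31)[[:space:]]+/bin/true)[[:space:]]*$'
}

# check NAME FUNCTION TEXT: one PASS/FAIL line, like a minimal scanner report.
check() {
    if "$2" "$3"; then printf '%-26s PASS\n' "$1"; else printf '%-26s FAIL\n' "$1"; fi
}

# Constructed samples: a passing and a failing input for each check.
PAMD_OK='auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
# auth     sufficient   pam_rhosts.so'
PAMD_BAD='auth       sufficient   pam_rhosts.so
auth       required     pam_unix.so'
NET_OK='NETWORKING=yes
HOSTNAME=server.example.com
NOZEROCONF=yes'
NET_BAD='NETWORKING=yes
HOSTNAME=server.example.com'
MOD_OK='alias net-pf-31 off'
MOD_BAD='alias eth0 e1000e'

check pam_rhosts_unused         pam_rhosts_unused         "$PAMD_OK"
check pam_rhosts_unused         pam_rhosts_unused         "$PAMD_BAD"
check zeroconf_disabled         zeroconf_disabled         "$NET_OK"
check zeroconf_disabled         zeroconf_disabled         "$NET_BAD"
check bluetooth_module_disabled bluetooth_module_disabled "$MOD_OK"
check bluetooth_module_disabled bluetooth_module_disabled "$MOD_BAD"

# Against the live system (as root), for example:
#   check pam_rhosts_unused pam_rhosts_unused "$(cat /etc/pam.d/*)"
#   check zeroconf_disabled zeroconf_disabled "$(cat /etc/sysconfig/network)"
#   check bluetooth_module_disabled bluetooth_module_disabled "$(cat /etc/modprobe.d/*.conf)"
```

Keeping the file reads outside the check functions is deliberate: the same functions then work on files pulled from a jump host, a backup, or a kickstart tree, which is where such audits usually have to run.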
3.3.15 - Power Management Support
The following services provide an interface to power management functions. These functions include monitoring battery power, system hibernate/suspend, CPU throttling, and various power-save utilities.
3.3.15.1 - Advanced Power Management Subsystem (apmd)
The apmd service provides last generation power management support. If the system is capable of ACPI support, or if power management is not necessary, disable this service:
# chkconfig apmd off
APM is being replaced by ACPI and should be considered deprecated. As such, it can be disabled if ACPI is supported by your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version information, then APM can safely be disabled without loss of functionality.
CCE-4289-5 Advanced Power Management Subsystem (apmd) The apmd service should be enabled or disabled as appropriate.
3.3.15.2 - Advanced Configuration and Power Interface (acpid)
The acpid service provides next generation power management support. Leave this service enabled unless power management features are not needed.
CCE-4298-6 Advanced Configuration and Power Interface (acpid) The acpid service should be enabled or disabled as appropriate.
3.3.15.3 - CPU Throttling (cpuspeed)
The cpuspeed service uses hardware support to throttle the CPU when the system is idle. Unless CPU power optimization is unnecessary, leave this service enabled.
CCE-4051-9 CPU Throttling (cpuspeed) The cpuspeed service should be enabled or disabled as appropriate.
3.4 - Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively.
CCE-4324-0 Cron and At Daemons The crond service should be enabled or disabled as appropriate.
3.4.1 - Disable anacron if Possible
Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:
# yum erase anacron
The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots. However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.
CCE-4406-5 Disable anacron if Possible The anacron service should be enabled or disabled as appropriate.
CCE-4428-9 Disable anacron if Possible The anacron package should be installed or uninstalled as appropriate.
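The script below is an added illustration, not part of the hardening guide quoted above or of the Softpanorama site: it turns the checks of sections 3.3.15 and 3.4 into a small audit for an always-on server. It parses text in the format of `chkconfig --list` (a constructed sample is embedded), tests for ACPI support the way the apmd section describes it, and reports which of apmd, acpid, cpuspeed, crond and anacron deviate from the recommended state. The function names, the policy encoding and the assumption that /proc/acpi/info signals ACPI support with a line containing "version" are mine, not the guide's.

```sh
#!/bin/sh
# Added audit helper for the service recommendations in sections 3.3.15 and 3.4.
# Assumptions (not from the guide): chkconfig --list output is parsed as plain
# text, and /proc/acpi/info counts as "ACPI present" when it holds a version line.

# Constructed sample of `chkconfig --list` output for an always-on server
# (not captured from a real host). apmd and anacron are both still enabled.
SAMPLE_LISTING='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# acpi_supported [FILE]: true when the ACPI info file exists, is non-empty and
# carries a version line, the condition the guide gives for disabling apmd.
acpi_supported() {
  f=${1:-/proc/acpi/info}
  [ -s "$f" ] && grep -qi 'version' "$f"
}

# build_policy yes|no: prints "service expected-state" pairs for an always-on
# machine. apmd is only required to be off when ACPI support was detected.
build_policy() {
  printf 'acpid on\ncpuspeed on\ncrond on\nanacron off\n'
  if [ "$1" = yes ]; then
    printf 'apmd off\n'
  fi
}

# service_state LISTING SERVICE RUNLEVEL: prints on, off, or "missing" when
# the service is not registered with chkconfig at all.
service_state() {
  printf '%s\n' "$1" | awk -v n="$2" -v l="$3" '
    $1 == n {
      found = 1
      for (i = 2; i <= NF; i++) {
        split($i, kv, ":")
        if (kv[1] == l) print kv[2]
      }
    }
    END { if (!found) print "missing" }'
}

# audit_services LISTING yes|no: one line per policy entry, OK or FAIL, judged
# at runlevel 3 (the usual multi-user level for servers).
audit_services() {
  listing=$1
  build_policy "$2" | while read -r svc want; do
    have=$(service_state "$listing" "$svc" 3)
    # A service that is not registered never starts at boot, which satisfies
    # an "off" expectation (e.g. anacron after `yum erase anacron`).
    if [ "$have" = missing ] && [ "$want" = off ]; then have=off; fi
    if [ "$have" = "$want" ]; then status=OK; else status=FAIL; fi
    printf '%s %s expected=%s actual=%s\n' "$status" "$svc" "$want" "$have"
  done
}

# count_failures LISTING yes|no: prints the number of non-compliant services.
count_failures() {
  audit_services "$1" "$2" | grep -c '^FAIL' || true
}

# Stand-alone run against the constructed sample; on a real host replace
# "$SAMPLE_LISTING" with "$(chkconfig --list)".
if acpi_supported; then acpi=yes; else acpi=no; fi
audit_services "$SAMPLE_LISTING" "$acpi"
```

On the sample, a host with ACPI support gets two FAIL lines (apmd and anacron still enabled); without ACPI support only anacron is flagged, because the guide leaves apmd alone on hardware that lacks ACPI.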
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Copyright in the original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: July 28, 2019