5.4 Minimizing Active Services

Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:

cupsd and lpd (print services)

sendmail (email delivery service)

sshd (OpenSSH services)

If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.

If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the chkconfig and service commands to disable the service.

For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date. To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.

# ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services

Unless specifically stated otherwise, consider disabling the services in the following table if they are not used on your system:

Service          Description
---------------  -----------
anacron          Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously.
apmd             (Advanced Power Management Daemon) Provides information on power management and battery status, and allows programmed response to power management events. Primarily intended for use on laptop machines.
automount        Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality.
bluetooth        Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
firstboot        Configures a system when you first log in after installation. Controlled by the /etc/rc.d/init.d/firstboot script. firstboot does not run unless RUN_FIRSTBOOT=YES is set in /etc/sysconfig/firstboot. If /etc/reconfigSys exists or if you specify reconfig in the kernel boot arguments, firstboot runs in reconfiguration mode. Disable this service on servers following successful installation.
gpm              (General Purpose Mouse) Provides support for the mouse pointer in a text console.
haldaemon        (Hardware Abstraction Layer Daemon) Maintains a real-time database of the devices that are connected to a system. Applications can use the HAL API to discover and interact with newly attached devices. Primarily intended for use on laptop and user desktop machines to support hot-plug devices. Caution: Do not disable this service. Many applications rely on this functionality.
hidd             (Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
irqbalance       Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality.
iscsi            Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices.
iscsid           Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices.
kdump            Allows a kdump kernel to be loaded into memory at boot time or a kernel dump to be saved if the system panics. Disable this service on servers that you do not use for debugging or testing.
mcstrans         Controls the SELinux Context Translation System service.
mdmonitor        Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID.
messagebus       Broadcasts notifications of system events and other messages relating to hardware events via the system-wide D-BUS message bus. Caution: Do not disable this service. Many applications rely on this functionality.
microcode_ctl    Runs microcode that is required for IA32 processors only. Disable this service on servers that do not have such processors.
pcscd            (PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication.
sandbox          Sets up /tmp, /var/tmp, and home directories to be used with the pam_namespace, sandbox, and xguest application confinement utilities. Disable this service if you do not use these programs.
setroubleshoot   Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool.
smartd           Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing.
xfs              Caches fonts in memory to improve the performance of X Window System applications.

You should consider disabling the following network services if they are not used on your system:

Service          Description
---------------  -----------
avahi-daemon     Implements Apple's Zero Configuration Networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality.
cups             Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality.
hplip            Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality.
isdn             (Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices.
netfs            Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality.
network          Activates all network interfaces that are configured to start at boot time.
NetworkManager   Switches network connections automatically to use the best connection that is available.
nfslock          Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality.
nmb              Provides NetBIOS name services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
portmap          Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality.
rhnsd            Queries the Unbreakable Linux Network (ULN) for updates and information.
rpcgssd          Used by NFS. Disable this service on servers that do not require this functionality.
rpcidmapd        Used by NFS. Disable this service on servers that do not require this functionality.
smb              Provides SMB network services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

To stop a service and prevent it from starting when you reboot the system, use the following commands:

# service service_name stop
# chkconfig service_name off

Alternatively, use the Service Configuration GUI (system-config-services) to configure services.
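The following audit script is an added example and is not part of the Oracle guide: it reads standard chkconfig --list output and reports which of the disable-candidate services from the tables above are still enabled at runlevels 2 to 5, and it checks that /etc/services is owned by root and writable only by root. The function names and the --live switch are this example's own; haldaemon and messagebus are left out of the candidate list because the guide says not to disable them.

```shell
#!/bin/sh
# Added audit helper (not from the Oracle guide). Run with --live on a host
# that uses SysV init and chkconfig; without --live the functions are only defined.

# Services the guide lists as candidates for disabling when unused.
# haldaemon and messagebus are deliberately excluded (the guide says keep them).
CANDIDATES="anacron apmd automount bluetooth firstboot gpm hidd irqbalance iscsi iscsid kdump mcstrans mdmonitor microcode_ctl pcscd sandbox setroubleshoot smartd xfs avahi-daemon cups hplip isdn netfs nfslock nmb portmap rpcgssd rpcidmapd smb"

# Reads 'chkconfig --list' output on stdin and prints each candidate service that
# is ':on' at any of runlevels 2-5, one per line. xinetd lines ("name:  off")
# never match because their first field carries a trailing colon.
enabled_candidates() {
    awk -v cands="$CANDIDATES" '
        BEGIN { n = split(cands, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) {
            for (f = 2; f <= NF; f++) {
                split($f, kv, ":")
                lvl = kv[1] + 0
                if (lvl >= 2 && lvl <= 5 && kv[2] == "on") { print $1; break }
            }
        }'
}

# Checks that a file is owned by root and carries no group or other write bit,
# parsing the POSIX 'ls -ld' format (mode is field 1, owner is field 3).
# Prints "ok" and returns 0 when the file meets the guide's requirement.
check_root_only_writable() {
    file=$1
    set -- $(ls -ld "$file")
    mode=$1; owner=$3
    gw=$(printf '%s' "$mode" | cut -c6)   # group write position
    ow=$(printf '%s' "$mode" | cut -c9)   # other write position
    if [ "$owner" != root ]; then echo "owned by $owner, not root"; return 1; fi
    if [ "$gw" != - ] || [ "$ow" != - ]; then echo "writable by group or other ($mode)"; return 1; fi
    echo ok
}

# Live mode: list enabled candidates to review, then check /etc/services.
if [ "${1:-}" = --live ]; then
    chkconfig --list | enabled_candidates
    check_root_only_writable /etc/services
fi
```

Each service name printed by the live run is one to review against the tables and, if unused, stop with service and disable with chkconfig as shown above.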