25.9.4 Minimizing Active Services

The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

25.9.4 Minimizing Active Services

Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:

cupsd and lpd (print services)

sendmail (email delivery service)

sshd (openSSH services)

If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.

If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the chkconfig and service commands to disable the service.

For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date. To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.

# ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services

Unless specifically stated otherwise, consider disabling the services in the following table if they are not used on your system:

Service	Description
`anacron`	Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously.
`apmd`	(Advanced Power Management Daemon) Provides information on power management and battery status, and allows programmed response to power management events. Primarily intended for use on laptop machines.
`automount`	Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality.
`bluetooth`	Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
`firstboot`	Configures a system when you first log in after installation. Controlled by the `/etc/rc.d/init.d/firstboot` script. `firstboot` does not run unless `RUN_FIRSTBOOT=YES` is set in `/etc/sysconfig/firstboot`. If `/etc/reconfigSys` exists or if you specify `reconfig` in the kernel boot arguments, `firstboot` runs in reconfiguration mode. Disable this service on servers following successful installation.
`gpm`	(General Purpose Mouse) Provides support for the mouse pointer in a text console.
`haldaemon`	(Hardware Abstraction Layer Daemon) Maintains a real-time database of the devices that are connected to a system. Applications can use the HAL API to discover and interact with newly attached devices. Primarily intended for use on laptop and user desktop machines to support hot-plug devices. Caution Do not disable this service. Many applications rely on this functionality.
`hidd`	(Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
`irqbalance`	Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality.
`iscsi`	Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices.
`iscsid`	Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices.
`kdump`	Allows a `kdump` kernel to be loaded into memory at boot time or a kernel dump to be saved if the system panics. Disable this service on servers that you do not use for debugging or testing.
`mcstrans`	Controls the SELinux Context Translation System service.
`mdmonitor`	Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID.
`messagebus`	Broadcasts notifications of system events and other messages relating to hardware events via the system-wide D-BUS message bus. Caution Do not disable this service. Many applications rely on this functionality.
`microcode_ctl`	Runs microcode that is required for IA32 processors only. Disable this service on servers that do not have such processors.
`pcscd`	(PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication.
`sandbox`	Sets up `/tmp`, `/var/tmp`, and home directories to be used with the pam_namespace, sandbox, and xguest application confinement utilities. Disable this service if you do not use these programs.
`setroubleshoot`	Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool.
`smartd`	Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing.
`xfs`	Caches fonts in memory to improve the performance of X Window System applications.

You should consider disabling the following network services if they are not used on your system:

Service	Description
`avahi-daemon`	Implements Apple's Zero configuration networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality.
`cups`	Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality.
`hplip`	Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality.
`isdn`	(Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices.
`netfs`	Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality.
`network`	Activates all network interfaces that are configured to start at boot time.
`NetworkManager`	Switches network connections automatically to use the best connection that is available.
`nfslock`	Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality.
`nmb`	Provides NetBIOS name services used by Samba. Disable this service and remove the `samba` package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
`portmap`	Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality.
`rhnsd`	Queries the Unbreakable Linux Network (ULN) for updates and information.
`rpcgssd`	Used by NFS. Disable this service on servers that do not require this functionality.
`rpcidmapd`	Used by NFS. Disable this service on servers that do not require this functionality.
`smb`	Provides SMB network services used by Samba. Disable this service and remove the `samba` package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

To stop a service and prevent it from starting when you reboot the system, used the following commands:

# service service_name stop
# chkconfig service_name off

Alternatively, use the Service Configuration GUI (system-config-services) to configure services.