The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:
cupsd and lpd (print services)
sendmail (email delivery service)
sshd (OpenSSH services)
If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.
If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the chkconfig and service commands to disable the service.
For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date. To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.
# ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services
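The ownership check described above, written as a small script. This is an added example and not part of the Oracle documentation: it confirms that /etc/services (or any file passed as an argument) is owned by root and not writable by group or others, and that its SELinux type is the etc_t shown in the ls -Z listing. The function names, the report wording, and the use of GNU stat format fields (%U, %a, %C) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not taken from the Oracle documentation: check that a file such
# as /etc/services is owned by root and writable only by root, and that its
# SELinux type matches the etc_t shown by 'ls -Z'. Function names are assumptions
# made for this example.

# check_perm_fields OWNER MODE
# Policy check on the values stat reports (OWNER is the user name, MODE the octal
# permission string such as 644 or 0644). Returns 0 when compliant, 1 otherwise,
# and prints one line per finding.
check_perm_fields() {
    owner=$1
    mode=$2
    status=0
    if [ "$owner" != "root" ]; then
        echo "owner is '$owner', expected root"
        status=1
    fi
    # Keep only the last three octal digits so a leading setuid/setgid/sticky
    # digit (e.g. 0644 or 1777) does not shift the group/other positions.
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    # The write bit is the value 2 in each octal digit.
    if [ $((${g:-0} & 2)) -ne 0 ]; then
        echo "group-writable (mode $mode)"
        status=1
    fi
    if [ $((${o:-0} & 2)) -ne 0 ]; then
        echo "world-writable (mode $mode)"
        status=1
    fi
    return $status
}

# check_selinux_type CONTEXT
# CONTEXT is the string 'stat -c %C' or 'ls -Z' prints. Returns 0 when the type
# field (third colon-separated field) is etc_t, or when no context is available
# ('?' on hosts without SELinux); returns 1 for any other type.
check_selinux_type() {
    case $1 in
        ""|"?") return 0 ;;
    esac
    setype=$(printf '%s' "$1" | cut -d: -f3)
    [ "$setype" = "etc_t" ]
}

# check_services_file [PATH]
# Gathers owner, mode and SELinux context with GNU stat and applies both checks.
# Returns 0 when the file complies, 1 on a finding, 2 when the file is missing.
check_services_file() {
    file=${1:-/etc/services}
    [ -e "$file" ] || { echo "$file does not exist"; return 2; }
    # GNU stat (coreutils): %U owner name, %a octal permissions, %C SELinux context.
    set -- $(stat -c '%U %a %C' "$file")
    status=0
    check_perm_fields "$1" "$2" || status=1
    check_selinux_type "$3" || { echo "SELinux type is not etc_t ($3)"; status=1; }
    return $status
}

# Stand-alone run against the real file: findings are printed, "ok" when clean.
check_services_file && echo "/etc/services: ok"
```

A non-zero exit from check_services_file is convenient for a cron job or a configuration-management check; the same two checks apply to any other file under /etc that controls service behaviour.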
Unless specifically stated otherwise, consider disabling the services in the following table if they are not used on your system:
| Service | Description |
|---|---|
| | Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously. |
| | (Advanced Power Management Daemon) Provides information on power management and battery status, and allows programmed response to power management events. Primarily intended for use on laptop machines. |
| | Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality. |
| | Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality. |
| | Configures a system when you first log in after installation. Controlled by the |
| | (General Purpose Mouse) Provides support for the mouse pointer in a text console. |
| | (Hardware Abstraction Layer Daemon) Maintains a real-time database of the devices that are connected to a system. Applications can use the HAL API to discover and interact with newly attached devices. Primarily intended for use on laptop and user desktop machines to support hot-plug devices. Caution: Do not disable this service. Many applications rely on this functionality. |
| | (Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality. |
| | Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality. |
| | Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices. |
| | Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices. |
| | Allows a |
| | Controls the SELinux Context Translation System service. |
| | Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID. |
| | Broadcasts notifications of system events and other messages relating to hardware events via the system-wide D-BUS message bus. Caution: Do not disable this service. Many applications rely on this functionality. |
| | Runs microcode that is required for IA32 processors only. Disable this service on servers that do not have such processors. |
| | (PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication. |
| | Sets up |
| | Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool. |
| | Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing. |
| | Caches fonts in memory to improve the performance of X Window System applications. |
You should consider disabling the following network services if they are not used on your system:
| Service | Description |
|---|---|
| | Implements Apple's Zero Configuration Networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality. |
| | Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality. |
| | Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality. |
| | (Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices. |
| | Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality. |
| | Activates all network interfaces that are configured to start at boot time. |
| | Switches network connections automatically to use the best connection that is available. |
| | Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality. |
| | Provides NetBIOS name services used by Samba. Disable this service and remove the |
| | Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality. |
| | Queries the Unbreakable Linux Network (ULN) for updates and information. |
| | Used by NFS. Disable this service on servers that do not require this functionality. |
| | Used by NFS. Disable this service on servers that do not require this functionality. |
| | Provides SMB network services used by Samba. Disable this service and remove the |
To stop a service and prevent it from starting when you reboot the system, use the following commands:
# service service_name stop
# chkconfig service_name off
Alternatively, use the Service Configuration GUI (system-config-services) to configure services.
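The service stop and chkconfig off procedure above, turned into a dry-run audit. This is an added example and not part of the Oracle documentation: it reads the output of chkconfig --list, compares every SysV service that is enabled in runlevel 3 or 5 against an allowlist of services the server must provide, and prints the stop and chkconfig off commands for everything else without running them, so the plan can be reviewed against the tables above before it is applied. The function names and the embedded sample listing are assumptions made for this example; the sample is constructed in the format chkconfig --list prints so that the script runs on any host, and the xinetd based services section is skipped because its listing format differs.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: build a plan of
# 'service NAME stop' / 'chkconfig NAME off' commands from 'chkconfig --list'
# and an allowlist of required services. Nothing is executed here; review the
# printed plan, then run it as root. Function names are assumptions.

# is_allowed NAME ALLOWLIST  (ALLOWLIST is a space-separated list of names)
is_allowed() {
    name=$1
    for allowed in $2; do
        [ "$allowed" = "$name" ] && return 0
    done
    return 1
}

# plan_disable ALLOWLIST < chkconfig_output
# Prints "service X stop" and "chkconfig X off" for every SysV service that is
# enabled in runlevel 3 or 5 and is not in ALLOWLIST. Lines after the
# "xinetd based services:" header are skipped (different format).
plan_disable() {
    allowlist=$1
    in_xinetd=0
    while IFS= read -r line; do
        case $line in
            "xinetd based services:"*) in_xinetd=1; continue ;;
            "") continue ;;
        esac
        [ "$in_xinetd" -eq 1 ] && continue
        # Fields: NAME 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        set -- $line
        name=$1
        enabled=0
        for field in "$@"; do
            case $field in
                3:on|5:on) enabled=1 ;;
            esac
        done
        [ "$enabled" -eq 1 ] || continue
        is_allowed "$name" "$allowlist" && continue
        echo "service $name stop"
        echo "chkconfig $name off"
    done
}

# Constructed sample in the format 'chkconfig --list' prints; replace with
#   chkconfig --list | plan_disable "sshd sendmail"
# on a real host.
SAMPLE_CHKCONFIG_LIST='bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

xinetd based services:
        rsync:          off'

# plan_count ALLOWLIST -- number of command lines the plan contains for the sample.
plan_count() {
    printf '%s\n' "$SAMPLE_CHKCONFIG_LIST" | plan_disable "$1" | wc -l | tr -d ' '
}

# Example run: the server only needs sshd and sendmail. Prints four lines:
# service bluetooth stop, chkconfig bluetooth off, service cups stop, chkconfig cups off.
printf '%s\n' "$SAMPLE_CHKCONFIG_LIST" | plan_disable "sshd sendmail"
```

The allowlist, not the table of candidates, is the control: anything enabled that is not on it is reported, so a service that appears on the system after a package installation is caught the next time the audit runs. Services that the tables mark with a caution (the HAL and D-BUS daemons) belong on the allowlist.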