TUNING SERVICES & SYSCTL

RedHat / Centos minimal services

I always disable most of the services which are activated by a default CentOS 5.3 installation.

To disable them, run the following commands:

chkconfig anacron off
chkconfig apmd off
chkconfig atd off
chkconfig autofs off
chkconfig cpuspeed off
chkconfig cups off
chkconfig cups-config-daemon off
chkconfig gpm off
chkconfig isdn off
chkconfig netfs off
chkconfig nfslock off
chkconfig openibd off
chkconfig pcmcia off
chkconfig portmap off
chkconfig rawdevices off
chkconfig readahead_early off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig smartd off
chkconfig xfs off
chkconfig ip6tables off
chkconfig avahi-daemon off
chkconfig firstboot off
chkconfig yum-updatesd off
chkconfig mcstrans off
chkconfig pcscd off
chkconfig bluetooth off
chkconfig hidd off

And you might also consider disabling these:

chkconfig sendmail off
chkconfig xinetd off
chkconfig acpid off
chkconfig microcode_ctl off
chkconfig irqbalance off
chkconfig haldaemon off
chkconfig messagebus off
chkconfig mdmonitor off
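An added audit helper, not part of the original post: it reads `chkconfig --list` output (a constructed sample is embedded) and reports which services from the two lists above are still switched on at runlevels 3, 4 or 5, plus any xinetd-managed service that is still on. The service names and the listing format are those of CentOS 5; on a live host pass `"$(chkconfig --list)"` instead of the sample.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Reads `chkconfig --list`
# output and reports services from the disable lists that are still "on" at
# runlevels 3, 4 or 5, plus xinetd-managed services that are still on.

# Both lists of services the post switches off, space separated.
DISABLE_LIST="anacron apmd atd autofs cpuspeed cups cups-config-daemon gpm isdn \
netfs nfslock openibd pcmcia portmap rawdevices readahead_early rpcgssd rpcidmapd \
smartd xfs ip6tables avahi-daemon firstboot yum-updatesd mcstrans pcscd bluetooth \
hidd sendmail xinetd acpid microcode_ctl irqbalance haldaemon messagebus mdmonitor"

# Constructed sample of `chkconfig --list` output in CentOS 5 format.
SAMPLE_CHKCONFIG='anacron        0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xfs            0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:  off
        tftp:   on'

# still_enabled <listing>: print each service in DISABLE_LIST whose
# runlevel 3, 4 or 5 entry is "on" in the given listing, one per line.
still_enabled() {
    printf '%s\n' "$1" | awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) target[want[i]] = 1 }
        # SysV lines: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        NF == 8 && ($1 in target) && ($5 ~ /:on$/ || $6 ~ /:on$/ || $7 ~ /:on$/) { print $1 }'
}

# xinetd_enabled <listing>: print xinetd-managed services marked "on".
xinetd_enabled() {
    printf '%s\n' "$1" | awk '
        /^xinetd based services:/ { inx = 1; next }
        inx && NF == 2 && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Live usage: still_enabled "$(chkconfig --list)"; xinetd_enabled "$(chkconfig --list)"
```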


anacron

Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:
# yum erase anacron

The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots.

However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.

apmd – Advanced Power Management Subsystem

If the system is capable of ACPI support, or if power management is not necessary, disable this service:
# chkconfig apmd off

APM is being replaced by ACPI and should be considered deprecated. As such, it can be disabled if ACPI is supported by your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version information, then APM can safely be disabled without loss of functionality.

autofs – Automounter

If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service:
# chkconfig autofs off

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.

Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

avahi-daemon

The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. By default, it is enabled.

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it is particularly important to reduce the system’s vulnerability to such attacks.

Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

By default, inbound connections to Avahi’s port are allowed. If the Avahi server is not being used, this exception should be removed from the firewall configuration. See Section 2.5.5 for more information about the Iptables firewall.

bluetooth and hidd

If the system requires no Bluetooth devices, disable this service:
# chkconfig bluetooth off

If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this service:
# chkconfig hidd off

Add the following to /etc/modprobe.conf to prevent the loading of the Bluetooth module:
alias net-pf-31 off

cups and cupsd

Do you need the ability to print from this machine or to allow others to print to it? If not:
# chkconfig cups off

firstboot – Installation Helper Service

Firstboot is a daemon specific to the Red Hat installation process. It handles “one-time” configuration following successful installation of the operating system. As such, there is no reason for this service to remain enabled.

Disable firstboot by issuing the command:
# chkconfig firstboot off

gpm – Console Mouse Service

GPM is the service that controls the text console mouse pointer. (The X Windows mouse pointer is unaffected by this service.)

If mouse functionality in the console is not required, disable this service:
# chkconfig gpm off

Although it is preferable to run as few services as possible, the console mouse pointer can be useful for preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.

haldaemon – HAL Daemon

The haldaemon service provides a dynamic way of managing device interfaces. It automates device configuration
and provides an API for making devices accessible to applications through the D-Bus interface.

HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary:
# chkconfig haldaemon off

hplip – The HP Linux Imaging and Printing (HPLIP) Toolkit

The HPLIP package is an HP printing support utility that is installed and enabled in a default installation. The HPLIP package is comprised of two separate components. The first is the main HPLIP service and the second is a smaller subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides higher level printing support (such as bi-directional I/O, scanning, photo card, and toolbox functionality). HPIJS is a lower level basic printing driver that provides basic support for non-PostScript HP printers.

Since the HPIJS driver will still function without the added HPLIP service, HPLIP should be disabled unless the specific higher level functions that HPLIP provides are needed by a non-PostScript HP printer on the system.
# chkconfig hplip off

isdn – ISDN Support

The ISDN service facilitates Internet connectivity in the presence of an ISDN modem.

If an ISDN modem is not being used, disable this service:
# chkconfig isdn off

kdump – Kdump Kernel Crash Analyzer

Kdump is a new kernel crash dump analyzer. It uses kexec to boot a secondary kernel (“capture” kernel) following a system crash. The kernel dump from the system crash is loaded into the capture kernel for analysis.

Unless the system is used for kernel development or testing, disable the service:
# chkconfig kdump off

kudzu – Kudzu Hardware Probing Utility

Is there a mission-critical reason for console users to add new hardware to the system? If not:
# chkconfig kudzu off

Kudzu, Red Hat’s hardware detection program, represents an unnecessary security risk as it allows unprivileged users to perform hardware configuration without authorization. Unless this specific functionality is required, Kudzu should be disabled.

mcstrans – MCS Translation Service

Unless there is some overriding need for the convenience of category label translation, disable the MCS translation service:
# chkconfig mcstrans off

The mcstransd daemon provides the category label translation information defined in /etc/selinux/targeted/setrans.conf to client processes which request this information.
Category labelling is unlikely to be used except in sites with special requirements. Therefore, it should be disabled in order to reduce the amount of potentially vulnerable code running on the system. See Section 2.4.6 for more information about systems which use category labelling.

mdmonitor – Software RAID Monitor

The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). This service is extraneous unless software RAID is in use (which is not common).

If software RAID monitoring is not required, disable this service:
# chkconfig mdmonitor off

messagebus – D-Bus IPC Service

D-Bus is an IPC mechanism that provides a common channel for inter-process communication.

If no services which require D-Bus are in use, disable this service:
# chkconfig messagebus off

A number of default services make use of D-Bus, including X Windows, Bluetooth and Avahi. We recommend that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them.

Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon. D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.

microcode_ctl – IA32 Microcode Utility

microcode_ctl is a microcode utility for use with Intel IA32 processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc.).

If the system is not running an Intel IA32 processor, disable this service:
# chkconfig microcode_ctl off

Disable All NFS Services if Possible (nfslock, rpcgssd, rpcidmapd, netfs)

If NFS is not needed, perform the following steps to disable NFS client daemons:
# chkconfig nfslock off
# chkconfig rpcgssd off
# chkconfig rpcidmapd off

The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions.

All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture.

Determine whether any network filesystems handled by netfs are mounted on this system:
# mount -t nfs,nfs4,smbfs,cifs,ncpfs

If this command returns no output, disable netfs to improve system security:
# chkconfig netfs off

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself.

pcscd – Smart Card Support

If Smart Cards are not in use on the system, disable this service:
# chkconfig pcscd off

portmap – RPC Portmapper

If:

  • NFS is not needed
  • The site does not rely on NIS for authentication information, and
  • The machine does not run any other RPC-based service

then disable the RPC portmapper service:
# chkconfig portmap off

By design, the RPC model does not require particular services to listen on fixed ports, but instead uses a daemon, portmap, to tell prospective clients which ports to use to contact the services they are trying to reach. This model weakens system security by introducing another privileged daemon which may be directly attacked, and is unnecessary because RPC was never adopted by enough services to risk using up all the ports on a system.

Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your site is using any RPC-based services, including NFS, NIS, or any third-party or custom RPC-based program. If none of these programs are in use, however, portmap should be disabled to improve system security.

In order to get more information about whether portmap may be disabled on a given host, query the local portmapper using the command:
# rpcinfo -p

If the only services listed are portmapper and status, it is safe to disable the portmapper. If other services are listed and your site is not running NFS or NIS, investigate these services and disable them if possible.
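The rpcinfo check above, as an added example that is not part of the original post: it decides from `rpcinfo -p` output (two constructed samples are embedded, one idle host and one serving NFS) whether anything other than portmapper and status is registered, which is the condition the text gives for switching portmap off.

```shell
#!/bin/sh
# Added check (not from the original post): decide from `rpcinfo -p` output
# whether portmap can be switched off, i.e. whether anything besides
# portmapper and status is registered with it.

# Constructed sample: a host running only the portmapper and status.
RPCINFO_IDLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    868  status
    100024    1   tcp    871  status'

# Constructed sample: a host that is also serving NFS.
RPCINFO_NFS='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    868  status
    100021    1   udp  32769  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    892  mountd
    100005    1   tcp    895  mountd'

# rpc_extra_services <listing>: print the registered RPC services other
# than portmapper and status, one per line, without duplicates.
rpc_extra_services() {
    printf '%s\n' "$1" | awk '
        # Data lines start with a numeric program number and have 5 fields.
        NF == 5 && $1 ~ /^[0-9]+$/ && $5 != "portmapper" && $5 != "status" { print $5 }' |
        sort -u
}

# portmap_disable_ok <listing>: succeed (exit 0) when nothing but
# portmapper and status is registered, so portmap can be turned off.
portmap_disable_ok() {
    [ -z "$(rpc_extra_services "$1")" ]
}

# Live usage:
#   if portmap_disable_ok "$(rpcinfo -p)"; then echo "portmap can be disabled"; fi
#   rpc_extra_services "$(rpcinfo -p)"   # services to investigate first
```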

readahead_early/readahead_later – Boot Caching

The following services provide one-time caching of files belonging to some boot services, with the goal of allowing the system to boot faster.

It is recommended that these services be disabled on most machines:
# chkconfig readahead_early off
# chkconfig readahead_later off

The readahead services do not substantially increase a system’s risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file caching substantially improves system boot time, this guide recommends disabling the services.

rhnsd

The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is actually necessary to schedule updates remotely through the RHN website, it is recommended that the service be disabled.
# chkconfig rhnsd off

The rhnsd daemon is enabled by default, but until the system has been registered with the Red Hat Network, it will not run. However, once the registration process is complete, the rhnsd daemon will run in the background and periodically call the rhn_check utility. It is the rhn_check utility that communicates with the Red Hat Network web site.

This utility is not required for the system to be able to access and install system updates. Once the system has been registered, either use the provided yum-updatesd service or create a cron job to automatically apply updates.

setroubleshoot

Is there a mission-critical reason to allow users to view SELinux denial information using the sealert GUI? If not, disable the service and remove the RPM:
# chkconfig setroubleshoot off
# yum erase setroubleshoot

The setroubleshoot service is a facility for notifying the desktop user of SELinux denials in a user-friendly fashion. SELinux errors may provide important information about intrusion attempts in progress, or may give information about SELinux configuration problems which are preventing correct system operation. In order to maintain a secure and usable SELinux installation, error logging and notification is necessary.

However, setroubleshoot is a service which has complex functionality, which runs a daemon and uses IPC to distribute information which may be sensitive, or even to allow users to modify SELinux settings, and which does not yet implement real authentication mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit functionality to monitor SELinux’s behavior.

In addition, since setroubleshoot automatically runs client-side code whenever a denial occurs, regardless of whether the setroubleshootd daemon is running, it is recommended that the program be removed entirely unless it is needed.

xfs – X Font Server

Disable the xfs helper service:
# chkconfig xfs off

The system’s X.org requires the X Font Server service (xfs) to function. The xfs service will be started automatically if X.org is activated via startx. Therefore, it is safe to prevent xfs from starting at boot when X is disabled, even if users are allowed to run X manually.

yum-updatesd

Disable the yum-updatesd service:
# chkconfig yum-updatesd off

Create the file yum.cron, make it executable, and place it in /etc/cron.daily:
#!/bin/sh
# Update yum itself first: -R 120 waits a random 0-120 minutes to spread load,
# -e 0 -d 0 keep error/debug output minimal, -y answers yes to prompts.
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
# Then update every other package, with a shorter random delay.
/usr/bin/yum -R 10 -e 0 -d 0 -y update

This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.

Kernel tuning settings, in /etc/sysctl.conf form:

# Kernel tuning settings for CentOS5,
# busy webserver with lots of free memory.

# Big queue for the network device
net.core.netdev_max_backlog=30000

# Lots of local ports for connections
net.ipv4.tcp_max_tw_buckets=2000000

# Bump up send/receive buffer sizes
net.core.rmem_default=262141
net.core.wmem_default=262141
net.core.rmem_max=262141
net.core.wmem_max=262141

# Disable TCP selective acknowledgements
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0

# Decrease the amount of time we spend
# trying to maintain connections
net.ipv4.tcp_retries2=5
net.ipv4.tcp_fin_timeout=60
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=3

# Increase the number of incoming connections
# that can queue up before dropping
net.core.somaxconn=256

# Increase option memory buffers
net.core.optmem_max=20480

There are plenty of other sysctl options to tune, but the above made the most difference.

And netstat -s is your friend.
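An added drift check, not part of the original post: it compares the intended sysctl values (a subset of the list above, in sysctl.conf form) with what the running kernel reports in `sysctl -a` format and prints every key whose value differs or is not reported at all. The current-values listing here is constructed; on a live host pass `"$(sysctl -a 2>/dev/null)"` as the second argument.

```shell
#!/bin/sh
# Added drift check (not from the original post): compare the intended
# sysctl settings with what the running kernel reports and print every
# key whose value differs or is absent.

# Intended values, in /etc/sysctl.conf form (a subset of the post's list).
WANTED='# network queue and buffers
net.core.netdev_max_backlog=30000
net.ipv4.tcp_max_tw_buckets=2000000
net.core.rmem_max=262141
net.core.wmem_max=262141
net.ipv4.tcp_sack=0
net.ipv4.tcp_fin_timeout=60
net.core.somaxconn=256'

# Constructed sample of `sysctl -a` output: two values drifted back to
# defaults and net.core.somaxconn is not reported at all.
SAMPLE_CURRENT='net.core.netdev_max_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 180000
net.core.rmem_max = 262141
net.core.wmem_max = 262141
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_rmem = 4096 87380 4194304'

# sysctl_drift <wanted> <current>: print "key expected actual" for each
# wanted key that differs, or "key expected missing" if not reported.
sysctl_drift() {
    { printf '%s\n' "$2"; echo '---WANTED---'; printf '%s\n' "$1"; } | awk '
        NF == 0 || /^#/ { next }
        /^---WANTED---$/ { mode = 1; next }
        # Current values: "key = value" (value may contain spaces).
        mode == 0 && $2 == "=" { key = $1; sub(/^[^=]*= */, ""); cur[key] = $0; next }
        # Wanted values: "key=value".
        mode == 1 {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            if (!(key in cur)) print key, val, "missing"
            else if (cur[key] != val) print key, val, cur[key]
        }'
}

# Live usage: sysctl_drift "$WANTED" "$(sysctl -a 2>/dev/null)"
```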
