This is the eighth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.
In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5 we enabled system accounting, in Part 6 we minimized network services and in Part 7 we configured the firewall. In this post we minimize boot services.
A Word of Caution
The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:
- Backing up the server
- Reviewing the content of all scripts before running them
- Testing the actions on a non-production server
The hardening steps in these posts were performed in the order posted. Performing these steps in a different order may result in unpredictable behavior. Also, all these scripts MUST be run as root, not via sudo.
User Defined Services
The following services are referred to as User Defined by CIS. This means they should only be started if they are critical to fulfilling the mission of the server.
| User Defined Service | Description |
|---|---|
| acpid | The daemon for the Advanced Configuration and Power Interface (ACPI). |
| ip6tables | Used to implement IP filters when the server is configured for IPv6 network connectivity. If using IPv4, then disable this service and enable iptables. |
| anacron | A command scheduler similar to cron; however, unlike cron, it does not assume that the system is continuously up. Run anacron only on systems that are not up 24x7. anacron was specifically developed for laptops or servers that are brought down at non-peak hours. |
| apmd | The daemon for Advanced Power Management (APM), generally only used on laptops. |
| irqbalance | Used to distribute interrupts over the system's processors/cores. Optional for single-processor/single-core servers. |
| iscsi | Only required if the system uses SCSI devices (typically, storage arrays). |
| iscsid | Only required if the system uses SCSI devices (typically, storage arrays). |
| lm_sensors | Linux monitoring sensors, an open-source tool for hardware monitoring. |
| lvm2-monitor | An application that monitors your LVM (Logical Volume Management) system. If you manually partition drives, then this service can be disabled. |
| mcstrans | A translation daemon used with SELinux to translate SELinux categories to user-defined categories. |
| mdmonitor | Part of the mdadm package for administering software RAID configurations; mdmonitor monitors the health of the RAID configuration. |
| microcode_ctl | A utility for the IA32 processor (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4 etc.) microcode driver. |
| network | Technically user defined, but in practice nearly always required. |
| readahead_early | A hard disk read cache. |
| readahead_later | A hard disk read cache. |
| restorecond | An SELinux daemon that monitors file creation and sets the default SELinux context. Required if running SELinux. |
| rhnsd | A daemon that periodically queries the Red Hat Network for updates. |
| sendmail | A mail transfer agent (MTA). |
| smartd | The SMART disk monitoring daemon. SMART is the Self-Monitoring And Reporting Technology built into many ATA, SCSI and IDE drives. |
Boot Services
The following table shows the state of all boot services after a minimal install of OEL as described in these posts. The CIS column shows the CIS recommended state for the service.
Notes:
- An N/A in the State columns indicates the service is not installed when using the minimal install procedures described in these posts.
- An N/A in the CIS column indicates that CIS has not made a recommendation with regards to this service.
Columns 0 through 6 give the state at each run level after the minimal install described in these posts. In the CIS column, UD means User Defined (see the table above). The last two columns say whether the CIS script and the SecureDBA version of the script disable the service.

| Service | 0 | 1 | 2 | 3 | 4 | 5 | 6 | CIS | Disabled by CIS Script | Disabled by SecureDBA Script |
|---|---|---|---|---|---|---|---|---|---|---|
| NetworkManager | off | off | off | off | off | off | off | off | yes | yes |
| NetworkManagerDispatcher | N/A | N/A | N/A | N/A | N/A | N/A | N/A | on | no | no |
| acpid | off | off | on | on | on | on | off | UD | yes | yes[i] |
| amd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| anacron | off | off | on | on | on | on | off | UD | yes | yes[i] |
| apmd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | UD | yes | yes[i] |
| arptables_if | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| arpwatch | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| atd | off | off | off | on | on | on | off | off | yes | yes |
| auditd | off | off | on | on | on | on | off | on | no | no |
| autofs | off | off | off | on | on | on | off | off | yes | yes |
| avahi-daemon | off | off | off | on | on | on | off | off | yes | yes |
| avahi-dnsconfd | off | off | off | off | off | off | off | off | yes | yes |
| bgpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| bluetooth | off | off | on | on | on | on | off | off | yes | yes |
| bootparamd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| capi | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| conman | off | off | off | off | off | off | off | off | yes | yes |
| cpuspeed | off | on | on | on | on | on | off | off | no | yes[ii] |
| crond | off | off | on | on | on | on | off | on | no | no |
| cups | off | off | on | on | on | on | off | off | yes | yes |
| cyrus-imapd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dc_client | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dc_server | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dhcdbd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dhcp6s | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dhcpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dhcrelay | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dovecot | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| dnsmasq | off | off | off | off | off | off | off | N/A | no | yes[iii] |
| dund | off | off | off | off | off | off | off | off | yes | yes |
| firstboot | off | off | off | on | off | on | off | on | yes | yes[iv] |
| gpm | off | off | on | on | on | on | off | off | yes | yes |
| haldaemon | off | off | off | on | on | on | off | off | yes | yes |
| hidd | off | off | on | on | on | on | off | off | yes | yes |
| hplip | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| httpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ibmasm | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| innd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | yes[ii] |
| ip6tables | off | off | on | on | on | on | off | UD | yes | yes[i] |
| ipmi | off | off | off | off | off | off | off | off | yes | yes |
| iptables | off | off | on | on | on | on | off | on | no | no[i] |
| irda | off | off | off | off | off | off | off | off | yes | yes |
| irqbalance | off | off | on | on | on | on | off | UD | no | no[i] |
| iscsi | [v] | [v] | [v] | [v] | [v] | [v] | [v] | UD | yes | yes[i] |
| iscsid | [v] | [v] | [v] | [v] | [v] | [v] | [v] | UD | yes | yes[i] |
| isdn | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| kadmin | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| kdump | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| kprop | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| krb524 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| krb5kdc | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| kudzu | off | off | off | on | on | on | off | off | yes | yes |
| ldap | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| lisa | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| lm_sensors | N/A | N/A | N/A | N/A | N/A | N/A | N/A | UD | yes | yes |
| lvm2-monitor | off | on | on | on | on | on | off | N/A | no | no[i],[vi] |
| mailman | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| mcstrans | off | off | on | on | on | on | off | UD | yes | no[i],[vii] |
| mdmonitor | off | off | on | on | on | on | off | UD | yes | yes[i] |
| mdmpd | off | off | off | off | off | off | off | off | yes | yes |
| messagebus | off | off | off | on | on | on | off | on | no | no |
| microcode_ctl | N/A | N/A | N/A | N/A | N/A | N/A | N/A | UD | yes | yes[i] |
| multipathd | off | off | off | off | off | off | off | off | yes | yes |
| mysqld | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| named | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| netconsole | off | off | off | off | off | off | off | N/A | no | yes[iii] |
| netfs | off | off | off | on | on | on | off | off | yes | yes |
| netplugd | off | off | off | off | off | off | off | off | yes | yes |
| network | off | off | on | on | on | on | off | UD | no | no[i] |
| nfs | off | off | off | off | off | off | off | off | yes | yes |
| nfslock | off | off | off | on | on | on | off | off | yes | yes |
| nscd | off | off | off | off | off | off | off | off | yes | yes |
| ntpd | off | off | off | off | off | off | off | on | yes | no[viii] |
| openibd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ospf6d | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ospfd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| pand | off | off | off | off | off | off | off | off | yes | yes |
| pcscd | off | off | on | on | on | on | off | off | yes | yes |
| portmap | off | off | off | on | on | on | off | off | yes | yes |
| postfix | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | yes[ii] |
| postgresql | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| privoxy | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| psacct | off | off | off | off | off | off | off | off | yes | yes |
| radiusd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | yes[ii] |
| radvd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| rarpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| rawdevices | off | off | off | on | on | on | off | N/A | no | yes[ii] |
| rdisc | off | off | off | off | off | off | off | off | yes | yes |
| readahead_early | off | off | on | on | on | on | off | UD | yes | yes[i] |
| readahead_later | off | off | off | off | off | on | off | UD | yes | yes[i] |
| restorecond | off | off | on | on | on | on | off | on | no | no |
| rhnsd | off | off | on | on | on | on | off | UD | yes | yes[i] |
| ripd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ripngd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| rpcgssd | off | off | off | on | on | on | off | off | yes | yes |
| rpcidmapd | off | off | off | on | on | on | off | off | yes | yes |
| rpcsvcgssd | off | off | off | off | off | off | off | off | yes | yes |
| rstatd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| rusersd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| rwhod | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| saslauthd | off | off | off | off | off | off | off | off | yes | yes |
| sendmail | off | off | on | on | on | on | off | UD | no | no[i],[xi] |
| setroubleshoot | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| smartd | off | off | on | on | on | on | off | UD | yes | yes |
| smb | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| snmpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| snmptrapd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| spamassassin | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| squid | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| sshd | off | off | on | on | on | on | off | on | no | no |
| *(service name garbled in source; likely syslog)* | off | off | on | on | on | on | off | on | no | no |
| sysstat | off | off | on | on | off | on | off | on | no | no |
| tog-pegasus | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| tomcat5 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| tux | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| vncserver | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | yes[ii] |
| vsftpd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | yes[ii] |
| winbind | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| wine | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | yes | yes[ix] |
| wpa_supplicant | off | off | off | off | off | off | off | off | yes | yes |
| xend | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| xendomains | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| xfs | off | off | on | on | on | on | off | off | no | yes[x] |
| xinetd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | no | no[xi] |
| ypbind | off | off | off | off | off | off | off | off | yes | yes |
| yppasswdd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ypserv | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| ypxfrd | N/A | N/A | N/A | N/A | N/A | N/A | N/A | off | yes | yes |
| yum-updatesd | off | off | on | on | on | on | off | on | no | no |
[i] See note in User Defined Services table above.
[ii] It is not clear why CIS recommends that this service be disabled but then does not disable it in their script. The SecureDBA version of the script disables the service.
[iii] It is unclear why CIS does not address this service. It should be disabled and the SecureDBA version of the script does so.
[iv] It is unclear why CIS says this service should be enabled but then disables it in their script. We presume this is because the service is no longer needed after the initial boot.
[v] This service should only be installed if the system uses SCSI devices, typically storage arrays.
[vi] It is unclear why CIS does not address this service. lvm2-monitor is an application that monitors your LVM (Logical Volume Management) system. If you manually partition drives, then this service can be disabled.
[vii] Though User Defined, should be enabled on a secure OEL install as SELinux is enabled by default.
[viii] It is unclear why CIS recommends this service be on and then disables it in the script. The SecureDBA version of the script does not disable this service.
[ix] It is unclear why CIS does not address this service but then correctly recommends disabling it.
[x] CIS handles this service separately. The SecureDBA version of the script disables this service.
[xi] This service is handled separately below and not disabled by this script.
Secure umask
As with Red Hat, the default umask of the OEL server is set to 022 and should be at least 027. If you run services that require a less restrictive mask, then modify their startup scripts to set the umask appropriately.
Download the following script to secure the umask and run as root:
Download cis_script6_umask.sh (0.3K)
If possible, disable xinetd
If you performed a minimal install of OEL as per these posts, then the xinetd service is not installed as per the above table and no further action is needed.
Otherwise run the following command to see if xinetd is configured to start:
chkconfig --list xinetd
If it is not, then no further action is needed.
If it is, then you'll need to check if there are any remaining services enabled by xinetd. Remember, we disabled many xinetd services in Part 6. Take the following steps to make this determination:
- cd /etc/xinetd.d
- For each service listed here, run chkconfig --list <service_name>
If any are enabled, then you need to determine if these services are required. If they are not, simply run the following for each service (xinetd-managed services have no run levels, so chkconfig takes only the name and the new state):
chkconfig <service_name> off
If all the services have been disabled, then you can disable xinetd by running the following; the first and last commands show the state before and after the change:
chkconfig --list xinetd
chkconfig --level 12345 xinetd off
chkconfig --list xinetd
Secure sendmail
The CIS baseline does not provide hardening information for email servers. If the OEL server is acting as an email server, CIS recommends researching other documentation for assistance in securing the email server.
If not an email server, then make sure that the sendmail daemon is only listening on local host. This is called local-only mode and is the default configuration if OEL was installed according to these posts.
To check, run:
grep MTA /etc/mail/sendmail.cf | grep "Addr=127.0.0.1, " | wc -l
This should return 1 because MTA should only be bound to localhost based on the following entry:
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
Other MTA entries should be commented out if found.
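The grep above counts any line that contains both MTA and the loopback address, including a line that has been commented out, and it does not notice a second, uncommented DaemonPortOptions line that is bound to all addresses. The following shell function is an added example, not part of the post or its cis_script files: it reads a sendmail.cf on stdin and reports every active (uncommented) DaemonPortOptions line that is not bound to 127.0.0.1, treating a configuration with no active DaemonPortOptions line at all as a failure too, since sendmail then listens on its defaults. The two configuration fragments are constructed for the example and were not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): verify that sendmail.cf only
# opens listeners on the loopback address. Reads the file on stdin; on a live
# host run:  check_sendmail_local_only < /etc/mail/sendmail.cf

# Print every active DaemonPortOptions entry that lacks Addr=127.0.0.1.
# Exit status is 0 when all active entries are loopback-only, 1 otherwise.
check_sendmail_local_only() {
    awk '
        /^O DaemonPortOptions=/ {
            total++
            if ($0 !~ /Addr=127\.0\.0\.1/) {
                print "non-loopback listener: " $0
                bad++
            }
        }
        END {
            if (total == 0) {
                print "no active DaemonPortOptions entry found"
                exit 1
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sendmail.cf fragment: MTA bound to localhost, MSA commented out.
LOCAL_ONLY='# sendmail.cf excerpt (constructed for this example)
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
#O DaemonPortOptions=Port=submission, Name=MSA'

# Constructed fragment: a second, active MTA entry with no Addr= restriction.
# The grep in the post still returns 1 for this file, yet it listens everywhere.
LISTENS_EVERYWHERE='# sendmail.cf excerpt (constructed for this example)
O DaemonPortOptions=Port=smtp, Name=MTA
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA'

# Wrapper that reduces the check to "ok" or "exposed" for a configuration text.
classify() {
    if printf '%s\n' "$1" | check_sendmail_local_only >/dev/null; then
        echo ok
    else
        echo exposed
    fi
}

echo "local-only config: $(classify "$LOCAL_ONLY")"
echo "config with an unrestricted listener: $(classify "$LISTENS_EVERYWHERE")"
```

The check is deliberately stricter than the grep: any active DaemonPortOptions line without a loopback Addr= is reported, whatever its Name=, because a submission (MSA) listener on all interfaces is just as much a network service as the MTA one.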
Further, sendmail should be disabled and configured not to run as a daemon by downloading and running the following script as root: (Note that the email server need not be running to send outgoing mail.)
Download cis_script7_sendmail.sh (0.4K)
Disable GUI Login
If you have performed a minimal install according to these posts, then the GUI login has already been disabled. This is controlled by the run level specified in /etc/inittab.
Specifically, run level 3 (desired) is specified by the following line in /etc/inittab:
id:3:initdefault:
Run level 5 (GUI) is specified by the following line in /etc/inittab:
id:5:initdefault:
Download the following script and run as root to set a default run level of 3 and set the proper permissions on /etc/inittab:
Download cis_script8_run_level.sh (0.4K)
Disable Appropriate Boot Services
Run the following command to determine the boot state of services on the target server:
chkconfig --list
Compare the output to the table above. Pay particular attention to services that are recommended to be off that are on. Determine which services you can safely turn off for your particular environment.
Download the following script for disabling boot services:
Download cis_script9_boot_services.sh (3.9K)
Modify the script as needed to remove services that the OEL server requires and possibly add additional services that can be disabled. Then run the script as root.
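Both the xinetd check earlier in this post and the comparison of chkconfig --list output against the table come down to parsing that output. The following shell script is an added example, not one of the post's cis_script files: it reads chkconfig --list output on stdin, lists SysV services that are on in any of run levels 2 through 5, lists xinetd-managed services that are still enabled, and flags services that the table recommends off. The SHOULD_BE_OFF list is a constructed subset of the table's off recommendations and should be extended for your environment; the sample output is constructed to match the chkconfig --list layout, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original post): audit `chkconfig --list` output.
# Every function reads on stdin so the logic can be exercised offline; on a
# live OEL 5 host:  chkconfig --list | flag_unexpected

# Constructed subset of the services the table above marks "off" for CIS.
SHOULD_BE_OFF="atd autofs avahi-daemon bluetooth cups gpm haldaemon hidd kudzu netfs nfslock pcscd portmap rpcgssd rpcidmapd xfs"

# Print SysV services that are on in any of run levels 2-5. Lines look like
# "cups   0:off 1:off 2:on 3:on 4:on 5:on 6:off"; fields 3-6 are levels 2-5.
sysv_on() {
    awk '$2 ~ /^0:/ { for (i = 3; i <= 6; i++) if ($i ~ /:on$/) { print $1; break } }'
}

# Print xinetd-managed services that are enabled. They follow the
# "xinetd based services:" header as "<name>:   on|off" lines.
xinetd_on() {
    awk '/^xinetd based services:/ { in_x = 1; next }
         in_x && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Print SysV services that are on but appear in SHOULD_BE_OFF.
flag_unexpected() {
    for svc in $(sysv_on); do
        case " $SHOULD_BE_OFF " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Constructed sample of chkconfig --list output (spaces stand in for the tabs
# the real tool prints; awk splits on either).
SAMPLE=$(cat <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen-dgram:  off
        rsync:          on
        tftp:           off
EOF
)

echo "SysV services on in run levels 2-5:"
printf '%s\n' "$SAMPLE" | sysv_on
echo "xinetd services still enabled:"
printf '%s\n' "$SAMPLE" | xinetd_on
echo "On but recommended off by the table:"
printf '%s\n' "$SAMPLE" | flag_unexpected
```

Run against the real output, flag_unexpected gives the list of candidates for cis_script9_boot_services.sh, and xinetd_on tells you whether xinetd itself can be switched off as described above (an empty result means nothing is left behind it).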