[Gllug] Core Services

Daniel P. Berrange dan at berrange.com
Tue Aug 19 08:40:20 UTC 2008


My personal recommendations would be ....

On Tue, Aug 19, 2008 at 08:46:42AM +0100, Stephen Nelson-Smith wrote:
> Redhat ships with a vast number of services switched on, out of the
> box, even with a very basic install:
> 
> 
> # chkconfig --list | grep 3:on
> acpid          	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Keep. Needed to process ACPI events

> anacron        	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Catches up on missed crontabs.

> atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable if you don't use 'at'

> auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Logs SELinux AVC denials.

> autofs         	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable if you don't need auto-mounting of NFS dirs

> avahi-daemon   	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable if you don't care about zero-conf discovery in GNOME

> bnx2id         	0:off	1:off	2:off	3:on	4:on	5:on	6:off

No clue what this is

> crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. There's various daily cron jobs you should be running

> dkms_autoinstaller	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Eeeewww. Kill !

> fusion.mptctl  	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Not sure what this is - think it's hardware specific

> haldaemon      	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Keep. Soo much depends on this

> hidd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Not sure what this is

> httpd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Disable if you don't need web serving. Better yet, uninstall

> iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Everyone should have firewalls, right :-)

> irqbalance     	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Open for debate, some people like it, some don't

> libvirtd       	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable unless you want to use Xen virtualization

> lvm2-monitor   	0:off	1:on	2:on	3:on	4:on	5:on	6:off

This is a new one for me - not sure what that does

> mcstrans       	0:off	1:off	2:on	3:on	4:on	5:on	6:off

SELinux Multi-Category System. You probably don't need it

> mdmonitor      	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Monitors MD devices. Disable if you don't have any of these

> messagebus     	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Keep. Needed for haldaemon and other DBus apps

> netfs          	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable unless you need to use NFS filesystems

> network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Gives you networking :-)

> nfslock        	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable unless you need to use NFS filesystems

> pcscd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Disable unless you use Smart Cards

> portmap        	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable unless you need to use NFS filesystems

> readahead_early	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Disable. No concrete proof that this improves performance. Often worsens it

> rhn-virtualization-host	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Disable unless this is a Xen host connected to RHN

> rhnsd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Communicates with RHN

> rpcgssd        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
> rpcidmapd      	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Both something to do with NFS4 auth. Can probably disable unless you know you need it

> smartd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Monitors disks for SMART errors.

> sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Gives you remote access

> syslog         	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Keep. Logs system messages

> yum-updatesd   	0:off	1:off	2:off	3:on	4:on	5:on	6:off

Disable unless you run a GNOME desktop with the yum update applet

> I have my own theories, but I'm just curious to know, for a base build
> which ones other people turn off.  I'm writing a little how-to for
> someone else to follow on hardening the base install, so other ideas
> and experiences would be welcome.  My own recent experience with a few
> hosting companies is "none at all - we're behind a firewall"....

Basically turn off everything unless you know you need it :-) At the very
least you'll cut your startup time in 1/2. You should also uninstall any
software you don't need - eg apache, virtualization

Daniel
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
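
An added example, not part of the original message or thread: a shell function that applies the "turn off everything unless you know you need it" rule to `chkconfig --list` output by reporting every service enabled in a runlevel that is not on an explicit keep-list. The keep-list is an assumption taken from the "Keep" verdicts in the reply above; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Keep-list (assumption: the services marked "Keep" in the reply above;
# adjust it to the role of the host being hardened).
KEEP="acpid anacron auditd crond haldaemon iptables messagebus network rhnsd sshd syslog"

# unexpected_services RUNLEVEL [KEEP_LIST]
# Reads `chkconfig --list` output on stdin and prints, sorted, every SysV
# service that is "on" in RUNLEVEL and absent from the keep-list.
unexpected_services() {
    runlevel=$1
    keep=${2:-$KEEP}
    awk -v rl="$runlevel" -v keep="$keep" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) allowed[k[i]] = 1
        }
        # SysV lines are: name + 7 runlevel columns. The xinetd section
        # ("name: on/off") and blank lines have fewer fields; skip them.
        NF < 8 { next }
        {
            for (f = 2; f <= NF; f++)
                if ($f == (rl ":on") && !($1 in allowed)) { print $1; break }
        }
    ' | sort
}

# Constructed sample: lines from the listing quoted above, plus one
# hypothetical disabled service and a hypothetical xinetd section.
sample_listing() {
    cat <<'EOF'
acpid          0:off 1:off 2:off 3:on  4:on 5:on 6:off
atd            0:off 1:off 2:off 3:on  4:on 5:on 6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on 5:on 6:off
httpd          0:off 1:off 2:on  3:on  4:on 5:on 6:off
lvm2-monitor   0:off 1:on  2:on  3:on  4:on 5:on 6:off
sshd           0:off 1:off 2:on  3:on  4:on 5:on 6:off
example-off    0:off 1:off 2:off 3:off 4:off 5:off 6:off

xinetd based services:
        example-xinetd: off
EOF
}

# On a real host:  chkconfig --list | unexpected_services 3
# After reviewing an entry:  chkconfig <name> off; service <name> stop
sample_listing | unexpected_services 3
```

Anything the function prints is a candidate for review rather than an automatic disable; hardware-specific entries still need checking against the machine before they are turned off.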