Deployment Guide

Part IV. Infrastructure Services

This part provides information on how to configure services and daemons, configure authentication, and enable remote logins.

Chapter 10. Services and Daemons

Maintaining security on your system is extremely important, and one approach to this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to the exploitation of bugs in it. This chapter explains the concept of runlevels and describes how to set the default one. It also covers the setup of the services to be run in each of these runlevels, and provides information on how to start, stop, and restart services on the command line using the service command.

When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. For more information, refer to the Red Hat Enterprise Linux 6 Security Guide.

10.1. Configuring the Default Runlevel

A runlevel is a state, or mode, defined by the services that are meant to be run when this runlevel is selected. Seven numbered runlevels exist (indexed from 0):

Table 10.1. Runlevels in Red Hat Enterprise Linux

| Runlevel | Description |
|---|---|
| 0 | Used to halt the system. This runlevel is reserved and cannot be changed. |
| 1 | Used to run in a single-user mode. This runlevel is reserved and cannot be changed. |
| 2 | Not used by default. You are free to define it yourself. |
| 3 | Used to run in a full multi-user mode with a command line user interface. |
| 4 | Not used by default. You are free to define it yourself. |
| 5 | Used to run in a full multi-user mode with a graphical user interface. |
| 6 | Used to reboot the system. This runlevel is reserved and cannot be changed. |
To check in which runlevel you are operating, type the following:

    ~]$ runlevel
    N 5

The runlevel command displays the previous and the current runlevel. In this case the current runlevel is number 5, which means the system is running in a full multi-user mode with a graphical user interface; the N in the first column means there was no previous runlevel, that is, the runlevel has not changed since boot. The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the end of the file similar to the following:

    id:5:initdefault:

To do so, edit this file as root and change the number on this line to the desired value. The change will take effect the next time you reboot the system. Never set the default to 0 or 6: init would halt or reboot the system as soon as it reads the file, before you can log in to correct it.

10.2. Configuring the Services

To allow you to configure which services are started at boot time, Red Hat Enterprise Linux is shipped with the following utilities: the Service Configuration graphical application, the ntsysv text user interface, and the chkconfig command line tool.

To ensure optimal performance on the POWER architecture, it is recommended that the irqbalance service is enabled. In most cases, this service is installed and configured to run during the Red Hat Enterprise Linux 6 installation. To verify that irqbalance is running, as root, type the following at a shell prompt:

    ~]# service irqbalance status
    irqbalance (pid 1234) is running...

10.2.1. Using the Service Configuration Utility

The Service Configuration utility is a graphical application developed by Red Hat to configure which services are started in a particular runlevel, as well as to start, stop, and restart them from the menu. To start the utility, select its entry from the panel menu, or type the command system-config-services at a shell prompt. The utility displays the list of all available services (services from the /etc/rc.d/init.d/ directory, as well as services controlled by xinetd) along with their description and the current status. For a complete list of used icons and an explanation of their meaning, see Table 10.2, "Possible service states".
Note that unless you are already authenticated, you will be prompted to enter the superuser password the first time you make a change.

10.2.1.1. Enabling and Disabling a Service

To enable a service, select it from the list and either click the Enable button on the toolbar, or choose the corresponding entry from the main menu. To disable a service, select it from the list and either click the Disable button on the toolbar, or choose the corresponding entry from the main menu.

10.2.1.2. Starting, Restarting, and Stopping a Service

To start a service, select it from the list and either click the Start button on the toolbar, or choose the corresponding entry from the main menu. Note that this option is not available for services controlled by xinetd, as they are started by it on demand.

To restart a running service, select it from the list and either click the Restart button on the toolbar, or choose the corresponding entry from the main menu. Note that this option is not available for services controlled by xinetd, as they are started and stopped by it automatically.

To stop a service, select it from the list and either click the Stop button on the toolbar, or choose the corresponding entry from the main menu. Note that this option is not available for services controlled by xinetd, as they are stopped by it when their job is finished.

10.2.1.3. Selecting Runlevels

To enable the service for certain runlevels only, select it from the list and either click the Customize button on the toolbar, or choose the corresponding entry from the main menu. Then select the checkbox beside each runlevel in which you want the service to run. Note that this option is not available for services controlled by xinetd.

10.2.2. Using the ntsysv Utility

The ntsysv utility is a command line application with a simple text user interface to configure which services are to be started in selected runlevels. To start the utility, type ntsysv at a shell prompt as root.
The utility displays the list of available services (the services from the /etc/rc.d/init.d/ directory) along with their current status and a description obtainable by pressing F1. For a list of used symbols and an explanation of their meaning, see Table 10.3, "Possible service states".

Table 10.3. Possible service states

| Symbol | Description |
|---|---|
| [*] | The service is enabled. |
| [ ] | The service is disabled. |
10.2.2.1. Enabling and Disabling a Service

To enable a service, navigate through the list using the Up and Down arrow keys, and select it with the Spacebar. An asterisk (*) appears in the brackets. To disable a service, navigate through the list using the Up and Down arrow keys, and toggle its status with the Spacebar. The asterisk (*) in the brackets disappears. Once you are done, use the Tab key to navigate to the Ok button, and confirm the changes by pressing Enter.

Keep in mind that ntsysv does not actually start or stop the service; it only changes what init starts in the selected runlevels. If you need to start or stop the service immediately, use the service command as described in Section 10.3.2, "Starting a Service".

10.2.2.2. Selecting Runlevels

By default, the ntsysv utility only affects the current runlevel. To enable or disable services for other runlevels, as root, run the command with the additional --level option followed by numbers from 0 to 6 representing each runlevel you want to configure:

    ntsysv --level runlevels

For example, to configure runlevels 3 and 5, type:

    ~]# ntsysv --level 35

10.2.3. Using the chkconfig Utility

The chkconfig utility is a command line tool that allows you to specify in which runlevels to start a selected service, as well as to list all available services along with their current setting. Note that with the exception of listing, you must have superuser privileges to use this command.

10.2.3.1. Listing the Services

To display a list of system services (services from the /etc/rc.d/init.d/ directory, as well as the services controlled by xinetd), either type chkconfig --list, or use chkconfig with no additional arguments. You will be presented with output similar to the following:

    ~]# chkconfig --list
    NetworkManager  0:off 1:off 2:on  3:on  4:on  5:on  6:off
    abrtd           0:off 1:off 2:off 3:on  4:off 5:on  6:off
    acpid           0:off 1:off 2:on  3:on  4:on  5:on  6:off
    anamon          0:off 1:off 2:off 3:off 4:off 5:off 6:off
    atd             0:off 1:off 2:off 3:on  4:on  5:on  6:off
    auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
    avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
    ... several lines omitted ...
    wpa_supplicant  0:off 1:off 2:off 3:off 4:off 5:off 6:off

    xinetd based services:
            chargen-dgram:  off
            chargen-stream: off
            cvs:            off
            daytime-dgram:  off
            daytime-stream: off
            discard-dgram:  off
            ... several lines omitted ...
            time-stream:    off

Each line consists of the name of the service followed by its status (on or off) for each of the seven numbered runlevels. For example, in the listing above, NetworkManager is enabled in runlevels 2, 3, 4, and 5, while abrtd runs in runlevels 3 and 5. The xinetd based services are listed at the end, being either on or off; they have no per-runlevel setting because xinetd starts them on demand, so they are only reachable in runlevels where xinetd itself runs. To display the current settings for a selected service only, use chkconfig --list followed by the name of the service:

    chkconfig --list service_name
For example, to display the current settings for the sshd service, type:

    ~]# chkconfig --list sshd
    sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off

You can also use this command to display the status of a service that is managed by xinetd. In that case, the output will only contain the information whether the service is enabled or disabled:

    ~]# chkconfig --list rsync
    rsync           off

10.2.3.2. Enabling a Service

To enable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as root:

    chkconfig service_name on

For example, to enable the httpd service in these four runlevels, type:

    ~]# chkconfig httpd on

To enable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6 representing each runlevel in which you want the service to run:

    chkconfig service_name on --level runlevels

For instance, to enable the abrtd service in runlevels 3 and 5, type:

    ~]# chkconfig abrtd on --level 35

The service will be started the next time you enter one of these runlevels. If you need to start the service immediately, use the service command as described in Section 10.3.2, "Starting a Service".

Do not use the --level option when working with a service that is managed by xinetd, as it is not supported. For example, to enable the rsync service, type:

    ~]# chkconfig rsync on

If the xinetd daemon is running, the service is immediately enabled without having to manually restart the daemon.

10.2.3.3. Disabling a Service

To disable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as root:

    chkconfig service_name off

For instance, to disable the httpd service in these four runlevels, type:

    ~]# chkconfig httpd off

To disable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6 representing each runlevel in which you do not want the service to run:

    chkconfig service_name off --level runlevels

For instance, to disable abrtd in runlevels 2 and 4, type:

    ~]# chkconfig abrtd off --level 24

The service will be stopped the next time you enter one of these runlevels. If you need to stop the service immediately, use the service command as described in Section 10.3.3, "Stopping a Service". Disabling a service with chkconfig does not terminate an instance that is already running, so when you turn off a service you no longer need, stop it as well.

Do not use the --level option when working with a service that is managed by xinetd, as it is not supported. For example, to disable the rsync service, type:

    ~]# chkconfig rsync off

If the xinetd daemon is running, the service is immediately disabled without having to manually restart the daemon.

10.3. Running Services

The service utility allows you to start, stop, or restart the services from the /etc/init.d/ directory.

10.3.1. Determining the Service Status

To determine the current status of a service, type the following at a shell prompt:

    service service_name status
For example, to determine the status of the httpd service, type:

    ~]# service httpd status
    httpd (pid 7474) is running...

To display the status of all available services at once, run the service command with the --status-all option:

    ~]# service --status-all
    abrt (pid 1492) is running...
    acpid (pid 1305) is running...
    atd (pid 1540) is running...
    auditd (pid 1103) is running...
    automount (pid 1315) is running...
    Avahi daemon is running
    cpuspeed is stopped
    ... several lines omitted ...
    wpa_supplicant (pid 1227) is running...

10.3.2. Starting a Service

To start a service, type the following at a shell prompt as root:

    service service_name start

For example, to start the httpd service, type:

    ~]# service httpd start
    Starting httpd:                                            [  OK  ]

10.3.3. Stopping a Service

To stop a running service, type the following at a shell prompt as root:

    service service_name stop

For example, to stop the httpd service, type:

    ~]# service httpd stop
    Stopping httpd:                                            [  OK  ]

10.3.4. Restarting a Service

To restart a service, type the following at a shell prompt as root:

    service service_name restart

For example, to restart the httpd service, type:

    ~]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

10.4. Additional Resources

10.4.1. Installed Documentation

- chkconfig(8) - a manual page for the chkconfig utility.
- ntsysv(8) - a manual page for the ntsysv utility.
- service(8) - a manual page for the service utility.
- system-config-services(8) - a manual page for the system-config-services utility.
- Red Hat Enterprise Linux 6 Security Guide
A guide to securing Red Hat Enterprise Linux 6. It contains valuable information on how to set up the firewall, as well as the configuration of SELinux.
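The script below is an added example and is not code from the Deployment Guide or from Red Hat. It ties together three formats this chapter describes, the id:N:initdefault: line of /etc/inittab from Section 10.1, the chkconfig --list output from Section 10.2.3.1 and the service --status-all output from Section 10.3.1, to answer the question the chapter opens with: which services will actually start at boot, are they all wanted, and is anything running that init did not start? The three inputs are constructed samples embedded in the script rather than captured from a host, the ALLOWLIST of expected services is an assumption, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Deployment Guide: audit what a RHEL 6 host
# starts in its default runlevel and compare that with what is running now.
# Inputs are the three formats this chapter describes: the id:N:initdefault:
# line of /etc/inittab, the output of `chkconfig --list` and the output of
# `service --status-all`. The samples below are constructed, not captured.

SAMPLE_INITTAB='# /etc/inittab excerpt (constructed)
id:3:initdefault:'

SAMPLE_CHKCONFIG='NetworkManager 0:off 1:off 2:on  3:on  4:on  5:on  6:off
abrtd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
auditd         0:off 1:off 2:on  3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd         0:off 1:off 2:off 3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  on
        telnet: off'

SAMPLE_STATUS='auditd (pid 1103) is running...
httpd (pid 7474) is running...
sshd (pid 1200) is running...
abrtd is stopped
xinetd (pid 1250) is running...'

# Services this hypothetical host is expected to start at boot (assumption).
ALLOWLIST='NetworkManager auditd rsync sshd xinetd'

# Print the default runlevel from inittab text ($1). Fails when the line is
# missing or set to 0 or 6: init would halt or reboot the box as soon as it
# read the file, so such a value must never be written.
default_runlevel() {
    _rl=$(printf '%s\n' "$1" | sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' | head -n 1)
    case "$_rl" in
        0|6|'') return 1 ;;
    esac
    printf '%s\n' "$_rl"
}

# Print, one per line, the services that `chkconfig --list` text ($1) marks
# "on" for runlevel $2. xinetd-managed services are listed only when xinetd
# itself starts in that runlevel, since they are spawned by it on demand.
enabled_in_runlevel() {
    printf '%s\n' "$1" | awk -v lvl="$2" '
        /^xinetd based services:/ { insect = 1; next }
        !insect && $0 ~ ("[ \t]" lvl ":on") { print $1; if ($1 == "xinetd") xon = 1 }
        insect && $2 == "on" { sub(/:$/, "", $1); x[n++] = $1 }
        END { if (xon) for (i = 0; i < n; i++) print x[i] }
    ' | LC_ALL=C sort
}

# Print the service names that `service --status-all` text ($1) reports as
# running. Only the standard "name (pid N) is running..." line is parsed;
# init scripts may print free-form text, which is deliberately ignored.
running_services() {
    printf '%s\n' "$1" | awk '/^[^ ]+ \(pid [0-9 ]+\) is running/ { print $1 }' | LC_ALL=C sort
}

# Services that chkconfig text $1 starts in runlevel $2 but that are not in
# the space-separated allowlist $3: candidates for `chkconfig NAME off`.
unexpected_boot_services() {
    for _svc in $(enabled_in_runlevel "$1" "$2"); do
        case " $3 " in
            *" $_svc "*) ;;
            *) printf '%s\n' "$_svc" ;;
        esac
    done
}

# Services running now (status text $1) that chkconfig text $2 does not
# start in runlevel $3: something other than init started them, so each
# one deserves an explanation.
running_not_enabled() {
    _enabled=" $(enabled_in_runlevel "$2" "$3" | tr '\n' ' ') "
    for _svc in $(running_services "$1"); do
        case "$_enabled" in
            *" $_svc "*) ;;
            *) printf '%s\n' "$_svc" ;;
        esac
    done
}

if _default=$(default_runlevel "$SAMPLE_INITTAB"); then
    echo "default runlevel: $_default"
    echo "enabled at boot but not allowlisted (consider chkconfig NAME off):"
    unexpected_boot_services "$SAMPLE_CHKCONFIG" "$_default" "$ALLOWLIST"
    echo "running now but not enabled in runlevel $_default:"
    running_not_enabled "$SAMPLE_STATUS" "$SAMPLE_CHKCONFIG" "$_default"
else
    echo "initdefault is missing or set to 0/6; fix /etc/inittab first" >&2
fi
```

On the sample data the report flags abrtd and avahi-daemon as enabled in runlevel 3 without being on the allowlist, and httpd as running even though chkconfig does not start it in any runlevel. On a real host, replace the samples with live data (for example SAMPLE_CHKCONFIG=$(chkconfig --list) and SAMPLE_STATUS=$(service --status-all 2>&1), run as root so that status checks are not refused) and follow up each finding with the commands from this chapter: chkconfig NAME off changes only the next boot, so a running instance also needs service NAME stop, and anything you decide to keep enabled still needs the firewall and SELinux policy mentioned at the start of the chapter.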