ITBPM S 5.72 Deactivation of unnecessary network services

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

To disable network services that are not actually required on a Unix system, the procedure described below should be followed.

Under Unix there are two ways of starting network services: via the Internet super-server inetd, which is configured in the file /etc/inetd.conf, and via the start-up scripts held in /etc/rc.d/init.d or /etc/init.d. A service offered through inetd is disabled by commenting out the relevant line in /etc/inetd.conf with a # at the start of the line. inetd reads this file only when it starts, so after the edit it must be sent a SIGHUP (kill -HUP with the process ID of inetd) for the change to take effect. With a standard installation, more services are generally configured than are actually necessary, and among them there are often services which constitute a risk. Therefore as few services as possible should be enabled, i.e. only those which are really necessary on the system concerned (see also S 4.95 Minimal operating system and S 4.97 One service per server).

The services started by the start-up scripts are referenced via links from the subdirectories /etc/rcX.d or /etc/rc.d/rcX.d, where X stands for the Unix run level in which the script is called. Links whose names begin with S start the service on entering that run level; links beginning with K stop it. To deactivate a service that is not required, its S link is moved to a subdirectory from which it can be moved back if the service is needed again later; moving the link rather than deleting it keeps the change reversible. This could be achieved, for example, as follows:

cd /etc/rc3.d; mkdir .s; mv S85sendmail .s/

The same must be done in every run-level directory that contains a start link for the service. Moving the link only prevents the service from being started at the next boot; an instance that is already running must be stopped separately (for example with the script's stop argument: /etc/init.d/sendmail stop).

The command netstat -a can be used to see which services are currently active (netstat -an suppresses name lookups and shows port numbers; listening TCP sockets appear in state LISTEN). It should be run again after the changes and after a reboot, and every port still open should be traced to the process that owns it and either justified or disabled as well.
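The three steps above (commenting out an inetd.conf entry, moving an rcX.d start link aside, and checking what is still listening) collected into a shell script, as an added example: it is not part of the BSI text and not a BSI tool. The functions operate on whatever inetd.conf file and rcX.d directory they are given; the demonstration at the end builds a constructed miniature copy of /etc in a temporary directory rather than touching the live system, and the service names, link names and run-level numbers in that sandbox are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not the BSI's own script): the S 5.72 procedure as shell
# functions. Run it as root against /etc/inetd.conf and /etc/rc3.d only after
# deciding which services the host really needs; the demo at the bottom works
# on a constructed sandbox copy so the script runs stand-alone.
set -u

# Step 1: comment out every inetd.conf line whose service field (column 1)
# equals NAME. Lines that are already comments stay as they are; the original
# file is kept as CONF.bak. Afterwards inetd must be told to re-read the file:
#   kill -HUP "$(cat /var/run/inetd.pid)"     (or the PID taken from ps)
disable_inetd_service() {
    conf=$1; name=$2
    cp "$conf" "$conf.bak" || return 1
    awk -v svc="$name" '$1 == svc { print "#" $0; next } { print }' \
        "$conf.bak" > "$conf"
}

# Count of still-active (uncommented) entries for NAME in an inetd.conf;
# used to verify step 1.
active_inetd_entries() {
    awk -v svc="$2" '$1 == svc' "$1" | wc -l | tr -d ' '
}

# Step 2: move the S (start) link(s) for NAME out of an rcX.d directory into
# the holding subdirectory ".s" used in the text, so the service is no longer
# started at boot but can be re-enabled with a single mv back. K (stop) links
# are left alone; they are harmless. Returns 1 if no start link matched.
# This does not stop an instance that is already running; use the init
# script's stop argument for that (e.g. /etc/init.d/sendmail stop).
disable_rc_service() {
    rcdir=$1; name=$2
    mkdir -p "$rcdir/.s" || return 1
    moved=0
    for link in "$rcdir"/S[0-9][0-9]*"$name"*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # unmatched glob
        mv "$link" "$rcdir/.s/" && moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# Step 3: show what is still listening. netstat -a is what the text names;
# -n avoids slow name lookups. Falls back to ss(8) where netstat is absent.
list_listeners() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -an | grep -E 'LISTEN|^udp'
    elif command -v ss >/dev/null 2>&1; then
        ss -ltnup
    else
        echo "neither netstat nor ss available" >&2; return 1
    fi
}

# Constructed sandbox: a miniature inetd.conf and rc3.d under a temporary
# directory. Service names and link numbers are assumptions for illustration.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    cat > "$sb/inetd.conf" <<'EOF'
# constructed sample inetd.conf, not taken from any real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    mkdir -p "$sb/init.d" "$sb/rc3.d"
    : > "$sb/init.d/sendmail"; : > "$sb/init.d/sshd"
    ln -s ../init.d/sendmail "$sb/rc3.d/S85sendmail"
    ln -s ../init.d/sendmail "$sb/rc3.d/K30sendmail"
    ln -s ../init.d/sshd     "$sb/rc3.d/S20sshd"
    echo "$sb"
}

# Demonstration on the sandbox (on a real host: /etc/inetd.conf, /etc/rc3.d).
demo() {
    sb=$(make_sandbox) || return 1
    disable_inetd_service "$sb/inetd.conf" telnet
    disable_inetd_service "$sb/inetd.conf" finger
    disable_rc_service "$sb/rc3.d" sendmail
    echo "--- inetd.conf after editing:"; cat "$sb/inetd.conf"
    echo "--- rc3.d after moving the start link:"; ls -A "$sb/rc3.d"
    echo "--- parked links:"; ls "$sb/rc3.d/.s"
    rm -rf "$sb"
}
demo
```

The awk match on the first field means a line that is already commented (its first field starts with #) is never touched twice, and the K30sendmail stop link stays in place, which is what one wants: the service is no longer started on entering run level 3, and the link can be restored later with mv from .s. A hidden directory name such as .s is easy for the next administrator to overlook; a visible name like disabled serves the same purpose.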

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000