In this lesson, I will discuss Linux services. Linux services are usually started at boot to run some kind of process on the system. Removing software or services that are not used decreases the attack surface of the system. As with any operating system installation, the system comes with general packages that may or may not be used. One example of this is Bluetooth. Do you necessarily need Bluetooth on a server? I've never seen Bluetooth used on a server, so that is definitely one that we can disable. Let's look at Linux services. This is my CentOS system. This is going to be different from Ubuntu and from some of the other distributions; however, in enterprises we tend to use CentOS, as I mentioned in previous lessons. In order to see what services we have in startup, we type in chkconfig. We have netconsole, network, and splunk. The columns are the runlevels, zero through six. You'll notice that zero and one are off, and for network only runlevels two through five are turned on. Now, I added splunk just to show you what it would look like if that service were running on the server, but I've since turned it off. I can turn it back on real quick by typing chkconfig splunk on. OK, and let's look at that first command again: I just type in "chkconfig". Notice that the runlevels for splunk are now turned on from two to five. Let's turn that off again with chkconfig splunk off. I can do this with other services as well. However, not many services come with chkconfig turned on. In order to see what else is running on the system under the system account, we type in systemctl. Systemctl shows us what services are currently loaded and running in the kernel, so things like kernel processes. Here's one for printing down below.
CUPS is a standard printing service that we may want to disable. Let's look at other things. Bluetooth, for example: we don't need Bluetooth. Quite a few of these are services that need to be disabled to make sure that we decrease the attack surface of the system. So in order to do that, we're going to disable a couple of services here. Notice that there are 152 processes running. I'm going to type in systemctl status and look at Bluetooth. Here's our Bluetooth; it looks like it's active. If we type in systemctl status followed by the service name, we get a lot more information about what's running in the kernel. So let's turn this off: systemctl bluetooth. Oops. Let's type in systemctl disable bluetooth. Now let's look to see if it's running by typing in status again. It's disabled, but it's still running, so we would have to kill that process. What I did there is I typed in pkill bluetooth, which means process kill, followed by the process name, which is bluetooth. Now notice that it's inactive; it's dead. So I've just turned off Bluetooth, which is probably a good thing for my attack surface. OK, let's briefly look at a couple more here, and we'll type in "systemctl" again. As we go through here, it looks like our splunk service failed, which is fine because I turned that off. But we can see what's active and running and what's inactive. Now, on some servers, especially this server, the server is running a GUI so that I can show you what the command line looks like and some of the other processes very easily. Typically, on an enterprise server, you're not going to have a GUI. Again, it's just another way to increase the attack surface, and it also increases the amount of memory used. We need to disable that. The GUI in Linux is called the X server, so we may want to remove the X Window System from our server. We would type in yum groupremove and then, in quotes, X Window System. That will just disable that.
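To make the review of boot-enabled and currently active services repeatable, here is an added example (not part of the lecture) that picks the relevant lines out of the text chkconfig and systemctl print. The two sample outputs and the list of unneeded units (bluetooth, cups) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pick out boot-enabled and currently active services from the
# text that `chkconfig --list` and `systemctl list-units --type=service` print,
# so the unneeded ones (Bluetooth, CUPS) can be reviewed before disabling.
# The sample outputs below are constructed, not captured from the lecture's host.

# enabled_at_boot: read chkconfig-style lines on stdin and print each service
# that is "on" in any multi-user runlevel (2 through 5).
enabled_at_boot() {
    awk '{
        for (i = 2; i <= NF; i++) {
            split($i, lv, ":")
            if (lv[1] + 0 >= 2 && lv[1] + 0 <= 5 && lv[2] == "on") { print $1; break }
        }
    }'
}

# active_unneeded DENY: read systemctl list-units style lines on stdin and print
# the loaded, active units whose names appear in DENY (space-separated names).
active_unneeded() {
    awk -v deny="$1" '
        BEGIN { n = split(deny, a, " "); for (i = 1; i <= n; i++) d[a[i]] = 1 }
        $2 == "loaded" && $3 == "active" && ($1 in d) { print $1 }'
}

sample_chkconfig() {                     # constructed chkconfig --list output
    cat <<'EOF'
netconsole  0:off 1:off 2:off 3:off 4:off 5:off 6:off
network     0:off 1:off 2:on  3:on  4:on  5:on  6:off
splunk      0:off 1:off 2:on  3:on  4:on  5:on  6:off
EOF
}

sample_units() {                         # constructed systemctl list-units output
    cat <<'EOF'
UNIT               LOAD   ACTIVE   SUB     DESCRIPTION
bluetooth.service  loaded active   running Bluetooth service
cups.service       loaded active   running CUPS Printing Service
splunk.service     loaded failed   failed  Splunk
sshd.service       loaded active   running OpenSSH server daemon
EOF
}

demo_boot_services() { sample_chkconfig | enabled_at_boot; }
demo_active_unneeded() { sample_units | active_unneeded "bluetooth.service cups.service"; }

# On a real host, stop and disable each reported unit in one step rather than
# disabling it and then killing the process: systemctl disable --now bluetooth.service
demo_boot_services
demo_active_unneeded
```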
Other things we should disable are things we're not going to use, such as IPv6. If you don't use IPv6, you should definitely turn that off. The reason is that it is, again, another attack surface, and a big one if you're not using it. One of the other functions we're going to look at, one of the other commands, is finding permissions that may be turned on. Some processes need to run with elevated privileges. Think about how you change your password, so passwd for example. I'm root here, but technically that's a root-only process. So in order for a normal user to run passwd or some of the other functions we'll see in a second, we need to turn on what we call sticky bits, which allow the process to run as the system account, or root. What I'm going to do is look for those processes that have sticky bits turned on for either the process running as root or the group root. To do that, I type in "find" and where to find it, a forward slash, then the permissions in parentheses, -perm -4000 -o -perm -2000, and then print the result: find / \( -perm -4000 -o -perm -2000 \) -print. As you can see, all of these commands have the sticky bits turned on: su, passwd, gpasswd, sudo, processes that you run all the time. The reason we have the sticky bit turned on is so that we can run them as root while being a normal user. So you should consider disabling some of those. In order to remove the sticky bits, we type in chmod -s followed by the filename. If we wanted to disable locate, for example (which we're not going to do, but let's say we wanted to), we would just type in chmod -s /usr/sbin/locate. There are other processes that you may want to consider disabling as well, ones that are known to be safe to disable. I'll post those as part of your reading for this week.
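The following added example (not code from the lecture) turns the find and chmod -s steps above into a small audit: it lists the files the lecture's find expression matches, compares them with an allowlist of binaries expected to carry the bit, and strips the bit from the rest. The permission values the lecture searches for, 4000 and 2000, are the setuid and setgid bits. The directory tree, the file names and the allowlist are constructed for the demonstration; the allowlist is illustrative, not a recommendation for any particular distribution.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files with the lecture's find expression,
# report the ones that are not on an allowlist, and remove the bit from those.
# Everything under the temp directory is constructed; no real system file is touched.

# find_suid_sgid ROOT: files under ROOT with the setuid (4000) or setgid (2000) bit set
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# unexpected_suid ROOT ALLOWLIST: findings whose basename is not listed in ALLOWLIST
unexpected_suid() {
    find_suid_sgid "$1" | while IFS= read -r path; do
        if ! grep -qxF "$(basename "$path")" "$2"; then
            printf '%s\n' "$path"
        fi
    done
}

# strip_special_bits ROOT ALLOWLIST: clear setuid/setgid on every unexpected finding
# (u-s,g-s is the portable spelling of the lecture's chmod -s)
strip_special_bits() {
    unexpected_suid "$1" "$2" | while IFS= read -r path; do
        chmod u-s,g-s "$path"
    done
}

# demo_audit: build a constructed tree and return the number of unexpected
# files before and after stripping, as "before after"
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    for name in passwd su sudo; do               # expected setuid binaries
        printf '#!/bin/sh\n' > "$root/usr/bin/$name"
        chmod 4755 "$root/usr/bin/$name"
    done
    printf '#!/bin/sh\n' > "$root/usr/sbin/legacyd"
    chmod 4755 "$root/usr/sbin/legacyd"          # constructed: setuid, not on the allowlist
    printf '#!/bin/sh\n' > "$root/usr/bin/plain"
    chmod 0755 "$root/usr/bin/plain"             # no special bit, must not be reported
    printf 'passwd\nsu\nsudo\n' > "$root/allow.txt"
    before=$(unexpected_suid "$root" "$root/allow.txt" | wc -l | tr -d ' ')
    strip_special_bits "$root" "$root/allow.txt"
    after=$(unexpected_suid "$root" "$root/allow.txt" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$before $after"
}

demo_audit
```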
In conclusion, services are a big part of any operating system. However, they increase the attack surface, so consider disabling those services that don't need to be running, such as Bluetooth or, if this is a server, your GUI.