topic Re: Forbidden processes found in Operating System - Linux

Forbidden processes found

Leonilo — Thu, 29 Oct 2009 23:15:42 GMT

A security report shows a bunch of vulnerabilities titled as "forbidden process found". When trying to evaluate the impact of remediating or correcting these vulnerabilites, I need to understand what do these services/commands/processes do. So I need a brief description of them. The processes found by the security report are:
chargen (Inetd)
daytime (Inetd)
discard (Inetd)
dtrc (Process)
dtspc (Inetd)
echo (Inetd)
exec (Inetd)
ident (Inetd)
instl_boots(Inetd)
klogin (Inetd)
kshell (Inetd)
ntalk (Inetd)
printer (Inetd)
recserv (Inetd)
rpc.statd (Process)
tftp (Inetd)
time (Inetd)

Note that some of them are listed as Inetd and some of them as Process, why is this?
Thank you.

Re: Forbidden processes found

Ivan Krastev — Fri, 30 Oct 2009 01:08:58 GMT

Some of the processes were started from the init scripts - they are listed as a PROCESS.
The other ones (started from inetd) are marked as inetd.

For every process/service search google,wikipedia ...

Here is example - http://en.wikipedia.org/wiki/DAYTIME

regards,
ivan

Re: Forbidden processes found

Matti_Kurkela — Fri, 30 Oct 2009 09:18:32 GMT

"Forbidden processes found" is a misleading title, as these refer mostly to network services, not necessarily processes.

"(Process)" in the listing means that the respective service is running as an independent daemon process. In HP-UX, this usually means you can stop the service from starting by editing the appropriate file in /etc/rc.config.d/ directory.

Rpc.statd is one of the NFS common services. If your server neither exports nor mounts NFS filesystems, you can set NFS_CLIENT and NFS_SERVER to 0 in /etc/rc.config.d/nfsconf and then rpc.statd won't be started at system boot any more. Note that you must have NFS_CLIENT set to 1 if you wish to make network-based Ignite backups (make_net_recovery).

"(Inetd)" means this is a network service that is started on-demand by inetd. If no-one is using the service, you won't find it in the system's process list. The inetd process handles the actual network connection: the service proces gets the incoming data piped to it from inetd and the outgoing data is handled the same way.

Some of the services marked "(Inetd)" are implemented internally by the inetd process: these are chargen, daytime, discard, echo and time. All of these are very simple services.

Daytime and time just send the current system time back to whoever connects them and then close the connection. Daytime sends the time value in human-readable format; time uses machine-friendly format. These might be used for time synchronization by very simple network devices, but even the simplest modern managed switches have plenty of processing power to use proper time synchronization protocols like SNTP or NTP.

Chargen, discard and echo are designed as aids for network service debugging.

Chargen sends back an endless stream of characters, which may be useful for testing "what happens to a client software if the server goes insane?"

Discard is a network equivalent of /dev/null: it receives everything and sends back nothing.

Echo just sends back anything sent to it.

Some Denial-of-Service attacks have involved tricking a program to connecting to another server's chargen/echo/discard ports, so the current recommendation is to disable these services if you don't need it.

All the rest of processes marked "(Inetd)" can be identified by finding the service name in the left-most column of /etc/inetd.conf file, then looking towards the end of the line to find the name of the executable and reading the man page of the respective executable ("man ").

MK

Re: Forbidden processes found

Steven E. Protter — Fri, 30 Oct 2009 14:29:19 GMT

Shalom,

Just comment out the services and restart inetd.

tftp is used to start ignite boots, as is instl_boots, they should be kept off except when actually booting an Ignite system.

Just see that none of these servcies are required for production before you shut them down.

The audit is right, they should not be used.

SEP

Re: Forbidden processes found

dirk dierickx — Mon, 02 Nov 2009 08:55:01 GMT

almost all of these will have an extended description in the man pages.

if you want to know exactly what these do, you should read the manpage.

i might be saying rtfm, but there you presented a huge list.

the difference between process and inetd if that inetd processes are started when a network request on a certain port is made. processes are mostly daemons that start at boot and stay running in the background as long as the machine is up.

Re: Forbidden processes found

Leonilo — Mon, 02 Nov 2009 18:09:28 GMT

Ok, and how can I find the man pages?
Thank you!

Re: Forbidden processes found

Steven E. Protter — Mon, 02 Nov 2009 19:32:09 GMT

Shalom,

man ident

man inst_boots

etc.

That will get you a few of them.

SEP

Re: Forbidden processes found

Leonilo — Wed, 04 Nov 2009 17:59:05 GMT

I've got info for most of the services listed above.
Can you help me getting a brief description of these 3 remaining ones:

dtrc (Process)
instl_boots(Inetd)
printer (Inetd)

Thank you!
Leonilo

Re: Forbidden processes found

F Verschuren — Sun, 08 Nov 2009 09:40:00 GMT

dtrc (Process)
I do not know (ask google

instl_boots(Inetd)
check:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1347323
it is used for the lan boot.

printer (Inetd)
this proces must be enabled if other servers are using this server as remote print server