
Forbidden processes found

Leonilo
New Member

Forbidden processes found

A security report shows a bunch of vulnerabilities titled "forbidden process found". When trying to evaluate the impact of remediating or correcting these vulnerabilities, I need to understand what these services/commands/processes do. So I need a brief description of them. The processes found by the security report are:
chargen (Inetd)
daytime (Inetd)
discard (Inetd)
dtrc (Process)
dtspc (Inetd)
echo (Inetd)
exec (Inetd)
ident (Inetd)
instl_boots(Inetd)
klogin (Inetd)
kshell (Inetd)
ntalk (Inetd)
printer (Inetd)
recserv (Inetd)
rpc.statd (Process)
tftp (Inetd)
time (Inetd)

Note that some of them are listed as Inetd and some of them as Process, why is this?
Thank you.
Ivan Krastev
Honored Contributor

Re: Forbidden processes found

Some of the processes were started from the init scripts - they are listed as a PROCESS.
The other ones (started from inetd) are marked as inetd.

For every process/service, search Google, Wikipedia ...

Here is an example - http://en.wikipedia.org/wiki/DAYTIME

regards,
ivan
Matti_Kurkela
Honored Contributor
Solution

Re: Forbidden processes found

"Forbidden processes found" is a misleading title, as these refer mostly to network services, not necessarily processes.

"(Process)" in the listing means that the respective service is running as an independent daemon process. In HP-UX, this usually means you can stop the service from starting by editing the appropriate file in the /etc/rc.config.d/ directory.

Rpc.statd is one of the NFS common services. If your server neither exports nor mounts NFS filesystems, you can set NFS_CLIENT and NFS_SERVER to 0 in /etc/rc.config.d/nfsconf and then rpc.statd won't be started at system boot any more. Note that you must have NFS_CLIENT set to 1 if you wish to make network-based Ignite backups (make_net_recovery).

"(Inetd)" means this is a network service that is started on demand by inetd. If no one is using the service, you won't find it in the system's process list. The inetd process handles the actual network connection: the service process gets the incoming data piped to it from inetd, and the outgoing data is handled the same way.

Some of the services marked "(Inetd)" are implemented internally by the inetd process: these are chargen, daytime, discard, echo and time. All of these are very simple services.

Daytime and time just send the current system time back to whoever connects to them and then close the connection. Daytime sends the time value in human-readable format; time uses a machine-friendly format. These might be used for time synchronization by very simple network devices, but even the simplest modern managed switches have plenty of processing power to use proper time synchronization protocols like SNTP or NTP.

Chargen, discard and echo are designed as aids for network service debugging.

Chargen sends back an endless stream of characters, which may be useful for testing "what happens to the client software if the server goes insane?"

Discard is a network equivalent of /dev/null: it receives everything and sends back nothing.

Echo just sends back anything sent to it.

Some Denial-of-Service attacks have involved tricking a program into connecting to another server's chargen/echo/discard ports, so the current recommendation is to disable these services if you don't need them.

All the rest of the processes marked "(Inetd)" can be identified by finding the service name in the left-most column of the /etc/inetd.conf file, then looking towards the end of the line to find the name of the executable and reading the man page of the respective executable ("man ").

MK
Steven E. Protter
Exalted Contributor

Re: Forbidden processes found

Shalom,

Just comment out the services and restart inetd.

tftp is used to start Ignite boots, as is instl_boots; they should be kept off except when actually booting an Ignite system.

Just see that none of these services are required for production before you shut them down.

The audit is right, they should not be used.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
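Matti's reply says to look up each "(Inetd)" service in the left-most column of /etc/inetd.conf and read off the executable near the end of the line, and Steven's reply says to comment those entries out and restart inetd. The script below is an added example written for this thread, not code from either poster or from HP: it runs those two steps against a constructed sample inetd.conf (the paths in the sample are illustrative, and `active_flagged`, `disable_flagged`, `count_active` and `rc_var` are names chosen here), and also shows how the "(Process)" side, the NFS_CLIENT/NFS_SERVER variables in /etc/rc.config.d/nfsconf, can be read the same way. Point `make_sample_conf` at a copy of the real file to use it on a system.

```shell
#!/bin/sh
# Added example (not from the thread): find which report-flagged inetd
# services are still enabled, and write a hardened copy with them disabled.

# Services the report listed as "(Inetd)".
FLAGGED="chargen daytime discard dtspc echo exec ident instl_boots klogin kshell ntalk printer recserv tftp time"

# Constructed sample in inetd.conf layout; paths are illustrative only:
# service socket-type protocol wait/nowait user server-program args
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample of /etc/inetd.conf (not a real system file)
ftp         stream tcp nowait root /usr/lbin/ftpd             ftpd -l
telnet      stream tcp nowait root /usr/lbin/telnetd          telnetd
#tftp       dgram  udp wait   root /usr/lbin/tftpd            tftpd
daytime     stream tcp nowait root internal
echo        dgram  udp wait   root internal
chargen     stream tcp nowait root internal
printer     stream tcp nowait root /usr/sbin/rlpdaemon        rlpdaemon -i
ident       stream tcp wait   bin  /usr/lbin/identd           identd
instl_boots dgram  udp wait   root /opt/ignite/lbin/instl_bootd instl_bootd
EOF
}

# Print "service executable" for every flagged service whose line is not
# commented out. Field 6 is the server program; "internal" means the
# service is implemented inside inetd itself (chargen, daytime, echo ...).
active_flagged() {
    for svc in $FLAGGED; do
        awk -v s="$svc" '$1 == s { print $1, $6 }' "$1"
    done
}

# Number of flagged services still enabled in the given file.
count_active() {
    active_flagged "$1" | awk 'END { print NR }'
}

# Write a copy of $1 to $2 with every flagged, still-active line commented
# out. Lines already starting with '#' have a first field like "#tftp",
# so they never match and are left untouched.
disable_flagged() {
    awk -v list="$FLAGGED" '
        BEGIN { n = split(list, f, " "); for (i = 1; i <= n; i++) flagged[f[i]] = 1 }
        ($1 in flagged) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# "(Process)" services are controlled by rc.config.d variables instead.
# Constructed sample of the NFS variables Matti mentions.
make_sample_nfsconf() {
    cat > "$1" <<'EOF'
# Constructed sample of /etc/rc.config.d/nfsconf (not a real system file)
NFS_CLIENT=1
NFS_SERVER=1
EOF
}

# rc_var FILE NAME -> value of the last NAME=value line in FILE.
rc_var() {
    awk -F= -v n="$2" '$1 == n { v = $2 } END { print v }' "$1"
}

# Demo run against the constructed samples.
DEMO=${TMPDIR:-/tmp}/inetd.conf.demo.$$
make_sample_conf "$DEMO"
echo "Flagged services still enabled in the sample:"
active_flagged "$DEMO"
disable_flagged "$DEMO" "$DEMO.hardened"
echo "After hardening, flagged services still enabled: $(count_active "$DEMO.hardened")"
make_sample_nfsconf "$DEMO.nfsconf"
echo "NFS_SERVER in sample nfsconf: $(rc_var "$DEMO.nfsconf" NFS_SERVER)"
rm -f "$DEMO" "$DEMO.hardened" "$DEMO.nfsconf"
```

On the sample, `active_flagged` reports six enabled entries (tftp is already commented out) and the hardened copy reports none while ftp and telnet are left alone, which matches Steven's point that only the audited services should be touched. After editing the real file, the running inetd has to be told to re-read it (Steven says restart it; on HP-UX `inetd -c` reconfigures the running daemon); setting NFS_SERVER and NFS_CLIENT to 0 is the equivalent step for rpc.statd, with Matti's caveat about network Ignite backups needing NFS_CLIENT=1.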
dirk dierickx
Honored Contributor

Re: Forbidden processes found

Almost all of these will have an extended description in the man pages.

If you want to know exactly what these do, you should read the manpage.

I might be saying RTFM, but you presented a huge list there.

The difference between process and inetd is that inetd processes are started when a network request on a certain port is made. Processes are mostly daemons that start at boot and stay running in the background as long as the machine is up.
Leonilo
New Member

Re: Forbidden processes found

Ok, and how can I find the man pages?
Thank you!
Steven E. Protter
Exalted Contributor

Re: Forbidden processes found

Shalom,

man ident

man instl_boots

etc.

That will get you a few of them.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Leonilo
New Member

Re: Forbidden processes found

I've got info for most of the services listed above.
Can you help me get a brief description of these 3 remaining ones:

dtrc (Process)
instl_boots(Inetd)
printer (Inetd)

Thank you!
Leonilo
F Verschuren
Esteemed Contributor

Re: Forbidden processes found

dtrc (Process)
I do not know (ask Google).

instl_boots(Inetd)
Check:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1347323
It is used for the LAN boot.

printer (Inetd)
This process must be enabled if other servers are using this server as a remote print server.