Tuning a "lean mixture" of services


What services you got??

Unix users often don't even know. We're talking about a) programs that are installed on your machine, whether they run or not, and b) programs that start, always and automatically, as part of the boot process. From a security point of view, it's desirable to minimize both to the fewest programs you actually need. That may mean taking an inventory of those your system has, deciding which ones you don't really need, and getting rid of them (either uninstalling them, or turning them off so they don't run automatically).

Installed services

Users who install linux themselves may allow their distribution's installer program (e.g., Fedora's Anaconda) to choose what programs to install. Most installers offer a "workstation or server" choice. Then the installer, not you, defines and installs the set of programs that it thinks fit the chosen role. Or it may offer you "minimal" or "everything" options. Again, you don't select individual programs.

So what programs actually are installed on your machine? Well, programs land on your machine by one of two routes: from source code which you compile, or as a preconstructed package (tarball vs rpm in Fedora). Packages installed as rpms are centrally recorded in the rpm database when installed, so at any time you can easily check what's been installed. Tarballs are not, so you can't. Find out what rpm-based packages (each contains a "program") have been installed:

rpm  -qa

What are all these programs? Can we figure out which ones we need? Choose any one of them and let rpm tell you what it is. For example:

rpm  -qi  firefox

You could generate this information for all the programs with something like:

for  item  in  $(rpm  -qa); do  rpm  -qi  $item;  echo;  done

This is time-consuming; however, let it run at least until its output starts to appear on the screen. You can stop it with a ctrl-z keystroke (which suspends the job; ctrl-c kills it outright).

If you decide you really don't want one of these programs on your machine, you could remove it:

rpm  -e  mtx

A better strategy than retroactively removing packages you never wanted is not to install them in the first place. Keep this in mind next time you install a linux system that demands security. The security connection is that if an intruder gains full control of your machine he gains control of everything on it. Compilers and editors on the machine will help him build his own programs in place on your machine, usable to subvert it. File transfer clients and servers can help move his files onto your machine, or yours to his machine for leisurely analysis, for example.

Auto-run services

Of greater interest and importance is the number of programs auto-launched at startup, especially those which are network services. Network service programs are designed to interact with outsiders; that's part of their job, and it is also why they are often the entry point of a security attack. Run the ones you need, when you need them. Those you don't actually need shouldn't run, so they shouldn't be started.

How do we know what programs are auto-started on boot? Try:

systemctl  list-unit-files

The ones that say "enabled" start on boot. You could show them in isolation:

systemctl  list-unit-files  |  grep  enabled

and reduce that down to just a list of their names:

systemctl  list-unit-files  |  grep  enabled  |  gawk  '{ print $1 }'

Another tool of use is netstat. It reveals running network programs. A network program is one that runs for the benefit of users across a network, users who are someplace else. What's perhaps worse than a program nobody needs but that runs all the time is one nobody needs but that makes itself available to others nevertheless. A network program is an open door, an engraved invitation. "Use me," it says, "whoever you are." Network programs are great. Run them to do needed work when what they do is what you need done. But don't run them if their intended purpose is unneeded, if they are running only by some default accident, if even you can't explain why they're there. When the water's running all the time, turn it off so a big bill doesn't come due later. This command shows what's running and using tcp:

netstat  -pant

and this one, what's running and using udp:

netstat  -panu
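The two netstat listings above are long and mix in established connections you don't care about. The script below, an added example and not part of the original page, reduces output in the "netstat -pant" / "netstat -panu" format to one line per exposed program (listening tcp sockets and all udp sockets), a list you can set beside the systemctl inventory. The function names and the netstat sample are constructed for the example.

```shell
#!/bin/bash
# Filter netstat -pant / -panu style output (read from stdin) down to
# "proto port program" for every socket that accepts traffic from outside.
# Hypothetical function name; requires awk and sort only.
exposed_programs() {
    awk '
        # netstat prints two header lines ("Active ...", "Proto ..."); skip
        # anything that is not a tcp/udp socket line
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }
        # tcp: only sockets waiting for connections matter (State == LISTEN);
        # udp has no state column, so every udp socket is kept
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        {
            proto = $1; laddr = $4
            prog = $NF                     # last column: "812/sshd" or "-"
            sub(/^[0-9]+\//, "", prog)     # drop the pid, keep the name
            if (prog == "-") prog = "unknown(need root)"
            n = split(laddr, parts, ":")   # port is after the last ":"
            port = parts[n]                # (works for ":::111" too)
            print proto, port, prog
        }' | LC_ALL=C sort -u
}

# Constructed sample in netstat -pant/-panu layout, not from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      930/cupsd
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED 1203/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           745/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -'

# Hypothetical driver: run the constructed sample through the filter.
demo_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_programs
}

demo_exposed
```

On a live machine, replace the sample with `{ netstat -pant; netstat -panu; } | exposed_programs`; programs shown as "unknown(need root)" need the command run as root before netstat will name them.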


From the above systemctl output you saw quite a few services that run upon startup. So many that probably you don't even know what most of them are. If we feed this list back to systemctl it can print out a brief description of what each does. That can be the basis for a user to decide whether he wants to let it continue auto-launching at boot or instead wants to turn that behavior off. Here is a script that assists in identifying and setting to "don't auto-run" services you don't actually need.

#!/bin/bash
# Walk every enabled service unit, show its one-line description from
# "systemctl list-units", and offer to disable it (stop it auto-starting).
# Must run as root for "systemctl disable" to succeed.
clear

# Column 2 of list-unit-files is the unit's state; keep only "enabled" ones.
for item in $(systemctl list-unit-files --type=service | gawk '$2 == "enabled" {print $1}')
do
	# --all so that enabled-but-inactive units are still listed with a description
	echo -n "$item  --  "; systemctl list-units --all | grep -F "$item"
	echo -ne "\nTurn auto-run off? (\"y\" to turn off): "; read -r CHOICE

	if [ "$CHOICE" = "y" ]; then
		if systemctl disable "$item" &> /dev/null; then
			echo "Disabled $item"
			sleep 1
		fi
	fi
	clear
done

Run this. Identify some startup services which, from the description, you think are dispensable or undesirable, and turn them off. For example, a service specific to Hewlett Packard printers or ISDN would be dispensable if you don't have an HP printer or ISDN.