[Gb-ccb] More services turned off successfully on the CCB computer
Martin Shepherd
mcs at astro.caltech.edu
Thu Oct 13 18:28:01 EDT 2005
I have now turned off a few more services, to speed up the CCB boot
procedure and potentially improve the security of the CCB. The
services that are now turned off, that were originally turned on by
the Fedora stock installation procedure, are the following:
bluetooth cups gpm sendmail isdn kudzu mdmonitor netfs nfslock rhnsd
pcmcia acpid rpcidmapd rpcgssd portmap atd haldaemon autofs
Having done this, the time that elapses between initiating a reboot
and getting a prompt via ssh is 1 minute and 20 seconds.
The remaining services that are still started at boot time are the
following:
anacron apmd auditd cpuspeed crond iptables messagebus network
ntpd sshd syslog
Of these, I think that the only ones that we might possibly be able to
turn off are "cpuspeed" and "messagebus". In particular,
1. anacron is needed for periodic housekeeping tasks, such as trimming
log files, so that they don't fill up the disk.
2. apmd is needed (I believe) to facilitate the "poweroff" command.
3. auditd is needed for security postmortem purposes.
4. cpuspeed reduces the CPU frequency when the load is low, and could
potentially be turned off.
5. crond could be useful at some point, for scheduling periodic jobs at
specific times.
6. I am actively using iptables as a firewall to block everything
except ssh and CCB server requests from GB machines (plus my
machine at Caltech). This is needed because the observatory
firewall allows ssh requests to get through to any machine in the
lab. Thus, if I didn't use iptables to implement a more
restrictive firewall for the CCB, then the CCB would be open to
attack, once the next security hole was discovered in ssh.
7. messagebus may or may not be needed, but I don't know if anything
important uses it.
8. network service is obviously essential.
9. ntpd is used to synchronize the CPU clock.
10. sshd is needed for ssh access.
11. syslog is needed for logging things like device-driver messages.
I don't think that it is worth spending any more time trying to figure out
if any of the above remaining services could be turned off.
Martin
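Two checks a practitioner would want alongside the procedure above, written as an added shell example that is not part of Martin's post or the CCB software: a parser that lists which services `chkconfig --list` still reports as "on" in a given runlevel (so the audit can be repeated after each change), and a generator for the kind of default-deny iptables rule set the message describes, allowing only ssh and the CCB server port from named source networks. The CCB port (5000), the address ranges (RFC 5737 documentation prefixes) and the sample `chkconfig` output are constructed placeholders, not values from the post; the generator only prints the commands, so it can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Added example; not code from the gb-ccb list or the CCB project.

# --- Part 1: audit which services are still enabled in a runlevel ---------

# Constructed sample in the format of `chkconfig --list` on Fedora.
CHKCONFIG_SAMPLE='bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Read chkconfig --list output on stdin; print the names of services that
# are "on" in runlevel $1, one per line.  On a real host:
#   chkconfig --list | services_on_at_runlevel 3
services_on_at_runlevel() {
    awk -v rl="$1" '
        { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print $1 }'
}

# Convenience wrapper over the constructed sample.
sample_services_on_at_runlevel() {
    printf '%s\n' "$CHKCONFIG_SAMPLE" | services_on_at_runlevel "$1"
}

# --- Part 2: generate a default-deny host firewall -------------------------

CCB_PORT="${CCB_PORT:-5000}"   # placeholder: the CCB server's TCP port
# Placeholders: the GB machines' network and one external admin host.
TRUSTED_NETS="${TRUSTED_NETS:-192.0.2.0/24 198.51.100.7/32}"

# Print (do not run) the iptables commands.  Review, then: gen_firewall_rules | sh
gen_firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"      # default deny for inbound traffic
    echo "iptables -P FORWARD DROP"    # this host does not route
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the CCB itself opened (ntp, etc.).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $TRUSTED_NETS; do
        echo "iptables -A INPUT -p tcp -s $net --dport 22 --syn -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $net --dport $CCB_PORT --syn -j ACCEPT"
    done
    # Log what the policy drops so scans show up in syslog.
    echo "iptables -A INPUT -j LOG --log-prefix 'ccb-fw-drop: ' --log-level 4"
}

# Number of generated commands (6 fixed + 2 per trusted network + 1 LOG).
rule_count() {
    gen_firewall_rules | wc -l | tr -d ' '
}
```

Because the firewall is the only thing standing between the lab-wide ssh allowance and the CCB, keeping the rule set as a reviewable script rather than a set of hand-typed commands makes it easy to diff after a change and to re-apply after the `iptables` service restores state at boot.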