Step 3: Determine Services Dependencies

Sometimes a particular service requires one or more other daemons to be running (a daemon is a process that runs without an associated console). For instance, the samb a service needs these three daemons to be running: smbd , nmbd , and winbindd . This can pose a problem when some daemons are not running or not configured. In their effort to make a server as functional as possible, most distributions are likely to have all possible services running and operational out of the box. After the initial operating system installation, you need to shut down some of the unnecessary services. A properly hardened server runs only the necessary services. The rationale is that any bit of code may have vulnerabilities; if the service is not running, no one can take advantage of it. The question is, how do you know which services are necessary? A difficult way to determine this might be to turn off each service one at a time, and then check to see if everything you need is still working. This approach is both tedious and impractical . Tables 2-2 and 2-3 list the default services that are running and guidelines for determining which ones you might not need.

However, many other services exist, and there are many interdependencies between services, and between services and other components . Simple trial and error will not be the most productive approach. The best way to configure services is to learn which services are necessary and turn off the rest. The definition of what services are necessary, as you have seen, may vary from server to server.

Once you have determined that a specific service is necessary, you may be able to determine if another service is also required by seeing if it is required by the ones that you know are necessary. This is the process of checking to see if a service has prerequisites or dependencies. To find the dependencies, check the man page with the man command. Type man servicename , such as man sendmail . The man page will list any requirements a service has. If you are not sure what man page to look at, try using man s keyword capability, as follows :

 man -k  keyword

For example, the command

 man k sendmail

would show you all the man pages that contain information pertaining to sendmail.

You should also refer to the See Also section at the end of the man page and investigate these other sources of service information.

Tip	Under SLES8, the Runlevel Editor program that is described in the next section will warn you if you attempt to turn on a service but neglect to start services it depends on.

Tables 2-5 and 2-6 list common Linux services and their dependencies. The services are listed down the first column, and the services they require are listed across the top.

Table 2-5: Services and Dependencies Part 1
Service	>Required Services
	network	syslog	route	quota	zebra	nmb	ypserv	inetd
acct	Yes	Yes
adsl	Yes	Yes
apache	Yes
Arpwatch	Yes	Yes
Atalk	Yes
Autofs	Yes	Yes
Bgpd	Yes				Yes
cipe	Yes
cron	Yes	Yes
Cups	Yes	Yes
Dhcpd	Yes
dhcrelay	Yes
Evlog	Yes
fam	Yes	Yes
gpm	Yes	Yes
Heartbeat	Yes	Yes
hotplug	Yes	Yes
Httpd	Yes
Inetd	Yes	Yes
innd	Yes
ippl	Yes
Ipsec	Yes	Yes						Yes
ipvsadm	Yes
Ipxmount	Yes	Yes
Ipxrip	Yes	Yes
ircd	Yes	Yes						Yes
Irqbalance
Iscsi	Yes	Yes
kdc	Yes
ksysguardd	Yes
lisa	Yes	Yes
mailman	Yes	Yes
mon	Yes	Yes
Mrtd	Yes
Mysql	Yes
Nagios	Yes	Yes
Named	Yes	Yes
Nessusd	Yes
nfs	Yes	Yes
nfslock	Yes	Yes
Nfsserver	Yes	Yes
nmd	Yes	Yes
ntop	Yes
new	Yes	Yes
ospf6d	Yes				Yes
Ospfd	Yes				Yes
Pcscd	Yes	Yes
Pkcipe	Yes
portmap	Yes	Yes
Postfix	Yes	Yes
postgres	Yes
Powertweakd	Yess	Yes
pptd	Yes		Yes
Quota	Yes	Yes
Quotad	Yes	Yes		Yes
radiusd	Yes	Yes
Radvd	Yes	Yes
ripd	Yes				Yes
Ripngd	Yes				Yes
Rpasswdd	Yes	Yes
Rstatd	Yes
Rsyncd	Yes	Yes
rusersd	Yes
Rwhod	Yes
Scanlogd	Yes	Yes
Sendmail	Yes
smb	Yes	Yes				Yes
Smbfs	Yes	Yes				Yes
smpppd	Yes	Yes
Snmpd	Yes
Snmptrapd	Yes
Snort	Yes
Squid	Yes
Syslog	Yes
vtun	Yes	Yes
Winbindd	Yes	Yes				Yes
Wwwoffle	Yes	Yes
xfs	Yes
Xinetd	Yes
Xnlpd	Yes	Yes
Ypbind	Yes	Yes
yppasswdd	Yes	Yes					Yes
ypserv	Yes	Yes
Ypxfrd	Yes	Yes					Yes
Zebra	Yes

Table 2-6: Services and Dependencies Part 2
Service	Required Services
	ldap	portmap	sshd	hotplug	alsasound	cron	nfslock	cipe	z90crypt
slurpd	Yes		Yes
Ipsec		Yes
nsf		Yes
nsflock		Yes
nfsserver		Yes					Yes
quota		Yes
quotad		Yes
ypbind		Yes
yppasswdd		Yes
ypserv		Yes
ypxfrd		Yes
ircd			Yes
Cups				Yes
Joystick					Yes
mailman
Pkcipe								Yes
Pkcsslotd									Yes

Finding service dependencies is not difficult in Linux distributions that are compliant with the Linux Standard Base (LSB) version 1.3. Both Red Hat Enterprise Linux AS 3.0 and SLES8 are LSB 1.3 compliant. LSB requires that the headers in the scripts that start and stop services contain a field showing exactly what each service is dependant upon. For instance, the script that starts the ypserver /etc/rc.d/ypserv contains a line like Required-Start: portmap . This means that the ypserver requires the portmap service in order to run correctly. When portmap is started by the init script and the start argument, the information specified in the portmap script s Provides header is considered present. This fulfills the ypserver s requirement, and ypserver is then eligible to run. The converse is also true, if the init script is run with the stop argument, the facilities described in the Provides header are considered no longer present. For these reasons it is important that startup scripts contain all the correct header information. Do not delete or alter header information from the scripts without a good reason, especially in the section that is delimited by the following lines:

 ### BEGIN INIT INFO ### END INIT INFO

If you are interested in the rest of the fields in the script header, you are encouraged to check out the LSB specification at http://www.linuxbase.org. This is also a way to get exposed to the other useful information contained in the headers of the init scripts.