A security report shows a bunch of vulnerabilities titled "forbidden process found". When trying to evaluate the impact of remediating or correcting these vulnerabilities, I need to understand what these services/commands/processes do. So I need a brief description of them. The processes found by the security report are:
chargen (Inetd)
daytime (Inetd)
discard (Inetd)
dtrc (Process)
dtspc (Inetd)
echo (Inetd)
exec (Inetd)
ident (Inetd)
instl_boots (Inetd)
klogin (Inetd)
kshell (Inetd)
ntalk (Inetd)
printer (Inetd)
recserv (Inetd)
rpc.statd (Process)
tftp (Inetd)
time (Inetd)
Note that some of them are listed as Inetd and some of them as Process, why is this?
Thank you.
"Forbidden processes found" is a misleading title, as these refer mostly to network services, not necessarily processes.
"(Process)" in the listing means that the respective service is running as an independent daemon process. In HP-UX, this usually means you can stop the service from starting by editing the appropriate file in /etc/rc.config.d/ directory.
Rpc.statd is one of the NFS common services. If your server neither exports nor mounts NFS filesystems, you can set NFS_CLIENT and NFS_SERVER to 0 in /etc/rc.config.d/nfsconf and then rpc.statd won't be started at system boot any more. Note that you must have NFS_CLIENT set to 1 if you wish to make network-based Ignite backups (make_net_recovery).
"(Inetd)" means this is a network service that is started on-demand by inetd. If no-one is using the service, you won't find it in the system's process list. The inetd process handles the actual network connection: the service process gets the incoming data piped to it from inetd and the outgoing data is handled the same way.
Some of the services marked "(Inetd)" are implemented internally by the inetd process: these are chargen, daytime, discard, echo and time. All of these are very simple services.
Daytime and time just send the current system time back to whoever connects to them and then close the connection. Daytime sends the time value in human-readable format; time uses a machine-friendly format. These might be used for time synchronization by very simple network devices, but even the simplest modern managed switches have plenty of processing power to use proper time synchronization protocols like SNTP or NTP.
Chargen, discard and echo are designed as aids for network service debugging.
Chargen sends back an endless stream of characters, which may be useful for testing "what happens to a client software if the server goes insane?"
Discard is a network equivalent of /dev/null: it receives everything and sends back nothing.
Echo just sends back anything sent to it.
Some Denial-of-Service attacks have involved tricking a program into connecting to another server's chargen/echo/discard ports, so the current recommendation is to disable these services if you don't need them.
All the rest of the processes marked "(Inetd)" can be identified by finding the service name in the left-most column of the /etc/inetd.conf file, then looking towards the end of the line to find the name of the executable and reading the man page of the respective executable ("man <name-of-executable>").
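As an added example (not part of the original answer), a small POSIX shell script that performs the lookup just described against a constructed /etc/inetd.conf excerpt embedded inline: for each service name the scanner reported, it says whether the entry is active, commented out or missing, and names the executable whose man page to read. The file contents and paths are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original post. HP-UX inetd.conf field order:
# service socket-type protocol wait/nowait user server-program [args]
# "internal" in the server-program field means inetd implements the service itself.
INETD_CONF="$(cat <<'EOF'
# constructed sample excerpt, not a real system's file
ftp      stream tcp nowait root /usr/lbin/ftpd      ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd   telnetd
#tftp    dgram  udp wait   root /usr/lbin/tftpd     tftpd
echo     stream tcp nowait root internal
chargen  stream tcp nowait root internal
daytime  stream tcp nowait root internal
printer  stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
ntalk    dgram  udp wait   root /usr/lbin/ntalkd    ntalkd
EOF
)"

# Prints exactly one line for the given service name:
#   "<svc> enabled <server-program>"  active entry (program may be "internal")
#   "<svc> disabled"                  entry present but commented out as "#<svc>"
#   "<svc> absent"                    no entry at all
classify_service() {
    svc="$1"
    printf '%s\n' "$INETD_CONF" | awk -v svc="$svc" '
        $1 == svc         { print svc, "enabled", $6; found = 1; exit }
        $1 == ("#" svc)   { print svc, "disabled";   found = 1; exit }
        END               { if (!found) print svc, "absent" }'
}

# Walk the (Inetd) names from the scanner report; only "enabled" entries
# with a real executable still need a man page lookup, the rest are
# already off or are inetd built-ins covered by the answer above.
for s in chargen daytime discard echo exec ident klogin kshell ntalk printer tftp time; do
    classify_service "$s"
done
```

On a real host replace the embedded sample with `cat /etc/inetd.conf`; a service that is "disabled" here may still appear in the scanner output if the report was taken from a port scan rather than from the file.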
Almost all of these will have an extended description in the man pages.
If you want to know exactly what these do, you should read the manpage.
I might be saying rtfm, but you presented a huge list there.
The difference between process and inetd is that inetd processes are started when a network request on a certain port is made. Processes are mostly daemons that start at boot and stay running in the background as long as the machine is up.