
Linux Startup Processes - USALearning

Table of Contents

Init Run Levels -1
Init Run Levels -2
Init Run Levels -3
Security in inittab
Version Specific Startup – RedHat -1
Version Specific Startup – RedHat -2
Version Specific Startup – RedHat -3
Version Specific Startup – Ubuntu
Securing Run Level Processes -1
Securing Run Level Processes -2
Securing Run Level Processes -3
Reboot and Shutdown Properly
Initiating a Reboot or Shutdown
Halt and Shutdown
Notices


Init Run Levels -1


Has a PID of 1

Parent to all other user processes and most all system processes

Has at least 7 run levels broken up into groups of services

Run Levels
0 Halt
1 Single User Mode
2 Multiuser, some networking
3 Multiuser, networking
4 Typically unused
5 X11 G
6 Reboot

**025 So the very first process is init; has a Process ID of 1. It's the parent to all the other processes. So init runs and then it spawns all the other processes. I'll show you an example of Process IDs on the next slide. So these are the run levels I was referring to earlier. So 5 is full networking support. It's X11 or your GUI-- it's missing the 'UI' on the 'G'. Zero is halt; which will just sync the file system and shut down. It won't process any shutdown scripts it'll just--

A 1 is your single user mode. So if we type 'single'- if we type that single command through the Grub, it will get us to single user mode. That means we're at run level 1. So whatever's in rc1.d is what will be run. Two is multiuser, with some networking. And multiuser with networking-- 2 and 3 are kind of similar. Four: Typically unused. Five is X11. And 6 is reboot. So the most common ones you'll see are 1 for your single user mode, or safe mode, and 5 for your X11; or if you just-- if you were just running in a complete command prompt environment, maybe a strictly command line server that's not going to have a GUI installed, like a web server, you would probably be in run level 3. And then 6 is what happens when you do a shutdown -r. Reboot from the GUI, it's going to do run level 6. Oh that was a blackout.

Student: When you go between run levels-- so if I'm moving from run level 5 to run level-- you know, if I'm going to single user mode, it doesn't process each- each of the run levels directory going backwards.

Jeff Arsenault: No.

Student: The shutdown services that are the--

Jeff Arsenault: No.

Student: Between the two.

Jeff Arsenault: So changing run levels while you're- changing from run level 5 to like run level 1 while you're on the system is not a good idea.

Student: But, I mean, switching between run-- so it's not like a build of the scripts and--

Jeff Arsenault: Oh correct, correct, correct, right. So when you- when you boot up into run level 5, it only looks at what's in rc5. It doesn't run 0 through 4.

Student: Right.

Jeff Arsenault: It only looks at that particular directory.

Student: And then when it goes to shutdown.

Jeff Arsenault: It looks in that same directory.

Student: It doesn't reverse.

Jeff Arsenault: Correct.

Student: Right.

Jeff Arsenault: Good clarification. Thank you. Yes so it only looks strictly in the specific directory for that run level. So if I'm in- running in run level 5, it's only going to look in rc5.d for its startup and shutdown scripts. It's not going to look anywhere else.

Init Run Levels -2


Default run level is generally 5

0 and 6 are only passers by
• System cannot stay in them

Level 5 is X Windows login process

Up to 10 run levels are supported

Level 1 is special since it is single user mode without networking and gives root access

**026 Default run level is generally 5; which is full networking support, multiuser and X11 or your GUI interface. Ten run levels. If you're really advanced, you can define- it is possible to define custom run levels.


But it's really out of the scope of this class. But it is possible to do. And Level 1 is special because it's single user mode; as we've mentioned before.

Init Run Levels -3


/etc/inittab specifies which level is the default run level.

When booting up or shutting down, the system executes run levels in different directions.

• Up for startup, down for shutdown or reboot

telinit

• Changes init run level once system is running
• telinit 3 (changes init to level 3)

**027 The default run level is specified in a file called /etc/inittab. That's going to be the default run level when you boot up. So if you have a GUI interface and you want to make sure you're always going to boot into a command line, have to start the GUI manually, you change your init level to 3.


So when booting up or shutting down, execute the run levels in the different directions. So telinit, you can change the run level. I wouldn't recommend it. One of the common ones, you could do init0 or init-- if you type init6 or telinit6, it'll shut down the system. It's the equivalent of typing 'shutdown' without all the extra parameters. But you should use the actual 'shutdown' command because it does allow you to do a timer and broadcast a message to everyone on the system to warn them the system's being shut down; especially if it's a high-end multiuser system that has a lot of logged in users.


Security in inittab


Inittab describes what processes are started when the system boots.

Default run level can also be set here.
• It is a good practice to set your run level to 3 here.
• Network is started, but X11 services for GUI are not.

**028 Default run level can be set here in that order. So if you set it to 3, that's going to be your basic full networking, full multiuser with no X11. And then 5 would be with X11.


Version Specific Startup – RedHat -1


Init invokes /etc/rc.d/rc.

/etc/rc.d/rc can run in “confirmation” mode where each script is asked for confirmation to run before execution. Normally, this runs in “normal mode.”

Press “i” to enter “confirmation mode” when you see “Welcome to Red Hat Enterprise Linux.”

Image: redhat.com

**029 So like I said, I'll give you an example. The rc.d directories with rc.0, 1, 2. That's Red Hat's version of processing your startup scripts. In that same interface mode, that same Grub interface where I typed the 'a', you can use 'i' to do an interactive boot; which will ask you every script and process, if you want to run it or not. So if you wanted to do a step by step boot because you think a specific process isn't booting or is messing up your system, you can say, "Yes, yes, no, yes, yes" and see if that was the culprit or not.


Version Specific Startup – RedHat -2


/etc/rc.d/rc.local can be used to execute user scripts post-boot.

chkconfig adds or removes startup scripts from the system and sets the run level at which they run.

chkconfig --list postfix

/etc/sysconfig – where config files live for
• Clock
• Console
• Keyboard
• Mouse

**030 A common practice. This isn't required but a common practice is if you're going to have say some start scripts of your own, if you want to just run a command at startup, a specific command, there's a file called rc.local; and you'd put your stuff in rc.local as an administrator. You can put some of your custom one-line type scripts you wanted to run; kind of like the equivalent of the startup folder-- you want some certain things to run every time on startup, you can put it in rc.local. Now that's by no means required. You could still create your own independent text files-- as long as it's not named the same as something else in that directory; and then you just link to it from the rc directories.

Student: Do those get fired up regardless of what init level--

Jeff Arsenault: No. No it does not. So anything that's in the init.d, including rc.local, will only get fired up if you create a link to it and the appropriate run level. So you have to create-- so if you wanted to-- rc.local right now isn't set to fire up, I believe. So if you wanted to actually use rc.local, you'd have to go into the run level that you wanted to have and create a link to it; which is-- to create links you use a command called 'ln, space, -s'. And then there's another configuration directory called sysconfig which has some very basic configs; your default clock settings, your settings for your consoles, keyboard and mouse.


Version Specific Startup – RedHat -3


/etc/sysconfig/network

• Network file contains default gateway, hostname, other settings for networking for all interfaces

• /etc/sysconfig/network-scripts contain interface specific configuration parameters

• /etc/sysconfig/network-scripts/ifcfg-eth0:
    DEVICE=eth0
    BOOTPROTO=none
    ONBOOT=yes
    BROADCAST=10.0.1.255
    NETWORK=10.0.1.0
    NETMASK=255.255.255.0
    IPADDR=10.0.1.1
    USERCTL=no

**031 Also has the network. So a very important one here. We'll talk about a network more in another block where we'll actually go through some of the GUI. But for the very basics of it, if you wanted to manage it from the command line and not use any of the system services that can do it for you, this is where those scripts work. So usually on most systems your first Ethernet connection is going to be eth0. So as you can see on the slide, we have ifcfg-eth0. So when you look in this directory: sysconfig/network-scripts/-- in this directory it will be ifcfg, dash-- and then all your interfaces will be listed there. Most commonly-- so if you had another- if you had two NICs, your segment would be ifcfg-eth1. And then that script, that file contains-- this is what that file contains. So it says: Okay the device is eth0, Ethernet0. Bring up the interface on Boot. This is our broadcast; this is our network; this is our netmask and our IP address.


Version Specific Startup – Ubuntu

2007 init changed to Upstart

Upstart – event-driven service management
• Deals with transitions to state change
• Reduced boot time
• Uses run-level emulation scripts to boot system

Scripts are handled in /etc/event.d

Run levels are executed in /etc/event.d/rc0…

update-rc.d is used to maintain run levels

update-rc.d ssh start 80 2 3 4 5 . stop 20 S 1 6 .

Image: ubuntu.com

**032 So Ubuntu uses a different system than the traditional rc and init.d. Ubuntu used to use init.d. Now they're using a program called Upstart. A lot of the newer versions of Linux are switching to Upstart. Red Hat Enterprise 6 does not. But if you're familiar with the Red Hat environment they have-- their open source version is Fedora; and Fedora uses Upstart now. But that's a little more leading edge technology. So this is the tried and true is rc. So Upstart's event-driven service management; deals with transitions to state change; has a faster boot time. It still emulates the run levels; but it's more dynamic. So you should be using the constant run levels; but using a service to manage them. So you could use commands such as 'update-rc.d ssh', your secure shell. And so you say 'start'. And '80' is your priority; and then those are the run levels that it's applicable for. So that's the equivalent of creating the links in each of the individual rcs. So if I wanted to have it start at run level 2 or 3 or 4 or 5, then those are what are associated. That's the equivalent of putting a start- a startup link in rc2.d or rc3.d. But instead the entire process is managed by a service.


Securing Run Level Processes -1


There are a lot of services and processes that are started on the boot up of a system.

Some of these services are not needed and should be disabled.

Allowing unnecessary services or processes to run may increase the attack surface of a system.

**033 So as we were- as I showed you with the printer example, there's a lot of services and processes that are started on the boot of the system; and like you brought up: Okay, how do I know if one needs to be there or not? So we want to tune out ones that we don't need; such as the printer-- we want to disable those. Because actual processes that aren't necessary to the server are one extra vulnerability that might not get patched that could be exploited; or could be a system that someone- could be a process someone uses to hide in.


Securing Run Level Processes -2


Example processes that you may want to disable
• netfs – only used if an NFS share is needed at boot time
• pcmcia – generally only needed on laptops
• sendmail – procmail may be used instead and is more secure
• nfs, nfslock – only used if NFS shares are being used
• cups – used for printing

**034 So here are some examples of one. So cups was the printing one. Nfs; if you're not doing file sharing you don't need to have nfs running. That's the equivalent of having your file sharing turned on in your Windows box if you're not actually sharing files. Like so you're not going to have your file sharing turned on if you're in a hotel. Nfs is the equivalent of file sharing for Linux. Sendmail; if you're not a mail server you don't need sendmail.


Pcmcia; you're really only going to see that on laptops; and even most laptops nowadays don't even have pcmcia anymore. Most of them use USB.

Student: I have a question.

Jeff Arsenault: Yes?

Student: So is there a good place for a list-- some of these are pretty self-evident by the names of the daemons it's running. But others might be a little more complicated. Is there a good place to go get a complete listing? And then what's the best way of disabling them? Taking them out of-- taking that symbolic link out of the init.d?

Jeff Arsenault: Yes. So taking the symbolic link-- so in Upstart you can-- and Ubuntu; that's one of the nice things about the Upstart is you can take- you can remove it by typing upstart remove; and it's the equivalent of going and removing all those symbolic links for you. But since we're talking Red Hat Enterprise Linux, yes you'd have to go and remove all the symbolic links in each of the rcs.

Student: Can't you just use: check config service off?

Jeff Arsenault: Maybe you could use that also. The-- there are publications. NSA is a good reference; and the DISA STIGs. In another block we go over a list of common- a list of sources that are good for hardening Linux, that provide very comprehensive guides of such services. So I know NSA has a very comprehensive guide for securing Red Hat Enterprise Linux specifically. And we'll go into very-- it goes down to the command line prompt of what you disable.

Securing Run Level Processes -3


Services should be disabled as needed or permanently to decrease the attack surface on a system.

To stop a service
/etc/init.d/service stop

To permanently disable the service
chkconfig service off

**035 So we talked about using start, stop and restart. So you can type the service name, space, stop, to start the- to stop the service that's actually running; but it'll still come back up. And then as he mentioned earlier, to permanently disable it you can use check configure service space off.
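
As an added example (not part of the course material), the shell functions below audit the two settings these slides cover: the default run level in /etc/inittab, and whether any service from the "may want to disable" list still has a start link in that run level's directory. The /etc/rc.d/rcN.d layout, the S<NN>name / K<NN>name link naming, the function names and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a SysV-style boot configuration.
# Services the slide lists as candidates for disabling.
UNNEEDED="netfs pcmcia sendmail nfs nfslock cups"

# Print the default run level from an inittab file (entry form: id:N:initdefault:).
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Print "level service" for every unneeded service that has a start link
# (S<NN><name>) in the given rcN.d directory. K<NN><name> links are kill
# links, so a service that only has a K link is not reported.
enabled_unneeded() {
    rcdir=$1; level=$2
    for svc in $UNNEEDED; do
        for link in "$rcdir"/S[0-9][0-9]"$svc"; do
            [ -e "$link" ] || [ -L "$link" ] || continue
            echo "$level $svc"
        done
    done
}

# Audit a filesystem root. Returns 0 if clean, 1 if unneeded services start
# in the default run level, 2 if no default run level is configured.
audit_root() {
    root=$1
    level=$(default_runlevel "$root/etc/inittab")
    [ -n "$level" ] || { echo "ERROR no initdefault entry"; return 2; }
    [ "$level" = 3 ] || echo "WARN default run level is $level, not 3"
    found=$(enabled_unneeded "$root/etc/rc.d/rc$level.d" "$level")
    if [ -z "$found" ]; then return 0; fi
    echo "$found" | sed 's/^/ENABLED /'
    return 1
}

# Build a constructed sample tree (not taken from a real host) and print its path.
make_sample_root() {
    sample=$(mktemp -d)
    mkdir -p "$sample/etc/rc.d/init.d" "$sample/etc/rc.d/rc3.d" "$sample/etc/rc.d/rc5.d"
    printf '# constructed sample inittab\nid:5:initdefault:\n' > "$sample/etc/inittab"
    for svc in netfs sendmail cups sshd nfs; do : > "$sample/etc/rc.d/init.d/$svc"; done
    ln -s ../init.d/netfs    "$sample/etc/rc.d/rc5.d/S25netfs"
    ln -s ../init.d/sendmail "$sample/etc/rc.d/rc5.d/S80sendmail"
    ln -s ../init.d/cups     "$sample/etc/rc.d/rc5.d/K10cups"
    ln -s ../init.d/sshd     "$sample/etc/rc.d/rc5.d/S55sshd"
    ln -s ../init.d/nfs      "$sample/etc/rc.d/rc3.d/S60nfs"
    echo "$sample"
}

# Run against the constructed tree only when asked to.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_root)
    audit_root "$demo" || true
    rm -rf "$demo"
fi
```

Calling `audit_root /` checks the running host's own files; the audit only reads them and changes nothing.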

Reboot and Shutdown Properly


Incorrect rebooting or shutting down can cause issues with the integrity of the system including file and database corruption.

After startup/shutdown scripts have been modified, a reboot should be performed to make sure system comes up correctly.

**036 So I kind of hinted at this before. You could do an init0 which will halt the system but won't do a-- it'll just synch the files but it won't shut down all your services cleanly. So you always want to make sure you try to shut down and restart cleanly, using shutdown or the reboot command; much like on any computer system, not just Linux-based, it doesn't like it if it's just turned off unannounced.


Initiating a Reboot or Shutdown


Messages will be displayed to all logged in users
• It is important to notify all users on a system that a shutdown or reboot is being done by an authorized user.
• Unannounced restarts/shutdowns can cause unnecessary worry on the users of a system.
• Unannounced restart/shutdowns may indicate a security issue with the system.

Options
• /sbin/shutdown
• Time
• -r – reboot
• -h – halt
• -f fsck

**037 So when you're using shutdown, it'll notify all users on a system that a shutdown is going to happen. It actually lives in /sbin is where the shutdown command lives. But most of the time it's in your paths; so you can just shutdown from wherever you actually are on the command prompt. These are the parameters shutdowns take. So the time is when you're going to shut it down; -r is you're going to do a reboot; and -f is if you want to force it to do a file system check, the equivalent of check disk.


Halt and Shutdown


Halt
• Waits for file writes to finish
• Executes sync
• Halts kernel

Shutdown
• shutdown -h 13:25 "Need to install updates"
• shutdown -h +5 "Emergency shutdown in 5 minutes"
• shutdown -r now (same as reboot)

**038 So here are some examples of using the shutdown command. So that part in quotes is what will be sent to all the users logged on to the system. Now that won't be sent if they're using the system as a database server; they're not going to see this text. Or if they're using it as a webserver they're not going to see this text. It's more geared towards that they're actually logged into the server; such as doing SSH. Or if you for some reason have telnet turned on; which you shouldn't, since it's clear text.


And if you don't want to wait and you just need to take it down, you can do shutdown -r now and it'll bring down the system without giving the users any warning or delay.

Notices

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
