Remove Files Not Required for Daily Operations

When you start going through your list of services, make sure that you understand what is required to operate the systems in question. Removing extraneous services that are not required for daily operations has multiple benefits. First, it limits the attack surface, so malicious attackers can't breach what is not there. If you remove these extra pieces of the OS, it presents fewer opportunities to compromise the environment.

Check what services are being used upon startup by viewing /etc/inittab. For example, these are some common services that you may consider disabling:

• /etc/inittab - Defines what starts when the system boots up

• dt - Common Desktop Environment (DTE)

• httpdlite - the default webserver for the docsearch engine

• imqss - search engine for docsearch

• nfs - network file sharing, disable unless sharing via NFS

• piobe - Printer I/O needed if printing directly from the server

• qdaemon - print spooler that submits to piobe

• uprintfd - kernel messages generally not required

• xdm - X11 do not run on backroom or development servers unless specifically required

Second, removing these extra system pieces limits the amount of patching that is required. Typically, less patching means less downtime, fewer maintenance hours, and less effort keeping those systems up to date. Additionally, you will have a faster patch cycle if you don’t have so many things to patch. For example, if you are not browsing the web from a system, then you don’t need to have web browsing packages on the system. Try to limit the attack surface whenever possible.

To remove packages from an AIX system follow these steps:

First, ensure that the components are unconfigured (if necessary). Follow the instructions in Unconfiguring Tivoli Access Manager components.

Then enter the following command:

installp -u -g packages