How to remove services from nsswitch file?

pinga123 · 10-11-2010, 12:27 AM

According to security manual only DNS, files, or LDAP should be allowed in nsswitch file however it seems like i have many other services configured in nsswitch files.

below are the content from nsswitch file.
What services can be removed considering the system stability.

Code:

passwd:     files
shadow:     files
group:      files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

Tinkster · 10-11-2010, 12:34 AM

Please elaborate (using the file you posted) which bits you consider
to be the services? I'd also like to hear from you whether your
organisation makes actual use of nis(plus) ...

Cheers,
Tink

pinga123 · 10-11-2010, 12:40 AM

We are using DNS servers and not NIS.also wanted to add here that i dont have any working knowledge of what does this file signifies i just want to follow the security manual statement which is as below.

"The name services configuration file nsswitch.conf must be configured to only support DNS, files, or LDAP. All other service types must be removed from the nsswitch.conf file. "

Tinkster · 10-11-2010, 12:56 AM

May I recommend a thorough read of 'man 5 nsswitch.conf"?

Determine from there in how far the "security recommendation" is
feasible, and can be adhered to in your environment w/o breaking it.

Cheers,
Tink

pinga123 · 10-11-2010, 01:28 AM

We are using dns server instead of NIS should we follow what the following link says.

http://www.faqs.org/docs/securing/chap6sec71.html

Tinkster · 10-11-2010, 01:32 AM

Quote:

Originally Posted by pinga123

We are using dns server instead of NIS should we follow what the following link says.

http://www.faqs.org/docs/securing/chap6sec71.html

Did you read the man-page? There are potential pitfalls in
changes to the file if you're not cautious about the version
of libc your system uses.

While the advice given in the link is sound it's not sufficient
to base a decision on.

Cheers,
Tink