I have noticed that even if I didnt enable or configure bgp, rip, ripng, ospf, babl, mpls (ldpd), eigrup and bfd these services are started by default anyway:
vyos@vyos:~$ ps auxwww | grep -i frr root 859 0.0 0.0 8208 3560 ? S<s Aug02 0:21 /usr/lib/frr/watchfrr -d -F traditional zebra bgpd ripd ripngd ospfd ospf6d isisd babeld ldpd eigrpd staticd bfdd frr 897 0.0 0.2 1148868 20760 ? S<sl Aug02 0:01 /usr/lib/frr/zebra -d -F traditional -s 90000000 --daemon -A 127.0.0.1 -M snmp frr 902 0.0 0.2 257552 18596 ? S<sl Aug02 0:01 /usr/lib/frr/bgpd -d -F traditional --daemon -A 127.0.0.1 -M snmp -M rpki -M bmp frr 909 0.0 0.1 26336 10948 ? S<s Aug02 0:01 /usr/lib/frr/ripd -d -F traditional --daemon -A 127.0.0.1 -M snmp frr 912 0.0 0.0 9648 5416 ? S<s Aug02 0:00 /usr/lib/frr/ripngd -d -F traditional --daemon -A ::1 frr 915 0.0 0.1 28628 12720 ? S<s Aug02 0:01 /usr/lib/frr/ospfd -d -F traditional --daemon -A 127.0.0.1 -M snmp frr 920 0.0 0.1 27668 12140 ? S<s Aug02 0:01 /usr/lib/frr/ospf6d -d -F traditional --daemon -A ::1 -M snmp frr 924 0.0 0.1 28248 12812 ? S<s Aug02 0:01 /usr/lib/frr/isisd -d -F traditional --daemon -A 127.0.0.1 -M snmp frr 927 0.0 0.0 9228 5140 ? S<s Aug02 0:00 /usr/lib/frr/babeld -d -F traditional --daemon -A 127.0.0.1 frr 930 0.0 0.0 9696 6920 ? S< Aug02 0:00 /usr/lib/frr/ldpd -L -u frr -g frr frr 931 0.0 0.0 9700 7000 ? S< Aug02 0:00 /usr/lib/frr/ldpd -E -u frr -g frr frr 932 0.0 0.0 10260 5568 ? S<s Aug02 0:00 /usr/lib/frr/ldpd -d -F traditional --daemon -A 127.0.0.1 frr 936 0.0 0.0 9836 5664 ? S<s Aug02 0:00 /usr/lib/frr/eigrpd -d -F traditional --daemon -A 127.0.0.1 frr 941 0.0 0.0 9348 5916 ? S<s Aug02 0:00 /usr/lib/frr/staticd -d -F traditional --daemon -A 127.0.0.1 frr 945 0.0 0.0 9452 5312 ? S<s Aug02 0:01 /usr/lib/frr/bfdd -d -F traditional --daemon -A 127.0.0.1
In order to lower available attacksurfaces but also to better utilize available hardware (mainly CPU and RAM) for services who are enabled then services who is not enabled by the configuration should remain shutdown until they are really needed.
In short, dont have services running who are not being used.
Of above I estimate that only watchfrr, zebra and staticd should be enabled by default - the rest should only be enabled when needed (aka configured in VyOS config-mode).
It seems like it is /etc/frr/daemons that defines which services should be runned (and monitored) or not but Im not sure this is correct file in VyOS case since that file also says "watchfrr_enable=no" which isnt true since watchfrr do run by default.
Also note that above change should be tested so that when for example eigrpd is enabled/disabled this shouldnt affect bgpd (who then would need to exchange routes with its peers again).
Ref: Current content of /etc/frr/daemons:
zebra=yes bgpd=yes ospfd=yes ospf6d=yes ripd=yes ripngd=yes isisd=yes pimd=no ldpd=yes nhrpd=no eigrpd=yes babeld=yes sharpd=no pbrd=no bfdd=yes staticd=yes vtysh_enable=yes zebra_options="-s 90000000 --daemon -A 127.0.0.1 -M snmp" bgpd_options="--daemon -A 127.0.0.1 -M snmp -M rpki -M bmp" ospfd_options="--daemon -A 127.0.0.1 -M snmp" ospf6d_options="--daemon -A ::1 -M snmp" ripd_options="--daemon -A 127.0.0.1 -M snmp" ripngd_options="--daemon -A ::1" isisd_options="--daemon -A 127.0.0.1 -M snmp" pimd_options="--daemon -A 127.0.0.1" ldpd_options="--daemon -A 127.0.0.1" nhrpd_options="--daemon -A 127.0.0.1" eigrpd_options="--daemon -A 127.0.0.1" babeld_options="--daemon -A 127.0.0.1" sharpd_options="--daemon -A 127.0.0.1" pbrd_options="--daemon -A 127.0.0.1" staticd_options="--daemon -A 127.0.0.1" bfdd_options="--daemon -A 127.0.0.1" watchfrr_enable=no valgrind_enable=no