An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/avahi/avahi-daemon.conf
avahi-daemon.conf(5)
[publish]
disable-publishing=yes
avahi-daemon
$ sudo systemctl mask --now avahi-daemon.service
crond
cron
$ sudo systemctl enable cron.service
$ sudo systemctl enable crond.service
/etc/cron.d
$ sudo chgrp root /etc/cron.d
/etc/cron.daily
$ sudo chgrp root /etc/cron.daily
/etc/cron.hourly
$ sudo chgrp root /etc/cron.hourly
/etc/cron.monthly
$ sudo chgrp root /etc/cron.monthly
/etc/cron.weekly
$ sudo chgrp root /etc/cron.weekly
/etc/crontab
$ sudo chgrp root /etc/crontab
$ sudo chown root /etc/cron.d
$ sudo chown root /etc/cron.daily
$ sudo chown root /etc/cron.hourly
$ sudo chown root /etc/cron.monthly
$ sudo chown root /etc/cron.weekly
$ sudo chown root /etc/crontab
$ sudo chmod 0700 /etc/cron.d
$ sudo chmod 0700 /etc/cron.daily
$ sudo chmod 0700 /etc/cron.hourly
$ sudo chmod 0700 /etc/cron.monthly
$ sudo chmod 0700 /etc/cron.weekly
$ sudo chmod 0600 /etc/crontab
/etc/cron.allow
/etc/at.allow
/etc/cron.deny
/etc/at.deny
at
cron.allow
cron.deny
$ sudo rm /etc/cron.deny
at.deny
$ sudo rm /etc/at.deny
root
$ sudo chgrp root /etc/at.allow
$ sudo chgrp root /etc/cron.allow
$ sudo chown root /etc/at.allow
$ sudo chown root /etc/cron.allow
0640
$ sudo chmod 0640 /etc/at.allow
$ sudo chmod 0640 /etc/cron.allow
telnet
/etc/sysconfig
dhclient(8)
dhclient.conf(5)
/etc/dhcp/dhclient.conf
supersede setting value;
setting value
request setting;
require setting;
setting
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com ";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
/etc/dhcp/dhcpd.conf
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
dhcpd
$ sudo systemctl mask --now dhcpd.service
named
$ sudo systemctl mask --now named.service
fanotify
vsftpd
$ sudo systemctl mask --now vsftpd.service
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
/etc/vsftp.ftpusers
USERNAME
anonymous ftp
httpd
$ sudo systemctl mask --now httpd.service
dovecot
$ sudo systemctl mask --now dovecot.service
alternatives
postfix
$ sudo dnf install postfix
$ echo "root: " | sudo tee -a /etc/aliases
$ sudo newaliases
$ sudo grep "postmaster:\s*root$" /etc/aliases
postmaster: root
/etc/postfix/main.cf
relayhost
relayhost =
$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
/etc/fstab
netfs
$ sudo systemctl mask --now netfs.service
rpcbind
$ sudo systemctl mask --now rpcbind.service
nfs
rpcsvcgssd
nfs-server
$ sudo systemctl mask --now nfs-server.service
all_squash
/etc/exports
ntpd
chronyd
ntp
chrony
Chronyd
Autokey
$ sudo dnf install chrony
$ sudo systemctl enable chronyd.service
server
Chrony
/etc/chrony.conf
server <remote-server>
rsyncd
$ sudo systemctl mask --now rsyncd.service
ypserv
$ sudo systemctl mask --now ypserv.service
/etc/hosts.equiv
~/.rhosts
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
cups
$ sudo systemctl mask --now cups.service
squid
$ sudo systemctl mask --now squid.service
samba-client
samba
smb
$ sudo systemctl mask --now smb.service
snmpd
$ sudo systemctl mask --now snmpd.service
sshd
openssh-server
$ sudo dnf install openssh-server
$ sudo dnf remove openssh-server
/etc/ssh/sshd_config
$ sudo chgrp root /etc/ssh/sshd_config
/etc/ssh/*_key
/etc/ssh/*.pub
$ sudo chown root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
$ sudo chmod 0644 /etc/ssh/*.pub
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
UsePrivilegeSeparation