# Fragment of a rendered XCCDF hardening benchmark: rule text (paths, sysctl
# keys, expected values) interleaved with the remediation commands the guide
# shows. Lines beginning with "$ " are shell prompts, not code to source, and
# the "# grub2-editenv ..." lines near the end are root prompts, not comments.
# Uppercase words such as DIR, MOUNTPOINT and FILE are the guide's placeholders
# for each item the rule applies to.
An XCCDF Group - A logical subset of the XCCDF Benchmark
# Print the mount point of every mounted xfs filesystem (third field of the
# "dev on /path type fs (...)" lines that mount prints).
$ mount -t xfs | awk '{print $3}'
# Sticky bit on a world-writable directory: only a file's owner (or root) may
# delete or rename entries in it. DIR stands for each directory to be fixed.
$ sudo chmod +t DIR
# System executable directories; expected owner and group are both root.
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
root
$ sudo chgrp root DIR
$ sudo chown root DIR
# Files that must be root-owned and unreadable by anyone else: /etc/crypttab
# (encrypted-volume mappings) and the kernel symbol maps in /boot.
/etc/crypttab
$ sudo chgrp root /etc/crypttab
/boot/System.map*
$ sudo chgrp root /boot/System.map*
$ sudo chown root /etc/crypttab
$ sudo chown root /boot/System.map*
# 0600: owner read/write only.
$ sudo chmod 0600 /etc/crypttab
$ sudo chmod 0600 /boot/System.map*
# Pseudo-filesystems that carry no device nodes; the nodev listing below is
# meant to skip them.
sysfs
procfs
# List mounted filesystems whose type is NOT one the kernel marks "nodev":
# awk collects the nodev types from /proc/filesystems, paste joins them with
# commas, and findmnt -i inverts the -t type filter (-n no header, -l list
# format, -k read the kernel's mountinfo). The substitution is unquoted, but
# its output is one comma-joined token with no whitespace, so it is safe here.
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
# Files with no matching group / user entry (orphaned ownership), confined to
# the filesystem mounted at MOUNTPOINT (-xdev does not cross mounts); presumably
# run once per mount point from the listing above. Permission errors are
# discarded, so a partial result is silent — run as root as shown.
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
# Each sysctl below is applied at runtime with "sysctl -w" (lost on reboot) and
# persisted by writing the "key = value" line into a file under /etc/sysctl.d.
# fs.protected_fifos=2: in world-writable sticky directories, refuse O_CREAT
# opens of FIFOs not owned by the opener (2 also covers group-writable dirs).
fs.protected_fifos
$ sudo sysctl -w fs.protected_fifos=2
/etc/sysctl.d
fs.protected_fifos = 2
# fs.protected_hardlinks=1: users may hard-link only files they own or can
# read and write.
fs.protected_hardlinks
$ sudo sysctl -w fs.protected_hardlinks=1
fs.protected_hardlinks = 1
# fs.protected_regular=2: same rule as protected_fifos, for regular files.
fs.protected_regular
$ sudo sysctl -w fs.protected_regular=2
fs.protected_regular = 2
# fs.protected_symlinks=1: symlinks in world-writable sticky directories are
# followed only when the link owner matches the follower or the directory owner.
fs.protected_symlinks
$ sudo sysctl -w fs.protected_symlinks=1
fs.protected_symlinks = 1
# Account database files and their expected ownership / modes.
passwd
shadow
group
gshadow
/etc/group
$ sudo chgrp root /etc/group
/etc/gshadow
$ sudo chgrp root /etc/gshadow
/etc/passwd
$ sudo chgrp root /etc/passwd
/etc/shadow
$ sudo chgrp root /etc/shadow
/etc/shells
$ sudo chgrp root /etc/shells
$ sudo chown root /etc/group
$ sudo chown root /etc/gshadow
$ sudo chown root /etc/passwd
$ sudo chown root /etc/shadow
$ sudo chown root /etc/shells
# passwd/group/shells stay world-readable (0644); the password-hash files get
# 0000 — root bypasses DAC, so root-owned tools still read them.
$ sudo chmod 0644 /etc/group
$ sudo chmod 0000 /etc/gshadow
$ sudo chmod 0644 /etc/passwd
$ sudo chmod 0000 /etc/shadow
$ sudo chmod 0644 /etc/shells
# The sysctl drop-in directory itself: root-owned, writable by root only.
$ sudo chgrp root /etc/sysctl.d
$ sudo chown root /etc/sysctl.d
$ sudo chmod 0755 /etc/sysctl.d
# System executables: FILE stands for each file under the directories listed
# below; "go-w" strips group and world write so only the owner (root) may
# modify them.
$ sudo chgrp root FILE
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
$ sudo chown root FILE
$ sudo chmod go-w FILE
# Mount options to add in /etc/fstab for the partitions listed below. Which
# option belongs to which mount point is not recoverable from this fragment —
# check each rule individually (for example, /dev holds the device nodes, so
# nodev is not a sensible option for it).
/etc/fstab
noexec
/boot
nosuid
/home
nodev
/dev
/opt
/srv
/tmp
/var/log
/var
/var/tmp
# kernel.dmesg_restrict=1: only processes with CAP_SYSLOG can read the kernel
# log buffer.
kernel.dmesg_restrict
$ sudo sysctl -w kernel.dmesg_restrict=1
kernel.dmesg_restrict = 1
# kernel.modules_disabled=1: no further module loading. This is one-way — it
# cannot be cleared until reboot — so load every needed module first.
kernel.modules_disabled
$ sudo sysctl -w kernel.modules_disabled=1
kernel.modules_disabled = 1
# kernel.panic_on_oops=1: panic on a kernel oops instead of continuing in an
# inconsistent state.
kernel.panic_on_oops
$ sudo sysctl -w kernel.panic_on_oops=1
kernel.panic_on_oops = 1
# perf throttling: cap the CPU time and sample rate of perf events.
kernel.perf_cpu_time_max_percent
$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate
$ sudo sysctl -w kernel.perf_event_max_sample_rate=1
kernel.perf_event_max_sample_rate = 1
# kernel.perf_event_paranoid=2: unprivileged users may profile only their own
# user-space code.
kernel.perf_event_paranoid
$ sudo sysctl -w kernel.perf_event_paranoid=2
kernel.perf_event_paranoid = 2
# kernel.pid_max: upper bound on PID values; 65536 is the value this guide
# specifies.
kernel.pid_max
$ sudo sysctl -w kernel.pid_max=65536
kernel.pid_max = 65536
# kernel.sysrq=0: disable the magic SysRq key entirely.
kernel.sysrq
$ sudo sysctl -w kernel.sysrq=0
kernel.sysrq = 0
# kernel.unprivileged_bpf_disabled=1: only privileged processes may load BPF
# programs; like modules_disabled, the value 1 cannot be changed back until
# reboot.
kernel.unprivileged_bpf_disabled
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
kernel.unprivileged_bpf_disabled = 1
# kernel.yama.ptrace_scope=1: a process may ptrace only its descendants
# (requires the Yama LSM; the key is absent otherwise and sysctl -w fails).
kernel.yama.ptrace_scope
$ sudo sysctl -w kernel.yama.ptrace_scope=1
kernel.yama.ptrace_scope = 1
# net.core.bpf_jit_harden=2: apply BPF JIT hardening (constant blinding) for
# all users, not just unprivileged ones.
net.core.bpf_jit_harden
$ sudo sysctl -w net.core.bpf_jit_harden=2
net.core.bpf_jit_harden = 2
# vm.mmap_min_addr=65536: lowest address user space may map; keeps the NULL
# page unmappable.
vm.mmap_min_addr
$ sudo sysctl -w vm.mmap_min_addr=65536
vm.mmap_min_addr = 65536
# PAM resource limits; the specific limit this rule sets is not shown in this
# fragment.
/etc/security/limits.conf
/etc/security/limits.d/
limits.conf
sysctl
# fs.suid_dumpable=0: setuid / otherwise privileged processes never write
# core dumps, so secrets in their memory are not written to disk.
fs.suid_dumpable
$ sudo sysctl -w fs.suid_dumpable=0
fs.suid_dumpable = 0
# kernel.exec-shield is listed but no remediation command appears here.
kernel.exec-shield
kernel.randomize_va_space
# kernel.kptr_restrict: the value is missing from both lines below — the
# guide's variable was not substituted when this page was rendered. Running
# the command as written ("...=") is invalid; fill in the value the benchmark
# chooses (<KPTR_RESTRICT_VALUE> placeholder) before use.
kernel.kptr_restrict
$ sudo sysctl -w kernel.kptr_restrict=
kernel.kptr_restrict =
# kernel.randomize_va_space=2: full ASLR (stack, mmap base, brk).
$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2
# Kernel command-line arguments set through grub2-editenv: each command reads
# the current "kernelopts=..." line and rewrites it with the new token
# appended. Running a command twice appends the token twice — check
# "grub2-editenv - list" first. The slub_debug value is missing here (same
# unsubstituted template variable as above); fill in <SLUB_DEBUG_VALUE>.
slub_debug
page_poison=1
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1"
slub_debug=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug="