An XCCDF Group - A logical subset of the XCCDF Benchmark
$ mount -t xfs | awk '{print $3}'
$ sudo chmod +t DIR
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
root
$ sudo chgrp root DIR
$ sudo chown root DIR
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
passwd
shadow
group
gshadow
/etc/security/opasswd
$ sudo chown root /etc/security/opasswd
$ sudo chgrp root /etc/security/opasswd
$ sudo chmod 0600 /etc/security/opasswd
/lib /lib64 /usr/lib /usr/lib64
/lib/modules
$ sudo chmod go-w DIR
$ sudo chgrp root FILE
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
$ sudo chown root FILE
$ sudo chmod go-w FILE
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
/etc/modprobe.d
autofs
/misc/cd
/etc/fstab
$ sudo systemctl mask --now autofs.service
usb-storage
/etc/modprobe.d/usb-storage.conf
install usb-storage /bin/false
modprobe
insmod
nosuid
/home
/etc/permissions.local
chkstat
/var/log/messages
$ sudo chmod 0640 /var/log/messages
# grep -i messages /etc/permissions.local
/var/log/messages root:root 640
grep "^/usr/sbin/au" /etc/permissions.local
/usr/sbin/audispd root:root 0750
/usr/sbin/auditctl root:root 0750
/usr/sbin/auditd root:root 0750
/usr/sbin/ausearch root:root 0755
/usr/sbin/aureport root:root 0755
/usr/sbin/autrace root:root 0750
/usr/sbin/augenrules root:root 0750
# grep -i audit /etc/permissions.local
/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640
kernel.dmesg_restrict
$ sudo sysctl -w kernel.dmesg_restrict=1
/etc/sysctl.d
kernel.dmesg_restrict = 1
sysctl
kernel.exec-shield
kernel.randomize_va_space
kernel.kptr_restrict
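$ sudo sysctl -w kernel.kptr_restrict=VALUE   # VALUE is a placeholder for the profile-selected setting (1 or 2 restricts exposure of kernel pointers)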
# VALUE is a placeholder for the profile-selected setting (1 or 2)
kernel.kptr_restrict = VALUE
$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2