Services

$ sudo systemctl mask --now kdump.service

$ sudo systemctl enable crond.service

$ sudo systemctl enable crond.service

$ sudo chgrp root /etc/cron.d

$ sudo chgrp root /etc/cron.daily

$ sudo chgrp root /etc/cron.deny

$ sudo chgrp root /etc/cron.hourly

$ sudo chgrp root /etc/cron.monthly

$ sudo chgrp root /etc/cron.weekly

$ sudo chgrp root /etc/crontab

$ sudo chown root /etc/cron.d 

$ sudo chown root /etc/cron.daily 

$ sudo chown root /etc/cron.deny 

$ sudo chown root /etc/cron.hourly 

$ sudo chown root /etc/cron.monthly 

$ sudo chown root /etc/cron.weekly 

$ sudo chown root /etc/crontab 

$ sudo chmod 0700 /etc/cron.d

$ sudo chmod 0700 /etc/cron.daily

$ sudo chmod 0700 /etc/cron.hourly

$ sudo chmod 0700 /etc/cron.monthly

$ sudo chmod 0700 /etc/cron.weekly

$ sudo chmod 0600 /etc/crontab

• Remove the cron.deny file:

  $ sudo rm /etc/cron.deny

• Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.
• Remove the at.deny file:

  $ sudo rm /etc/at.deny

• Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.

$ sudo dnf remove dnsmasq

$ sudo dnf install fapolicyd

$ sudo systemctl enable fapolicyd.service

$ sudo dnf remove ftp

$ sudo dnf install s-nail

$ sudo dnf remove nfs-utils

$ sudo dnf install chrony

$ sudo systemctl is-active chronyd

active

$ sudo systemctl is-active ntpd

active

server <remote-server>

server <remote-server>

maxpoll 
              

• if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
• if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.

server ntpserver
              

$ sudo chgrp chrony /etc/chrony.keys

$ sudo chown root /etc/chrony.keys 

$ sudo chmod 0640 /etc/chrony.keys

$ sudo dnf remove rsync-daemon

$ sudo systemctl mask --now rsyncd.service

$ sudo systemctl mask --now cups.service

• use only SNMP version 3 security models and enable the use of authentication and encryption
• write access to the MIB (Management Information Base) should be allowed only if necessary
• all access to the MIB should be restricted following a principle of least privilege
• network access should be limited to the maximum extent possible including restricting to expected network addresses both in the configuration files and in the system firewall rules
• ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
• ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
• ensure that any MIB files' permissions are also 640 or more restrictive

$ sudo dnf install openssh-clients

$ sudo dnf install openssh-server

$ sudo systemctl enable sshd.service

$ sudo chgrp root /etc/ssh/sshd_config

$ sudo chown root /etc/ssh/sshd_config 

$ sudo chmod 0600 /etc/ssh/sshd_config

$ sudo chmod 0644 /etc/ssh/*.pub

~/.ssh

$ sudo dnf install sssd

$ sudo systemctl enable sssd.service

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

[pam]
pam_cert_auth = True

[pam]
offline_credentials_expiration = 1

$ sudo dnf install usbguard

$ sudo systemctl enable usbguard.service