An XCCDF Group - A logical subset of the XCCDF Benchmark
$ mount -t xfs | awk '{print $3}'
$ sudo chmod +t DIR
sysfs
procfs
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
passwd
shadow
group
gshadow
/etc/group-
$ sudo chgrp root /etc/group-
/etc/gshadow-
$ sudo chgrp root /etc/gshadow-
/etc/passwd-
$ sudo chgrp root /etc/passwd-
/etc/shadow-
$ sudo chgrp root /etc/shadow-
/etc/group
$ sudo chgrp root /etc/group
/etc/gshadow
$ sudo chgrp root /etc/gshadow
/etc/passwd
$ sudo chgrp root /etc/passwd
/etc/shadow
$ sudo chgrp root /etc/shadow
$ sudo chown root /etc/group-
$ sudo chown root /etc/gshadow-
$ sudo chown root /etc/passwd-
$ sudo chown root /etc/shadow-
$ sudo chown root /etc/group
$ sudo chown root /etc/gshadow
$ sudo chown root /etc/passwd
$ sudo chown root /etc/shadow
$ sudo chmod 0644 /etc/group-
$ sudo chmod 0000 /etc/gshadow-
$ sudo chmod 0644 /etc/passwd-
$ sudo chmod 0000 /etc/shadow-
$ sudo chmod 0644 /etc/group
$ sudo chmod 0000 /etc/gshadow
$ sudo chmod 0644 /etc/passwd
$ sudo chmod 0000 /etc/shadow
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/audispd root /sbin/augenrules root
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/audispd root /sbin/augenrules root
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 755 /sbin/autrace 755 /sbin/auditd 755 /sbin/audispd 755 /sbin/augenrules 755
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
/etc/modprobe.d
cramfs
/etc/modprobe.d/cramfs.conf
install cramfs /bin/false
freevxfs
/etc/modprobe.d/freevxfs.conf
install freevxfs /bin/false
hfs
/etc/modprobe.d/hfs.conf
install hfs /bin/false
hfsplus
/etc/modprobe.d/hfsplus.conf
install hfsplus /bin/false
jffs2
/etc/modprobe.d/jffs2.conf
install jffs2 /bin/false
squashfs
/etc/modprobe.d/squashfs.conf
install squashfs /bin/false
udf
/etc/modprobe.d/udf.conf
install udf /bin/false
usb-storage
/etc/modprobe.d/usb-storage.conf
install usb-storage /bin/false
modprobe
insmod
/etc/fstab
nodev
/dev/shm
noexec
nosuid
/home
/dev
/tmp
/var/log/audit
/var/log
/var
/var/tmp
kernel.yama.ptrace_scope
$ sudo sysctl -w kernel.yama.ptrace_scope=1
/etc/sysctl.d
kernel.yama.ptrace_scope = 1
/etc/security/limits.conf
/etc/security/limits.d/
limits.conf
sysctl
fs.suid_dumpable
ProcessSizeMax
[Coredump]
/etc/systemd/coredump.conf
Storage
none
kernel.exec-shield
kernel.randomize_va_space
$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2