An XCCDF Group - A logical subset of the XCCDF Benchmark
$ sudo chmod +t DIR
/etc/audit/auditd.conf
$ sudo chmod 0640 /etc/audit/auditd.conf
/etc/audit/rules.d/*.rules
$ sudo chmod 0640 /etc/audit/rules.d/*.rules
/boot/System.map-*
$ sudo chmod 0600 /boot/System.map-*
sysfs
procfs
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
fs.protected_hardlinks
$ sudo sysctl -w fs.protected_hardlinks=1
/etc/sysctl.d
fs.protected_hardlinks = 1
fs.protected_symlinks
$ sudo sysctl -w fs.protected_symlinks=1
fs.protected_symlinks = 1
passwd
shadow
group
gshadow
/etc/group-
$ sudo chgrp root /etc/group-
/etc/gshadow-
$ sudo chgrp root /etc/gshadow-
/etc/passwd-
$ sudo chgrp root /etc/passwd-
/etc/shadow-
$ sudo chgrp root /etc/shadow-
/etc/group
$ sudo chgrp root /etc/group
/etc/gshadow
$ sudo chgrp root /etc/gshadow
/etc/passwd
$ sudo chgrp root /etc/passwd
/etc/shadow
$ sudo chgrp root /etc/shadow
$ sudo chown root /etc/group-
$ sudo chown root /etc/gshadow-
$ sudo chown root /etc/passwd-
$ sudo chown root /etc/shadow-
$ sudo chown root /etc/group
$ sudo chown root /etc/gshadow
$ sudo chown root /etc/passwd
$ sudo chown root /etc/shadow
$ sudo chmod 0644 /etc/group-
$ sudo chmod 0000 /etc/gshadow-
$ sudo chmod 0644 /etc/passwd-
$ sudo chmod 0000 /etc/shadow-
$ sudo chmod 0644 /etc/group
$ sudo chmod 0000 /etc/gshadow
$ sudo chmod 0644 /etc/passwd
$ sudo chmod 0000 /etc/shadow
/var/log
$ sudo chgrp root /var/log
/var/log/messages
$ sudo chgrp root /var/log/messages
/var/log/syslog
$ sudo chgrp adm /var/log/syslog
$ sudo chown root /var/log
$ sudo chown root /var/log/messages
$ sudo chown syslog /var/log/syslog
$ sudo chmod 0755 /var/log
$ sudo chmod 0640 /var/log/messages
$ sudo chmod 0640 /var/log/syslog
/lib /lib64 /usr/lib /usr/lib64
/lib/modules
root
$ sudo chgrp root DIR
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
$ sudo chown root DIR
$ sudo chmod go-w DIR
$ sudo chgrp root FILE
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
$ sudo chown root FILE
$ sudo chmod go-w FILE
fs.protected_fifos
$ sudo sysctl -w fs.protected_fifos=2
fs.protected_fifos = 2
fs.protected_regular
$ sudo sysctl -w fs.protected_regular=2
fs.protected_regular = 2