An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/avahi/avahi-daemon.conf
avahi-daemon.conf(5)
[publish]
disable-publishing=yes
kdump
kexec
$ sudo systemctl mask --now kdump.service
crond
cron
$ sudo systemctl enable cron.service
$ sudo systemctl enable crond.service
/etc/cron.d
$ sudo chgrp root /etc/cron.d
/etc/cron.daily
$ sudo chgrp root /etc/cron.daily
/etc/cron.hourly
$ sudo chgrp root /etc/cron.hourly
/etc/cron.monthly
$ sudo chgrp root /etc/cron.monthly
/etc/cron.weekly
$ sudo chgrp root /etc/cron.weekly
/etc/crontab
$ sudo chgrp root /etc/crontab
$ sudo chown root /etc/cron.d
$ sudo chown root /etc/cron.daily
$ sudo chown root /etc/cron.hourly
$ sudo chown root /etc/cron.monthly
$ sudo chown root /etc/cron.weekly
$ sudo chown root /etc/crontab
$ sudo chmod 0700 /etc/cron.d
$ sudo chmod 0700 /etc/cron.daily
$ sudo chmod 0700 /etc/cron.hourly
$ sudo chmod 0700 /etc/cron.monthly
$ sudo chmod 0700 /etc/cron.weekly
$ sudo chmod 0600 /etc/crontab
/etc/cron.allow
/etc/at.allow
/etc/cron.deny
/etc/at.deny
at
cron.allow
cron.deny
$ sudo rm /etc/cron.deny
at.deny
$ sudo rm /etc/at.deny
root
$ sudo chgrp root /etc/cron.allow
$ sudo chown root /etc/cron.allow
telnet
/etc/sysconfig
dhclient(8)
dhclient.conf(5)
/etc/dhcp/dhclient.conf
supersede setting value;
setting value
request setting; require setting;
setting
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
/etc/dhcp/dhcpd.conf
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
named
bind
$ sudo yum erase bind
fanotify
vsftpd
$ sudo yum erase vsftpd
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
/etc/vsftp.ftpusers
USERNAME
anonymous ftp
system-config-authentication
openldap-clients
$ sudo yum erase openldap-clients
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
USELDAPAUTH=yes
USELDAPAUTH
yes
$ sudo grep -i ssl /etc/pam_ldap.conf
alternatives
postfix
$ sudo yum install postfix
$ sudo echo "root: " >> /etc/aliases
$ sudo newaliases
$ sudo grep "postmaster:\s*root$" /etc/aliases
postmaster: root
/etc/postfix/main.cf
relayhost
relayhost =
$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
/etc/fstab
netfs
$ sudo systemctl mask --now netfs.service
nfs
nfs4
,nodev,nosuid
,noexec
nodev
noexec
nosuid
all_squash
/etc/exports
sec=krb5:krb5i:krb5p
ntpd
chronyd
ntp
chrony
Chronyd
Autokey
$ sudo yum install chrony
$ sudo systemctl enable chronyd.service
$ sudo systemctl is-active chronyd
active
$ sudo systemctl is-active ntpd
$ sudo systemctl enable ntpd.service
maxpoll
/etc/ntp.conf
/etc/chrony.conf
/etc/chrony.d/
server
pool
peer
server ntpserver
Chrony
server <remote-server>
rsyncd
$ sudo systemctl mask --now rsyncd.service
xinetd
$ sudo yum erase xinetd
$ sudo systemctl mask --now xinetd.service
ypbind
ypserv
$ sudo yum erase ypserv
$ sudo systemctl mask --now ypbind.service
rsh-server
$ sudo yum erase rsh-server
rsh
rexec
disable
/etc/xinetd.d/rexec
$ sudo systemctl mask --now rexec.socket
rlogin
/etc/xinetd.d/rlogin
$ sudo systemctl mask --now rlogin.socket
/etc/xinetd.d/rsh
$ sudo systemctl mask --now rsh.socket
shosts.equiv
$ sudo rm /[path]/[to]/[file]/shosts.equiv
/etc/hosts.equiv
~/.rhosts
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
~/.shosts
$ sudo find / -name '.shosts' -type f -delete
talk-server
$ sudo yum erase talk-server
talk
$ sudo yum erase talk
telnet-server
$ sudo yum erase telnet-server
$ sudo systemctl mask --now telnet.socket
tftp-server
$ sudo yum erase tftp-server
/etc/xinetd.d/tftp
-s
server_args = -s
zebra
$ sudo systemctl mask --now zebra.service
samba-client
samba
/etc/samba/smb.conf
[global]
samba-common
$ sudo yum install samba-common
net-snmp
$ sudo yum erase net-snmp
sshd
openssh-server
$ sudo yum install openssh-server
$ sudo yum erase openssh-server
$ sudo systemctl enable sshd.service
/etc/ssh/sshd_config
$ sudo chgrp root /etc/ssh/sshd_config
/etc/ssh/*_key
/etc/ssh/*.pub
$ sudo chown root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
$ sudo chmod 0644 /etc/ssh/*.pub
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
firewalld
ssh
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
UsePrivilegeSeparation
sssd-ipa
$ sudo yum install sssd-ipa
pam
services
[sssd]
/etc/sssd/sssd.conf
[sssd]
services = sudo, autofs, pam
pam_cert_auth
True
[pam]
[pam]
pam_cert_auth = True
memcache_timeout
[nss]
[nss]
memcache_timeout =
offline_credentials_expiration
1
[pam]
offline_credentials_expiration = 1
ssh_known_hosts_timeout
[ssh]
[ssh]
ssh_known_hosts_timeout =
usbguard
$ sudo yum install usbguard
graphical.target
$ sudo yum groupremove base-x
$ sudo yum remove xorg-x11-server-common
multi-user.target
$ systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.