An XCCDF Group - A logical subset of the XCCDF Benchmark
$ mount -t xfs | awk '{print $3}'
$ sudo chmod +t DIR
/boot/System.map-*
$ sudo chmod 0600 /boot/System.map-*
sysfs
procfs
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
fs.protected_hardlinks
$ sudo sysctl -w fs.protected_hardlinks=1
/etc/sysctl.d
fs.protected_hardlinks = 1
fs.protected_symlinks
$ sudo sysctl -w fs.protected_symlinks=1
fs.protected_symlinks = 1
passwd
shadow
group
gshadow
/etc/group-
$ sudo chgrp root /etc/group-
/etc/gshadow-
$ sudo chgrp root /etc/gshadow-
/etc/passwd-
$ sudo chgrp root /etc/passwd-
/etc/shadow-
$ sudo chgrp root /etc/shadow-
/etc/group
$ sudo chgrp root /etc/group
/etc/gshadow
$ sudo chgrp root /etc/gshadow
/etc/passwd
$ sudo chgrp root /etc/passwd
/etc/shadow
$ sudo chgrp root /etc/shadow
$ sudo chown root /etc/group-
$ sudo chown root /etc/gshadow-
$ sudo chown root /etc/passwd-
$ sudo chown root /etc/shadow-
$ sudo chown root /etc/group
$ sudo chown root /etc/gshadow
$ sudo chown root /etc/passwd
$ sudo chown root /etc/shadow
$ sudo chmod 0644 /etc/group-
$ sudo chmod 0000 /etc/gshadow-
$ sudo chmod 0644 /etc/passwd-
$ sudo chmod 0000 /etc/shadow-
$ sudo chmod 0644 /etc/group
$ sudo chmod 0000 /etc/gshadow
$ sudo chmod 0644 /etc/passwd
$ sudo chmod 0000 /etc/shadow
/etc/security/opasswd
$ sudo chown root /etc/security/opasswd
$ sudo chgrp root /etc/security/opasswd
$ sudo chmod 0600 /etc/security/opasswd
/etc/shells
$ sudo chgrp root /etc/shells
$ sudo chown root /etc/shells
$ sudo chmod 0644 /etc/shells
/var/log
$ sudo chgrp root /var/log
/var/log/messages
$ sudo chgrp root /var/log/messages
/var/log/syslog
$ sudo chgrp adm /var/log/syslog
$ sudo chown root /var/log
$ sudo chown root /var/log/messages
$ sudo chown syslog /var/log/syslog
$ sudo chmod 0755 /var/log
$ sudo chmod 0640 /var/log/messages
$ sudo chmod 0640 /var/log/syslog
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
root
$ sudo chown root DIR
/lib /lib64 /usr/lib /usr/lib64
/lib/modules
$ sudo chmod go-w DIR
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin
$ sudo chown root FILE
$ sudo chmod go-w FILE
$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root
$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
/etc/modprobe.d
autofs
/misc/cd
/etc/fstab
$ sudo systemctl mask --now autofs.service
nousb
/etc/default/grub
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
(This is legacy GRUB syntax. On GRUB 2 systems, append nousb to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the boot configuration, or run: # grubby --update-kernel=ALL --args="nousb")
cramfs
/etc/modprobe.d/cramfs.conf
install cramfs /bin/true
blacklist cramfs
freevxfs
/etc/modprobe.d/freevxfs.conf
install freevxfs /bin/true
blacklist freevxfs
hfs
/etc/modprobe.d/hfs.conf
install hfs /bin/true
blacklist hfs
hfsplus
/etc/modprobe.d/hfsplus.conf
install hfsplus /bin/true
blacklist hfsplus
jffs2
/etc/modprobe.d/jffs2.conf
install jffs2 /bin/true
blacklist jffs2
squashfs
/etc/modprobe.d/squashfs.conf
install squashfs /bin/true
blacklist squashfs
udf
/etc/modprobe.d/udf.conf
install udf /bin/true
blacklist udf
usb-storage
/etc/modprobe.d/usb-storage.conf
install usb-storage /bin/true
blacklist usb-storage
modprobe
insmod
vfat
/etc/modprobe.d/vfat.conf
install vfat /bin/true
blacklist vfat
vFAT
FAT12
FAT16
FAT32
noauto
/boot
nodev
/dev
noexec
nosuid
/dev/shm
grpquota
/home
usrquota
/opt
hidepid
/proc
/proc/[pid]
0: Everybody may access all /proc/[pid] directories. 1: Users may not access files and subdirectories inside any /proc/[pid] directories but their own. The /proc/[pid] directories themselves remain visible. 2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other users become invisible.
hidepid=2
/srv
/tmp
/var/log/audit
/var
/var/tmp
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
mount(8)
/etc/permissions.local
chkstat
kernel.dmesg_restrict
$ sudo sysctl -w kernel.dmesg_restrict=1
kernel.dmesg_restrict = 1
kernel.kexec_load_disabled
$ sudo sysctl -w kernel.kexec_load_disabled=1
kernel.kexec_load_disabled = 1
kernel.modules_disabled
$ sudo sysctl -w kernel.modules_disabled=1
kernel.modules_disabled = 1
kernel.panic_on_oops
$ sudo sysctl -w kernel.panic_on_oops=1
kernel.panic_on_oops = 1
kernel.perf_cpu_time_max_percent
$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate
$ sudo sysctl -w kernel.perf_event_max_sample_rate=1
kernel.perf_event_max_sample_rate = 1
kernel.perf_event_paranoid
$ sudo sysctl -w kernel.perf_event_paranoid=2
kernel.perf_event_paranoid = 2
kernel.pid_max
$ sudo sysctl -w kernel.pid_max=65536
kernel.pid_max = 65536
kernel.sysrq
$ sudo sysctl -w kernel.sysrq=0
kernel.sysrq = 0
kernel.yama.ptrace_scope
$ sudo sysctl -w kernel.yama.ptrace_scope=1
kernel.yama.ptrace_scope = 1
vm.mmap_min_addr
$ sudo sysctl -w vm.mmap_min_addr=65536
vm.mmap_min_addr = 65536
/etc/security/limits.conf
/etc/security/limits.d/
limits.conf
sysctl
fs.suid_dumpable
ProcessSizeMax
[Coredump]
/etc/systemd/coredump.conf
Storage
none
* hard core 0
$ sudo sysctl -w fs.suid_dumpable=0
fs.suid_dumpable = 0
/etc/init.d/functions
077
022
umask
kernel.exec-shield
kernel.randomize_va_space
kernel.kptr_restrict
$ sudo sysctl -w kernel.kptr_restrict=1
kernel.kptr_restrict = 1
(A value of 1 hides kernel addresses from unprivileged readers of /proc/kallsyms and similar interfaces; 2 hides them from all users, including those with CAP_SYSLOG.)
$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2
kernel-PAE
$ sudo yum install kernel-PAE
slub_debug
page_poison=1
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
# grubby --update-kernel=ALL --args="page_poison=1"
slub_debug=P
GRUB_CMDLINE_LINUX="... slub_debug=P ..."
# grubby --update-kernel=ALL --args="slub_debug=P"
(The P flag enables SLUB object poisoning so that freed and uninitialized slab memory is filled with a known pattern; like page_poison=1 this has a runtime cost and should be benchmarked before deployment on performance-sensitive systems.)