An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/avahi/avahi-daemon.conf
avahi-daemon.conf(5)
[publish]
disable-publishing=yes
abrtd
$ sudo systemctl mask --now abrtd.service
ntpdate
/etc/ntp/step-tickers
/etc/ntp.conf
$ sudo systemctl mask --now ntpdate.service
oddjobd
$ sudo systemctl mask --now oddjobd.service
qpidd
$ sudo systemctl mask --now qpidd.service
rdisc
$ sudo systemctl mask --now rdisc.service
crond
cron
$ sudo systemctl enable cron.service
at
batch
atd
$ sudo systemctl mask --now atd.service
telnet
/etc/sysconfig
dhclient(8)
dhclient.conf(5)
/etc/dhcp/dhclient.conf
supersede setting value;
setting value
request setting; require setting;
setting
supersede domain-name "example.com"; supersede domain-name-servers 192.168.1.2; supersede nis-domain ""; supersede nis-servers ""; supersede ntp-servers "ntp.example.com "; supersede routers 192.168.1.1; supersede time-offset -18000; request subnet-mask; require subnet-mask;
/etc/dhcp/dhcpd.conf
option domain-name option domain-name-servers option nis-domain option nis-servers option ntp-servers option routers option time-offset
named
bind
$ sudo yum erase bind
fanotify
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
userlist_enable=YES userlist_file=/etc/vsftp.ftpusers userlist_deny=NO
/etc/vsftp.ftpusers
USERNAME
anonymous ftp
alternatives
postfix
$ sudo yum install postfix
$ sudo echo "root: " >> /etc/aliases $ sudo newaliases
$ sudo grep "postmaster:\s*root$" /etc/aliases postmaster: root
/etc/postfix/main.cf
relayhost
relayhost =
$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
/etc/fstab
netfs
$ sudo systemctl mask --now netfs.service
all_squash
/etc/exports
ntpd
chronyd
ntp
chrony
Chronyd
Autokey
$ sudo yum install chrony
# systemctl enable chronyd.service
server
Chrony
/etc/chrony.conf
server <remote-server>
/etc/hosts.equiv
~/.rhosts
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
sshd
openssh-server
$ sudo yum install openssh-server
$ sudo yum erase openssh-server
/etc/ssh/*_key
root
/etc/ssh/*.pub
0600
$ sudo chmod 0644 /etc/ssh/*.pub
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
/etc/ssh/sshd_config
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
UsePrivilegeSeparation