An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/avahi/avahi-daemon.conf
avahi-daemon.conf(5)
[publish]
disable-publishing=yes
avahi-daemon
$ sudo systemctl mask --now avahi-daemon.service
abrtd
$ sudo systemctl mask --now abrtd.service
ntpdate
/etc/ntp/step-tickers
/etc/ntp.conf
$ sudo systemctl mask --now ntpdate.service
oddjobd
$ sudo systemctl mask --now oddjobd.service
qpidd
$ sudo systemctl mask --now qpidd.service
rdisc
$ sudo systemctl mask --now rdisc.service
crond
cron
$ sudo systemctl enable cron.service
at
batch
atd
$ sudo systemctl mask --now atd.service
/etc/cron.d
$ sudo chgrp root /etc/cron.d
/etc/cron.daily
$ sudo chgrp root /etc/cron.daily
/etc/cron.hourly
$ sudo chgrp root /etc/cron.hourly
/etc/cron.monthly
$ sudo chgrp root /etc/cron.monthly
/etc/cron.weekly
$ sudo chgrp root /etc/cron.weekly
/etc/crontab
$ sudo chgrp root /etc/crontab
$ sudo chown root /etc/cron.d
$ sudo chown root /etc/cron.daily
$ sudo chown root /etc/cron.hourly
$ sudo chown root /etc/cron.monthly
$ sudo chown root /etc/cron.weekly
$ sudo chown root /etc/crontab
$ sudo chmod 0700 /etc/cron.d
$ sudo chmod 0700 /etc/cron.daily
$ sudo chmod 0700 /etc/cron.hourly
$ sudo chmod 0700 /etc/cron.monthly
$ sudo chmod 0700 /etc/cron.weekly
$ sudo chmod 0600 /etc/crontab
/etc/cron.allow
/etc/at.allow
/etc/cron.deny
/etc/at.deny
cron.allow
cron.deny
$ sudo rm /etc/cron.deny
at.deny
$ sudo rm /etc/at.deny
root
$ sudo chgrp root /etc/at.allow
$ sudo chgrp root /etc/cron.allow
$ sudo chown root /etc/at.allow
$ sudo chown root /etc/cron.allow
0640
$ sudo chmod 0640 /etc/at.allow
$ sudo chmod 0640 /etc/cron.allow
telnet
/etc/sysconfig
dhclient(8)
dhclient.conf(5)
/etc/dhcp/dhclient.conf
supersede setting value;
setting value
request setting; require setting;
setting
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com ";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
/etc/dhcp/dhcpd.conf
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
named
bind
$ sudo yum erase bind
fanotify
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
/etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
/etc/vsftp.ftpusers
USERNAME
anonymous ftp
alternatives
postfix
$ sudo yum install postfix
$ sudo systemctl enable postfix.service
$ sudo echo "root: <admin-email>" >> /etc/aliases
$ sudo newaliases
$ sudo grep "postmaster:\s*root$" /etc/aliases
postmaster: root
/etc/postfix/main.cf
relayhost
relayhost =
inet_interfaces
inet_interfaces =
$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
/etc/fstab
netfs
$ sudo systemctl mask --now netfs.service
rpcbind
$ sudo systemctl mask --now rpcbind.service
all_squash
/etc/exports
ntpd
chronyd
ntp
chrony
Chronyd
Autokey
$ sudo yum install chrony
$ sudo systemctl enable chronyd.service
OPTIONS
/etc/sysconfig/chronyd
-u chrony
OPTIONS="-u chrony"
server
Chrony
/etc/chrony.conf
server <remote-server>
rsyncd
$ sudo systemctl mask --now rsyncd.service
xinetd
$ sudo yum erase xinetd
ypbind
sshd
openssh-server
$ sudo yum install openssh-server
$ sudo yum erase openssh-server
/etc/ssh/*_key
/etc/ssh/*.pub
/etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
$ sudo chmod 0644 /etc/ssh/*.pub
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
UsePrivilegeSeparation
graphical.target
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common