There are many permission changes I made to the filesystem.
| Path(s) | chmod | Why |
|---|---|---|
| /proc | o-rx | Prohibit users from viewing processes and services. The fstab mount options for /proc do not allow setting the mode at mount time, so I have this scripted in an hourly cron job. |
| /sys | o-rx | /sys contains information about the server that users do not need to know. The fstab mount options for /sys do not allow setting the mode at mount time either, so this is also scripted in the hourly cron job. |
| /var/tmp /tmp | o-r | Don’t let users see a listing of other users’ files, but still allow writes. |
| /run | o-r | /run contains pid files and other information about running services that users do not need to know about. |
| / | o-r | Yes, that’s right: the root of the filesystem is not readable for non-root users. They don’t need it. |
| /etc /etc/sysctl.conf | o-r | Users don’t need to know what is in /etc. I also removed read access to sysctl.conf. I would have done o-rx on /etc, but there are files that users and services need to read, such as passwd, resolv.conf, and group. |
| /etc/httpd /etc/sysconfig /etc/yum /etc/yum.repos.d /etc/systemd /etc/wordpress /etc/tmpfiles.d /etc/udev /etc/selinux /etc/security /etc/samba /etc/postfix /etc/modprobe.d /etc/rc.d /etc/nagios /etc/nrpe.d /etc/dovecot /etc/cron* | o-rx | The httpd and wordpress directories are chgrp’d to apache, which is the only account that needs read access. By default, /etc/wordpress contains a world-readable file with database credentials. |
| /var /var/log /var/cache /var/lib /var/log/boot.log /var/log/cron* /var/spool /var/spool/anacron /var/spool/mail /var/spool/nagios /var/spool/postfix /var/spool/samba /var/lib/mysql /var/log/wtmp /var/run/utmp /var/log/lastlog | o-r | Many of these should be self-explanatory. This prevents a hacker from finding information about the system and other users. |
| /var/lib/rpm /var/cache/yum /var/db /var/lib/yum /var/lib/rpm-state /var/spool/plymouth /var/www | o-rx | Again, many of these should be self-explanatory. This prevents a hacker from finding information about the system and other users. /var/www is chgrp’d to apache. Restricting access to the rpm and yum directories prevents users from looking at installed packages. |
| /dev /dev/shm /dev/mqueue | o-r | Users do not need to know what devices are on the system. /dev/shm and /dev/mqueue are world-writable directories. |
| /dev/pts /dev/hugepages /dev/udev | o-rx | More directories that users don’t need access to. /dev/pts contains tty info of logged-in users. |
| /boot | o-rx | Users don’t need to know about the kernel I’m running. |
| /media /mnt /srv /opt /home /usr /usr/* /usr/share/man /usr/share/man/* | o-r | More directories that users don’t need read access to. Users can still execute commands in /usr/bin; they just can’t get a listing of the executables. |
| /bin/at /bin/chage /bin/chfn /bin/chsh /bin/mount /bin/umount /bin/Xorg /bin/pkexec /bin/newgrp /bin/su /bin/passwd /bin/gpasswd /bin/crontab /sbin/mount.nfs /sbin/pam_timestamp_check /sbin/seunshare /sbin/unix_chkpwd /sbin/userhelper /sbin/usernetctl | u-s | I removed the setuid bit from these files. Removing setuid from /bin/mount prevents users from seeing mount points. If I had other users on the system, I would have kept setuid on passwd and crontab. |
| /bin/wall /bin/write /bin/locate | g-s | This removes the setgid bit. Users don’t need to run these. |
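The changes in the table, as an added example script rather than the author's own cron job (which the post does not show): it applies a representative subset of the modes from the table under a configurable root prefix, so the logic can be tried on a scratch tree first, and it includes the two audit checks an hourly job needs, one for paths that have drifted back to world-readable and one for binaries that have regained the setuid bit. The path subset, the `ROOT` prefix, the `--apply` flag and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): apply a subset of the table's
# permission changes and audit for drift.  Paths are resolved under $ROOT
# (default: the real filesystem) so the logic can be exercised on a
# scratch tree first, e.g.   ROOT=/tmp/scratch sh harden.sh --apply
# Without --apply nothing is changed.  A cron line such as
#   0 * * * * root /usr/local/sbin/harden.sh --apply
# re-applies the modes hourly, which /proc and /sys need because fstab
# cannot set them at mount time.  All names here are this example's own.

ROOT="${ROOT:-}"

# apply_mode MODE PATH...: chmod MODE on each path that exists under $ROOT.
apply_mode() {
    mode="$1"; shift
    for p in "$@"; do
        target="${ROOT}${p}"
        if [ -e "$target" ]; then
            chmod "$mode" "$target"
        else
            echo "skip (missing): $target" >&2
        fi
    done
}

# mode_string PATH: the 10-character mode field from ls, e.g. drwxr-x---
mode_string() {
    ls -ld "${ROOT}$1" | cut -c1-10
}

# other_bits PATH: only the "other" triplet, e.g. r-x, --x or -wt
other_bits() {
    mode_string "$1" | cut -c8-10
}

# audit_no_other_read PATH...: report and return 1 if any path is readable
# by "other"; this is the drift check the hourly job should run.
audit_no_other_read() {
    rc=0
    for p in "$@"; do
        case "$(other_bits "$p")" in
            r*) echo "DRIFT: ${ROOT}$p is world-readable" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# audit_no_setuid PATH...: report and return 1 if any file still carries
# the setuid bit (4th character of the mode string is s or S).
audit_no_setuid() {
    rc=0
    for p in "$@"; do
        case "$(mode_string "$p" | cut -c4)" in
            s|S) echo "DRIFT: ${ROOT}$p is setuid" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# harden: a representative subset of the table, not the complete list.
harden() {
    # listing denied, traversal kept: users still reach /usr/bin/* by name
    apply_mode o-r / /tmp /var/tmp /run /etc /var /var/log /dev /home /usr
    # neither listing nor traversal
    apply_mode o-rx /proc /sys /boot /etc/yum.repos.d /var/lib/rpm /var/www
    # setuid/setgid bits the table removes
    apply_mode u-s /bin/mount /bin/umount /bin/su /bin/at
    apply_mode g-s /bin/wall /bin/write /bin/locate
}

if [ "${1:-}" = "--apply" ]; then
    harden
    audit_no_other_read /proc /sys /etc /var/log
    audit_no_setuid /bin/mount /bin/umount
fi
```

Keeping `o-r` and `o-rx` separate in `harden` matters: a directory with `--x` for others can still be traversed by exact path name (which is why `/usr/bin/ls` keeps working after `chmod o-r /usr`), whereas `---` blocks both listing and traversal. The audits only look at the "other" triplet and the setuid character, so they stay correct on files with sticky bits or ACL markers in the `ls` output.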
In addition to these changes, the logrotate configuration was modified so that rotated files do not come back with the default permissions.
In /etc/logrotate.conf, the default create mode for wtmp is 0664; I changed it to 0660. I also added ‘create 0600 root root’ to /etc/logrotate.d/syslog.
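The logrotate point above, as an added example that is not from the post: a small audit that scans logrotate configuration files for `create MODE OWNER GROUP` directives whose mode still grants anything to "other", plus a filter that clears that last octal digit. This is how a tightened wtmp or syslog would otherwise silently return to world-readable at the next rotation. The sample configuration is constructed here to resemble a stock wtmp stanza; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): flag logrotate 'create MODE OWNER GROUP'
# directives whose mode grants anything to "other".  Rotation recreates the
# log with that mode, so a chmod on the live file is undone at the next
# rotation unless the directive is tightened too.  Names are this example's own.

# audit_logrotate_create FILE...: print each offending directive as
# file:line: text; return 1 if any were found, 0 otherwise.
audit_logrotate_create() {
    awk '
        $1 == "create" && $2 ~ /^[0-7]+$/ {
            other = substr($2, length($2), 1)   # last octal digit = other bits
            if (other != "0") {
                print FILENAME ":" FNR ": " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$@"
}

# tighten_create FILE: copy FILE to stdout with the "other" digit of every
# numeric create mode set to 0 (0664 -> 0660, 0600 stays 0600).
tighten_create() {
    sed -E 's/^([[:space:]]*create[[:space:]]+[0-7]*)[0-7]/\10/' "$1"
}

# write_sample FILE: constructed sample config with one stanza still at the
# stock 0664 and one already tightened to 0600.
write_sample() {
    cat > "$1" <<'EOF'
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}
/var/log/messages {
    missingok
    create 0600 root root
}
EOF
}
```

Run it as `audit_logrotate_create /etc/logrotate.conf /etc/logrotate.d/*` from the same hourly job that re-applies the directory modes; a bare `create` with no mode (logrotate then inherits the old file's mode) is deliberately left alone, since it is the explicit world-readable modes that defeat the chmod.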