Filesystem security on mkirby.org

Below are the permission changes I made to the filesystem. The mode column is the chmod argument I used: o-r removes read for "other" (everyone who is not the owner or in the group), o-rx removes read and execute/search, and u-s and g-s clear the setuid and setgid bits. Removing read from a directory hides its listing; removing execute also blocks traversal, so nothing under it can be opened even by name.

path(s)  mode
    reason

/proc  o-rx
    Prohibit users from viewing processes and services. The fstab mount options for /proc give no way to set the mode of the mount point, so I have this scripted in an hourly cronjob. (procfs has its own hidepid= mount option for hiding other users' process entries; that is not what is used here.)

/sys  o-rx
    /sys contains information about the server that users do not need to know. As with /proc, the mode cannot be set through the fstab mount options, so the same hourly cronjob reapplies it.

/var/tmp /tmp  o-r
    Don't allow users to see the list of other users' files, but still allow write. The sticky bit and write access are untouched, so programs can still create files there; only the listing is gone.

/run  o-r
    /run contains pid files and other information about running services that users do not need to know.

/  o-r
    Yes. That's right. The root of the filesystem is not readable by non-root users. They don't need it. Execute (search) permission is kept, so paths under / still resolve; users just can't list it.

/etc /etc/sysctl.conf  o-r
    Users don't need to know what is in /etc. I also removed read access to sysctl.conf. I would have done o-rx on /etc, but there are files that users and services need to read, such as passwd, resolv.conf, and group, and opening those by name requires the directory to stay searchable.

/etc/httpd /etc/sysconfig /etc/yum /etc/yum.repos.d /etc/systemd /etc/wordpress /etc/tmpfiles.d /etc/udev /etc/selinux /etc/security /etc/samba /etc/postfix /etc/modprobe.d /etc/rc.d /etc/nagios /etc/nrpe.d /etc/dovecot /etc/cron*  o-rx
    The httpd and wordpress directories are chgrp'd to apache, which is the only account that needs read access; with o-rx, only root and the apache group can get into them. By default, /etc/wordpress contains a world-readable file with database credentials.

/var /var/log /var/cache /var/lib /var/log/boot.log /var/log/cron* /var/spool /var/spool/anacron /var/spool/mail /var/spool/nagios /var/spool/postfix /var/spool/samba /var/lib/mysql /var/log/wtmp /var/run/utmp /var/log/lastlog  o-r
    Many of these should be self-explanatory. This prevents an attacker from finding information about the system and other users. Note that taking read from wtmp, utmp and lastlog also stops non-root users from running last, who and w, which read those files.

/var/lib/rpm /var/cache/yum /var/db /var/lib/yum /var/lib/rpm-state /var/spool/plymouth /var/www  o-rx
    Again, many of these should be self-explanatory. This prevents an attacker from finding information about the system and other users. /var/www is chgrp'd to apache. Restricting access to the rpm and yum directories prohibits users from looking at the installed package list (rpm -qa needs to read the rpm database).

/dev /dev/shm /dev/mqueue  o-r
    Users do not need to know what devices are on the system. /dev/shm and /dev/mqueue are world-writable directories; o-r leaves them writable but not listable.

/dev/pts /dev/hugepages /dev/udev  o-rx
    More directories that users don't need access to. /dev/pts contains the ttys of logged-in users.

/boot  o-rx
    Users don't need to know which kernel I'm running.

/media /mnt /srv /opt /home /usr /usr/* /usr/share/man /usr/share/man/*  o-r
    More directories that users don't need read access to. Users can still execute commands in /usr/bin; they just can't get a listing of the executables (which also means shell tab completion of command names stops working for them, since it needs that listing).

/bin/at /bin/chage /bin/chfn /bin/chsh /bin/mount /bin/umount /bin/Xorg /bin/pkexec /bin/newgrp /bin/su /bin/passwd /bin/gpasswd /bin/crontab /sbin/mount.nfs /sbin/pam_timestamp_check /sbin/seunshare /sbin/unix_chkpwd /sbin/userhelper /sbin/usernetctl  u-s
    I removed the suid bit from many files. Combined with the /proc change above, removing suid from /bin/mount keeps users from listing mountpoints: an unprivileged mount can no longer read the kernel's mount table. If I had other users on the system, I would have kept suid on passwd and crontab, since without it they can't change their own password or edit their own crontab.

/bin/wall /bin/write /bin/locate  g-s
    This clears the setgid bit. Users don't need to run these.
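The table above is a long list of chmod calls that package updates and log rotation will quietly undo, so the two things worth scripting are applying it in one pass and auditing for drift afterwards. The script below is an added example, not the mkirby.org author's cron job: it encodes the rows of the table as data, applies them to a tree rooted at a path you give it (so it can be rehearsed on a scratch copy before touching /), and reports any path whose bits have come back. It assumes a POSIX sh with GNU coreutils (chmod and stat -c, with BSD stat as a fallback); the function names, the crontab line and the hidepid= remark in the comments are mine, not the page's.

```shell
#!/bin/sh
# Added example, not the mkirby.org author's script. Applies the permission
# table above to a tree rooted at $1 and audits it for drift. Assumes a POSIX
# sh with GNU coreutils (chmod, stat -c), with BSD stat as a fallback. Running
# it with a ROOT other than / lets you rehearse on a scratch copy first.
set -u

# One rule per line: <chmod symbolic mode> <paths relative to ROOT, globs allowed>.
# The rows mirror the table on this page.
HARDEN_RULES='
o-rx proc sys
o-r  var/tmp tmp run .
o-r  etc etc/sysctl.conf
o-rx etc/httpd etc/sysconfig etc/yum etc/yum.repos.d etc/systemd etc/wordpress
o-rx etc/tmpfiles.d etc/udev etc/selinux etc/security etc/samba etc/postfix
o-rx etc/modprobe.d etc/rc.d etc/nagios etc/nrpe.d etc/dovecot etc/cron*
o-r  var var/log var/cache var/lib var/log/boot.log var/log/cron* var/spool
o-r  var/spool/anacron var/spool/mail var/spool/nagios var/spool/postfix var/spool/samba
o-r  var/lib/mysql var/log/wtmp var/run/utmp var/log/lastlog
o-rx var/lib/rpm var/cache/yum var/db var/lib/yum var/lib/rpm-state var/spool/plymouth var/www
o-r  dev dev/shm dev/mqueue
o-rx dev/pts dev/hugepages dev/udev
o-rx boot
o-r  media mnt srv opt home usr usr/* usr/share/man usr/share/man/*
u-s  bin/at bin/chage bin/chfn bin/chsh bin/mount bin/umount bin/Xorg bin/pkexec
u-s  bin/newgrp bin/su bin/passwd bin/gpasswd bin/crontab sbin/mount.nfs
u-s  sbin/pam_timestamp_check sbin/seunshare sbin/unix_chkpwd sbin/userhelper sbin/usernetctl
g-s  bin/wall bin/write bin/locate
'

# Octal mode of a path, e.g. 4755 for a setuid binary, 1777 for /tmp.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Run "<callback> <mode> <path>" for every existing path the rules name under ROOT $1.
# A here-document (not a pipe) keeps the loop in the current shell so callbacks
# can update variables such as $drift.
for_each_rule_path() {
  root=$1; fn=$2
  while read -r mode paths; do
    [ -n "$mode" ] || continue
    for rel in $paths; do
      for p in "$root"/$rel; do            # unquoted $rel so globs like etc/cron* expand
        if [ -e "$p" ]; then "$fn" "$mode" "$p"; fi
      done
    done
  done <<EOF
$HARDEN_RULES
EOF
}

_harden_one() { chmod "$1" "$2"; }
harden_tree() { for_each_rule_path "$1" _harden_one; }

# Audit: report every path whose bits have come back (package updates and
# logrotate are the usual culprits). Returns 0 if clean, 1 if anything drifted.
_audit_one() {
  m=$(mode_of "$2")
  other=${m#"${m%?}"}                      # last octal digit: the "other" bits
  special=0; case $m in ????) special=${m%???};; esac   # leading digit: suid(4)/sgid(2)/sticky(1)
  bad=0
  case $1 in
    o-r)  case $other in [4-7]) bad=1;; esac ;;     # read still set for others
    o-rx) case $other in [13-7]) bad=1;; esac ;;    # read or execute still set for others
    u-s)  case $special in [4-7]) bad=1;; esac ;;   # setuid still set
    g-s)  case $special in [2367]) bad=1;; esac ;;  # setgid still set
  esac
  if [ "$bad" -eq 1 ]; then echo "drift: $2 is $m, expected $1"; drift=$((drift + 1)); fi
}
audit_tree() {
  drift=0
  for_each_rule_path "$1" _audit_one
  [ "$drift" -eq 0 ]
}

# /proc and /sys get their mode from the kernel when mounted, so chmod on them
# does not survive a reboot; the page reapplies it hourly. One way to schedule
# that (an assumption, not the page's crontab):  0 * * * * root chmod o-rx /proc /sys
reapply_pseudo_fs() {
  chmod o-rx /proc /sys
  # procfs alternative worth testing on your kernel: "mount -o remount,hidepid=2 /proc"
  # hides other users' /proc/<pid> entries without altering the mount root's mode.
}

# Usage (run as root on the live system, or against a scratch copy):
#   harden_tree / && audit_tree /
```

Running audit_tree from the same hourly cron job that reapplies /proc and /sys turns the table into a check rather than a one-off: any row that a package upgrade or a logrotate "create" line has reverted shows up as a drift line, which is exactly the failure mode the logrotate change below is guarding against.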

In addition to these changes, the logrotate config was modified so that rotated files do not come back with the default permissions; otherwise each rotation would recreate the log with its old mode and undo the chmod above.
In /etc/logrotate.conf, the default create mode for wtmp is 0664. I changed it to 0660. I also added 'create 0600 root root' to /etc/logrotate.d/syslog.