These are the permission changes I made to the filesystem. Modes are in chmod symbolic notation: `o` is "other" (everyone who is neither the owner nor in the file's group), `u-s`/`g-s` clear the setuid/setgid bit. None of the changes are recursive; each listed path (or glob) is changed by itself.
path | mode | reason |
---|---|---|
/proc | o-rx | Prohibit users from viewing processes and services. The mount options for /proc in fstab do not allow the mode to be set at mount time, so I have this scripted in an hourly cron job. Note that removing the execute bit also stops unprivileged processes from reaching their own /proc/self entries, so ps, top and anything that reads /proc/self/… stops working for non-root users; on Linux 3.3 and later the proc `hidepid=2` mount option hides other users' process directories without that side effect. |
/sys | o-rx | /sys contains information about the server that users do not need to know. The mount options for /sys in fstab do not allow the mode to be set at mount time, so I have this scripted in the same hourly cron job. |
/var/tmp /tmp | o-r | Don't let users list other users' files, but still allow writes: the sticky bit and the execute bit stay, so files can still be created and opened by name. On systemd hosts, tmpfiles.d's tmp.conf re-applies 1777 to /tmp and /var/tmp at boot, so this also has to be re-applied or overridden. |
/run | o-r | /run contains pid files and other information about running services and users do not need to know. |
/ | o-r | Yes, that's right: the root of the filesystem is not readable by non-root users. They don't need it. The execute bit stays, so paths under / can still be traversed; only `ls /` fails. |
/etc /etc/sysctl.conf | o-r | Users don't need to know what is in /etc. I also removed read access to sysctl.conf. I would have used o-rx on /etc, but there are files that users and services need to read by name, such as passwd, resolv.conf and group. |
/etc/httpd /etc/sysconfig /etc/yum /etc/yum.repos.d /etc/systemd /etc/wordpress /etc/tmpfiles.d /etc/udev /etc/selinux /etc/security /etc/samba /etc/postfix /etc/modprobe.d /etc/rc.d /etc/nagios /etc/nrpe.d /etc/dovecot /etc/cron* | o-rx | The httpd and wordpress directories are chgrp’d to apache, which is the only account that needs read access. By default, /etc/wordpress contains a world-readable file with database credentials. |
/var /var/log /var/cache /var/lib /var/log/boot.log /var/log/cron* /var/spool /var/spool/anacron /var/spool/mail /var/spool/nagios /var/spool/postfix /var/spool/samba /var/lib/mysql /var/log/wtmp /var/run/utmp /var/log/lastlog | o-r | Many of these should be self-explanatory. This will prevent a hacker from finding information about the system and other users. |
/var/lib/rpm /var/cache/yum /var/db /var/lib/yum /var/lib/rpm-state /var/spool/plymouth /var/www | o-rx | Again, many of these should be self-explanatory. This will prevent a hacker from finding information about the system and other users. The /var/www is chgrp’d to apache. Restricting access to the rpm and yum directories prohibits users from looking at installed packages. |
/dev /dev/shm /dev/mqueue | o-r | Users do not need to know what devices are on the system. /dev/shm and /dev/mqueue are world-writable directories. |
/dev/pts /dev/hugepages /dev/udev | o-rx | More directories that users don't need access to. /dev/pts shows the ttys of logged-in users. Note that a non-root program that allocates its own pseudo-terminal (screen, tmux, script) has to open its slave under /dev/pts, so removing the execute bit for others breaks those for ordinary users. |
/boot | o-rx | Users don’t need to know about the kernel I’m running. |
/media /mnt /srv /opt /home /usr /usr/* /usr/share/man /usr/share/man/* | o-r | More directories that users don't need read access to. Users can still execute commands in /usr/bin; they just can't get a listing of the executables. Execute permission is enough to resolve a known path; read permission is what ls, tab completion and shell globbing need, so anything that relies on listing these directories breaks for non-root users. |
/bin/at /bin/chage /bin/chfn /bin/chsh /bin/mount /bin/umount /bin/Xorg /bin/pkexec /bin/newgrp /bin/su /bin/passwd /bin/gpasswd /bin/crontab /sbin/mount.nfs /sbin/pam_timestamp_check /sbin/seunshare /sbin/unix_chkpwd /sbin/userhelper /sbin/usernetctl | u-s | I removed the setuid bit from many files. Removing it from /bin/mount means mount runs as the invoking user and so, with /proc closed off as above, can no longer list mount points. If I had other users on the system, I would have kept setuid on passwd and crontab, since without it they cannot change their own password or edit their crontab. |
/bin/wall /bin/write /bin/locate | g-s | This removes the setgid bit. Users don't need to run these. |
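
The table above as a script, so it can be re-applied and checked rather than typed in once. This is an added example, not the post's own cron job: `perm_rows`, `apply_perms`, `audit_perms`, `write_hourly_job` and the `ROOT` prefix argument are names chosen here, and the row list is a subset of the table. The prefix lets the same functions be exercised against a scratch tree by an unprivileged user; on the real host they are run as root with `/`.

```sh
#!/bin/sh
# Added example, not the post's own script: re-apply and audit the "other"-bit
# and setuid/setgid removals from the table. ROOT is a hypothetical prefix so
# the same code can be exercised on a scratch tree by an unprivileged user; on
# the real host run it as root with ROOT=/ (e.g. from /etc/cron.hourly, since
# /proc and /sys come back world-readable after every boot or remount).

# One row per line, "<path or glob> <symbolic mode>"; a subset of the table above.
perm_rows() {
    cat <<'EOF'
/proc o-rx
/sys o-rx
/tmp o-r
/var/tmp o-r
/run o-r
/ o-r
/etc o-r
/etc/sysctl.conf o-r
/etc/yum.repos.d o-rx
/var/log o-r
/var/lib/rpm o-rx
/dev o-r
/dev/pts o-rx
/boot o-rx
/usr o-r
/usr/* o-r
/bin/mount u-s
/bin/su u-s
/bin/wall g-s
EOF
}

# Apply every row whose target exists under ROOT. Symbolic chmod only clears
# the named bits, so owner/group bits and the sticky bit on /tmp are untouched.
apply_perms() {
    root=${1%/}                      # "/" becomes "", keeping "$root$path" absolute
    while read -r path mode; do
        for p in "$root"$path; do    # $path unquoted so the /usr/* row expands
            [ -e "$p" ] || continue
            chmod "$mode" "$p"
        done
    done <<EOF
$(perm_rows)
EOF
}

# Report targets that still carry a bit the table removes. Violations go to
# stderr, the count to stdout; returns 1 if there were any, so it can gate
# a cron job or a test.
audit_perms() {
    root=${1%/}
    bad=0
    while read -r path mode; do
        for p in "$root"$path; do
            [ -e "$p" ] || continue
            bits=$(stat -c '%A' "$p")    # e.g. drwxr-xr-x; s/S mark setuid/setgid
            others=${bits#???????}       # last three characters: the "other" triplet
            case "$mode" in
                o-rx) case "$others" in *r*|*x*) bad=$((bad + 1)); echo "$p $bits" >&2 ;; esac ;;
                o-r)  case "$others" in *r*)     bad=$((bad + 1)); echo "$p $bits" >&2 ;; esac ;;
                u-s)  case "$bits" in ???[sS]*)    bad=$((bad + 1)); echo "$p $bits" >&2 ;; esac ;;
                g-s)  case "$bits" in ??????[sS]*) bad=$((bad + 1)); echo "$p $bits" >&2 ;; esac ;;
            esac
        done
    done <<EOF
$(perm_rows)
EOF
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Install the hourly re-apply job the post describes; DIR is /etc/cron.hourly
# on the real host. No suffix on the file name, so run-parts will execute it.
write_hourly_job() {
    cat > "$1/reapply-perms" <<'EOF'
#!/bin/sh
# /proc and /sys cannot take a mode from fstab, so re-impose it every hour.
chmod o-rx /proc /sys
EOF
    chmod 0700 "$1/reapply-perms"
}

# CLI: "reapply-perms.sh apply /" or "reapply-perms.sh audit /"
case "${1-}" in
    apply) apply_perms "${2:-/}" ;;
    audit) audit_perms "${2:-/}" ;;
esac
```

`audit_perms` is the useful half: run it from the same hourly job (or after a package update, which can restore distribution permissions on files such as /bin/mount) and let a non-zero exit tell you something was reset. It checks only the bits the table removes, so a sticky /tmp with mode 1773 is reported as clean.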
In addition to these changes, the logrotate config was modified so that rotated files do not come back with the default permissions.
In /etc/logrotate.conf, the default create mode for wtmp is 0664 (owner root, group utmp). I changed it to 0660. I also added 'create 0600 root root' to the stanza in /etc/logrotate.d/syslog, since without it the rotated logs are recreated world-readable.
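
The two edits in context. This is an added example, not copied from the post; the surrounding lines are the stock CentOS/RHEL 7 stanzas as I know them, so check them against your own files before editing.

```conf
# /etc/logrotate.conf, wtmp stanza
# was: create 0664 root utmp
/var/log/wtmp {
    monthly
    create 0660 root utmp
    minsize 1M
    rotate 1
}

# /etc/logrotate.d/syslog
# added: the create line, so rotated logs are not recreated 0644
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    create 0600 root root
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```

`logrotate -d /etc/logrotate.conf` parses the whole configuration in debug mode without rotating anything, which is the quickest way to confirm the `create` lines were placed inside the right stanza.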