Do Not Allow SSH Environment Options
To ensure users are not able to present
environment options to the SSH daemon, add or correct the following line
Ensure auditd Collects File Deletion Events by User
At a minimum the audit system should collect file deletion events
for all users and root. If the 'auditd' daemon is configured to use the
'augenrules' program to read audit rules during daemon startup (the
default), add the following line to a file with suffix '.rules' in the
directory '/etc/audit/rules.d', setting ARCH to either b32 or b64 as
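The following is an added example, not part of the guide: a small script that renders the deletion rule for both syscall tables and installs it as a '.rules' file for 'augenrules'. The file name '30-delete.rules', the function names and the sample 'login.defs' content are this example's own choices. It emits both b32 and b64 because on a 64-bit kernel with 32-bit compat enabled a 32-bit binary calling unlink() hits the b32 table, so a b64-only rule never fires; 'auid' is the login UID, which survives 'su' and 'sudo', so a user who escalates to root is still attributed, while 'auid!=unset' drops daemons and kernel threads that have no login session.

```shell
#!/bin/sh
# Added example (not from the guide): render the user file-deletion audit
# rules for both arches and write them where augenrules will pick them up.
# The demo below operates on a constructed login.defs and a temp directory;
# on a real host pass /etc/login.defs and /etc/audit/rules.d as root.

# uid_min_from LOGIN_DEFS: print UID_MIN from a login.defs file, 1000 if absent.
uid_min_from() {
    v=$(awk '$1 == "UID_MIN" { print $2; exit }' "$1" 2>/dev/null || :)
    echo "${v:-1000}"
}

# emit_delete_rules UID_MIN: one rule per syscall table.
#   -F auid>=UID_MIN  : ordinary login users (auid is the login UID, kept
#                        across su/sudo, so escalation to root is still logged)
#   -F auid!=unset    : skip processes with no login session (daemons);
#                        older auditctl spells this -F auid!=4294967295
#   -F key=delete     : tag for ausearch -k delete
# renameat2 can be appended to the -S list where auditctl knows the name.
emit_delete_rules() {
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S rmdir,unlink,unlinkat,rename,renameat -F auid>=$1 -F auid!=unset -F key=delete"
    done
}

# write_delete_rules RULES_DIR UID_MIN: write RULES_DIR/30-delete.rules
# (RULES_DIR is /etc/audit/rules.d on a real host) and print the path.
write_delete_rules() {
    out="$1/30-delete.rules"
    {
        echo "## Collect file deletion events by user (added example)"
        emit_delete_rules "$2"
    } > "$out" || return 1
    echo "$out"
}

# Stand-alone demo on constructed input, not the live host.
demo=$(mktemp -d)
printf '%s\n' '# constructed login.defs sample' 'UID_MIN 1000' 'UID_MAX 60000' > "$demo/login.defs"
rules=$(write_delete_rules "$demo" "$(uid_min_from "$demo/login.defs")")
cat "$rules"
# On the real host afterwards:
#   augenrules --load && auditctl -l | grep 'key=delete'
#   touch /tmp/probe && rm /tmp/probe && ausearch -k delete -i
```

The last two commented commands are the check a practitioner should run: 'auditctl -l' confirms the kernel accepted both rules, and the touch/rm probe followed by 'ausearch -k delete -i' confirms events are actually being written before the change is signed off.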
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
The 'rsyslog' daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
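As an added example, not part of the guide, the script below scans rsyslog configuration for active network-listener directives. Its regular expression, function names and sample files are this example's own. It covers both the legacy '$ModLoad' syntax and the RainerScript 'module()'/'input()' syntax, because a main 'rsyslog.conf' with the legacy lines commented out can still listen through a RainerScript snippet dropped into '/etc/rsyslog.d/', and it includes the plain-TCP 'imptcp' module, which checks that only look for 'imtcp' and 'imudp' tend to miss.

```shell
#!/bin/sh
# Added example (not from the guide): report active rsyslog listeners.
# Legacy ($ModLoad imudp / $UDPServerRun, $ModLoad imtcp / $InputTCPServerRun,
# $ModLoad imptcp / $InputPTCPServerRun) and RainerScript (module(load="im...")
# / input(type="im...")) forms are both matched. The quote character in
# RainerScript values is matched with "." so "imtcp" and 'imtcp' both count.
LISTENER_RE='^[[:space:]]*(\$ModLoad[[:space:]]+im(udp|tcp|ptcp)|\$(UDP|InputTCP|InputPTCP)ServerRun|module\([[:space:]]*load=.im(udp|tcp|ptcp)|input\([[:space:]]*type=.im(udp|tcp|ptcp))'

# rsyslog_listeners [FILE...]: print file:line:text for every active listener
# directive. With no arguments it scans the standard configuration paths.
rsyslog_listeners() {
    [ $# -eq 0 ] && set -- /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    grep -nHE "$LISTENER_RE" "$@" 2>/dev/null
}

# check_rsyslog_no_listeners [FILE...]: return 0 when nothing is configured
# to listen (what this rule wants on a host that is not a log server), 1 otherwise.
check_rsyslog_no_listeners() {
    if rsyslog_listeners "$@" >/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone demo on constructed files (not copied from any real host).
demo=$(mktemp -d)
printf '%s\n' '# legacy listener lines left commented out: acceptable' \
    '#$ModLoad imudp' '#$UDPServerRun 514' 'module(load="imuxsock")' \
    '*.info;mail.none /var/log/messages' > "$demo/hardened.conf"
printf '%s\n' 'module(load="imtcp")' 'input(type="imtcp" port="514")' \
    '$ModLoad imptcp' '$InputPTCPServerRun 10514' > "$demo/listening.conf"
for f in "$demo/hardened.conf" "$demo/listening.conf"; do
    if check_rsyslog_no_listeners "$f"; then
        echo "PASS $f"
    else
        echo "FAIL $f"
        rsyslog_listeners "$f"
    fi
done
# Configuration is only half the check. Confirm at runtime with
#   ss -lntup | grep rsyslogd
# and expect nothing bound to 514/udp, 514/tcp or any other port unless
# this host really is the log server.
```

Extend 'LISTENER_RE' with 'imrelp' or 'imgssapi' if those input modules are installed; they also open sockets. On a designated log server, the same function documents exactly which lines grant the exception.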
Enable auditd Service
The 'auditd' service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
The 'auditd' service can be enabled with the following command:
'$ sudo systemctl enable auditd'
Configure auditd mail_acct Action on Low Disk Space
The 'auditd' service can be configured to send email to
a designated account when the audit log partition runs low on space. Add or correct the following line
in '/etc/audit/auditd.conf' so that administrators are notified
by email in that situation (the address is only used when 'space_left_action' or
'admin_space_left_action' is set to 'email', and mail to root must actually be deliverable on the host):
'action_mail_acct = root'
Disable Certmonger Service (certmonger)
Certmonger is a D-Bus based service that simplifies interaction
with certificate authorities on networks that use a public-key infrastructure. It is often
combined with Red Hat's IPA (Identity, Policy, Audit) security information management
solution to aid in the management of certificates.
The 'certmonger' service can be disabled with the follow ...
Disable ntpdate Service (ntpdate)
The 'ntpdate' service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
'/etc/ntp/step-tickers' or '/etc/ntp.conf'
and then sets the local hardware clock to the newly synchronized
The 'ntpdate' service can be disabled with the following command:
'$ sudo systemctl disable ...
Ensure that the following line exists in
Configure logwatch or other log monitoring tools to summarize error conditions
reported by the dhcpd process.
Disable FTP Uploads if Possible
Is there a mission-critical reason for users to upload files via FTP? If not,
edit the vsftpd configuration file to add or correct the following configuration options:
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.
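Three of the rules above ("Do Not Allow SSH Environment Options", "Configure auditd mail_acct Action on Low Disk Space" and "Disable FTP Uploads if Possible") all reduce to "add or correct the following line" in a key/value configuration file. The script below is an added example, not part of the guide, of doing that idempotently: the helper and function names are this example's own, and it is run here against constructed temporary copies rather than the live files. The directives it applies are 'PermitUserEnvironment no' in 'sshd_config' (the sshd keyword that controls user-supplied environment options), 'action_mail_acct = root' in 'auditd.conf' as given above, and 'write_enable=NO' in the vsftpd configuration (the vsftpd option that controls uploads).

```shell
#!/bin/sh
# Added example (not from the guide): an idempotent "add or correct this line"
# helper for the key/value configuration files referenced above. The demo
# edits constructed temporary copies; point the functions at
# /etc/ssh/sshd_config, /etc/audit/auditd.conf and /etc/vsftpd/vsftpd.conf
# (as root) only after reviewing the result on a copy.

# set_directive FILE KEY VALUE SEP
#   SEP is the separator the file uses between key and value:
#   " " for sshd_config ("Key value"), " = " for auditd.conf, "=" for vsftpd.
#   The first existing line for KEY, active or commented out, is replaced in
#   place, later duplicates are dropped (sshd honours the first occurrence,
#   so a stray duplicate lower down would otherwise be silently ignored),
#   and the line is appended when KEY is absent.
#   Caveats: matching is case-sensitive (sshd keywords are not), and
#   sshd_config "Match" blocks are not understood; a directive inside one
#   still overrides the global setting and must be reviewed by hand.
set_directive() {
    file=$1; key=$2; value=$3; sep=$4
    tmp="$file.$$.tmp"
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        BEGIN { rx = "^[ \t]*#?[ \t]*" key "[ \t=]"; done = 0 }
        $0 ~ rx { if (!done) { print key sep value; done = 1 }; next }
        { print }
        END { if (!done) print key sep value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: print the value of the first active (uncommented)
# line for KEY, with the separator stripped; empty if KEY is not set.
get_directive() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && $0 ~ ("^[ \t]*" key "[ \t=]") {
            sub("^[ \t]*" key "[ \t=]+", ""); print; exit
        }' "$1"
}

# setup_demo: build constructed sample files in a temp dir, apply the three
# settings, apply one of them twice to prove idempotence, print the directory.
setup_demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sshd_config sample' \
        'PermitUserEnvironment yes' 'X11Forwarding no' > "$work/sshd_config"
    printf '%s\n' 'log_file = /var/log/audit/audit.log' \
        'action_mail_acct = nobody' > "$work/auditd.conf"
    printf '%s\n' 'anonymous_enable=NO' 'write_enable=YES' > "$work/vsftpd.conf"

    set_directive "$work/sshd_config" PermitUserEnvironment no " "
    set_directive "$work/auditd.conf"  action_mail_acct root " = "
    set_directive "$work/vsftpd.conf"  write_enable NO "="
    # A second application must not add a duplicate line.
    set_directive "$work/sshd_config" PermitUserEnvironment no " "
    echo "$work"
}

# Stand-alone run: show the corrected files.
demo_dir=$(setup_demo)
for f in sshd_config auditd.conf vsftpd.conf; do
    echo "== $f"
    cat "$demo_dir/$f"
done
# On a real host, verify what the daemon actually sees rather than the file:
#   sshd -T | grep -i permituserenvironment
# then reload the service so the change takes effect.
```

The 'sshd -T' check matters because it prints the effective configuration after parsing, so it catches the case the helper cannot: a 'Match' block, an 'Include'd file, or a case-variant spelling that overrides the line just written.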