Make the auditd Configuration Immutable
Add the following to '/etc/audit/audit.rules' in order
to make the configuration immutable:
With this setting, a reboot will be required to change any
Disable Web Server Configuration Display
The 'info' module creates a web page illustrating the configuration of the web server. This
can create an unnecessary security leak and should be disabled.
If its functionality is unnecessary, comment out the module:
'#LoadModule info_module modules/mod_info.so'
If there is a critical need for this module, use the 'Location' directive to provide
an access ...
Configure SNMP Service to Use Only SNMPv3 or Newer
Edit '/etc/snmp/snmpd.conf', removing any references to 'rocommunity', 'rwcommunity', or 'com2sec'.
Upon doing that, restart the SNMP service:
'$ sudo service snmpd restart'
Enable the SSL flag in /etc/dovecot.conf
To allow clients to make encrypted connections the 'ssl'
flag in Dovecot's configuration file needs to be set to 'yes'.
Edit '/etc/dovecot/conf.d/10-ssl.conf' and add or correct the following line:
'ssl = yes'
Ensure tftp Daemon Uses Secure Mode
If running the 'tftp' service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
'/etc/xinetd.d/tftp' includes '-s' as a command line argument, as shown in
the following example (which is also the default):
'server_args = -s /var/lib/tftpboot'
Configure auditd admin_space_left Action on Low Disk Space
The 'auditd' service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file '/etc/audit/auditd.conf'. Add or modify the following line,
Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
Ensure that no line in '/etc/exports' contains the option 'no_root_squas ...