Nobody should be able to read the root
user's files (which could be dangerous scripts), so it is best to sanitize access rights to his home directory:
chmod 700 /root
The /tmp
directory is usually shared by all users on the system (not if you followed this guide). To prevent your users from reading other users files, you should make sure that they are not allowed to execute binaries within the temporary directory:
/tmp type ext4 (rw,nosuid,nodev,noexec,...)
nosuid, nodev and noexec are the important flags
Lynis
is a security auditing and hardening tool giving some recommendations on how to increase security.
Postfix
reveals some information about the system such as the distro type and used MTA. We can disable that:
nano /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP
Compilers should only be accessible by root
as otherwise all users could compile their own software - probably dangerous software.
chmod 750 /usr/bin/as
chmod 750 /usr/bin/gcc