
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

12 votes
1 answers
17861 views
What are the groups 'users' and 'other' for?
There is a proprietary document about system hardening/security standard stating that group users, nogroup, other, and some other groups should not contain any user except system administrators. I've found an explanation about the nogroup group [here](https://unix.stackexchange.com/questions/22520/what-is-nogroup-groups-purpose). What are the users and other groups for? Why should regular (non-administrator) users not be members of these groups? The distro is RHEL (Red Hat Enterprise Linux).
fikr4n (1001 rep)
Nov 29, 2016, 07:21 AM • Last activity: Jul 22, 2025, 03:01 PM
2 votes
1 answers
86 views
How does a cgroup namespace work?
I’m trying to understand how cgroup namespaces work, but I’m stuck on something that doesn’t make sense to me. My understanding is that a cgroup namespace should virtualize the cgroup hierarchy for a process, so that the process sees its current cgroup as / and doesn’t see the full host hierarchy. So I tried to create a cgroup namespace like this:
sudo unshare --cgroup

cat /proc/self/cgroup
0::/

echo $$
3183
Then, from another terminal on the host, I checked the cgroup for that process:
cat /proc/3183/cgroup 
0::/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-ffe09412-f0d6-413e-b480-6d14f1290f84.scope
This matches what the man page says:
Cgroup namespaces virtualize the view of a process's cgroups (see cgroups(7)) as seen via /proc/[pid]/cgroup and /proc/[pid]/mountinfo.

Each cgroup namespace has its own set of cgroup root directories.
These root directories are the base points for the relative locations displayed in the corresponding records in the /proc/[pid]/cgroup file.
However, when I create a new cgroup inside my cgroup namespace, it appears in the host’s hierarchy too:
# Inside the namespace:
mkdir /sys/fs/cgroup/test

# On the host:
ls /sys/fs/cgroup/
...
test
...
So it seems that the entire host hierarchy is still visible and any new cgroup I make is visible system-wide. There’s no real isolation — from inside the namespace I can still see and modify all the host’s cgroups. I also tried combining it with a user namespace to avoid sudo but the result is the same:
unshare --map-root-user
unshare --cgroup
ls /sys/fs/cgroup/
Again, I see the full host hierarchy. So my questions are:
- Am I misunderstanding how cgroup namespaces are supposed to work?
- Is the cgroup namespace not designed to isolate the entire hierarchy like mount or PID namespaces do?
- Is there a correct way to use them to limit what cgroups are visible or writable?
Any clarification would be really appreciated!
Liric Ramer (85 rep)
Jun 27, 2025, 10:22 AM • Last activity: Jun 29, 2025, 09:52 AM
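Added example, not code from the question above: the cgroup namespace only rewrites the paths shown in /proc/PID/cgroup relative to the namespace root; the cgroup2 filesystem mount the process inherited is untouched, which is why the asker still sees and can create host cgroups. Hiding the rest of the hierarchy needs a mount namespace plus a fresh cgroup2 mount, which the kernel roots at the namespace's cgroup. Whether a process can write to a cgroup is a matter of file ownership (delegation), not of the namespace. The helper below mirrors the path rewriting described in cgroup_namespaces(7); the root-only demo assumes a cgroup v2 host, util-linux unshare, and uses an arbitrary cgroup called "demo".

```shell
#!/bin/sh
# Added example, not code from the original post. Two parts: a helper that
# mirrors how cgroup_namespaces(7) rewrites /proc/PID/cgroup paths, and a
# root-only demonstration of the extra step (a mount namespace plus a fresh
# cgroup2 mount) that actually hides the rest of the host hierarchy.
# Assumes a cgroup v2 host; the cgroup name "demo" is arbitrary.

# cgroup_ns_view HOST_PATH NS_ROOT: the path a process sees for the cgroup
# HOST_PATH inside a cgroup namespace rooted at NS_ROOT. Cgroups under the
# root are shown relative to it; cgroups outside it get one "/.." per level
# that has to be climbed from the root.
cgroup_ns_view() {
    host_path=$1 ns_root=$2
    if [ "$ns_root" = / ]; then printf '%s\n' "$host_path"; return; fi
    case $host_path in
        "$ns_root")   printf '/\n' ;;
        "$ns_root"/*) printf '%s\n' "${host_path#"$ns_root"}" ;;
        *)
            up=''; p=$ns_root
            while [ -n "$p" ] && [ "${host_path#"$p"/}" = "$host_path" ]; do
                p=${p%/*}; up="$up/.."
            done
            printf '%s/%s\n' "$up" "${host_path#"$p"/}"
            ;;
    esac
}

# Root only. The cgroup namespace alone keeps the host's cgroup2 mount in
# view; a new mount namespace with a fresh cgroup2 mount shows only the
# subtree below the namespace root, which is the cgroup we move into first.
demo_isolated_view() {
    mkdir -p /sys/fs/cgroup/demo
    echo $$ > /sys/fs/cgroup/demo/cgroup.procs
    unshare --cgroup --mount --propagation private sh -c '
        mount -t cgroup2 cgroup2 /sys/fs/cgroup   # fresh mount, rooted at "demo"
        cat /proc/self/cgroup                      # prints 0::/
        ls /sys/fs/cgroup                          # only "demo" contents, no host slices
    '
}

# Usage: sudo sh cgroup-view.sh --demo
if [ "${1:-}" = --demo ]; then demo_isolated_view; fi
```

Writes are a separate concern: to let an unprivileged user manage only its subtree, chown that subtree's directory and its cgroup.procs/cgroup.subtree_control to the user (cgroup v2 delegation); the namespace does not change who may write where.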
0 votes
1 answers
115 views
Effective Tools for Enhancing CentOS Server Security
I’m seeking practical recommendations and tools to improve the security of my Linux server (CentOS) and minimize unauthorized access. I’m interested in both fundamental and advanced solutions that can be easily integrated and configured. Specifically, I need:
* Protection Against Unauthorized Access: What tools and practices are most effective for preventing hacking and intrusion into the server? This includes authentication methods (e.g., two-factor authentication) and tools for monitoring activity and detecting suspicious behavior.
What I’ve Tried: I experimented with SELinux, but when attempting to set the strictest security level (“military level”), the server failed to boot after rebooting. I likely made a configuration error. I would appreciate detailed guidance on correctly configuring SELinux, or alternative approaches to kernel-level security hardening.
What Kind of Answers I’m Looking For:
* Recommendations for specific tools, including open-source alternatives.
* Detailed instructions on how to configure and use these tools.
* Example configurations for different security levels (from basic to advanced).
* Alternatives to SELinux for kernel-level security enhancement.
ScriptScorpion (119 rep)
Jun 14, 2025, 03:09 PM • Last activity: Jun 15, 2025, 07:26 AM
1 votes
0 answers
17 views
systemd PrivateIPC setting errors "Operation not permitted"
Setting [PrivateIPC=true](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateIPC=) in a user systemd service causes following to be printed in journal:
(myservice)[69619]: myservice.service: PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: Operation not permitted
(myservice)[69619]: myservice.service: Failed to set up mount namespacing: /dev/mqueue: Operation not permitted
(myservice)[69619]: myservice.service: Failed at step NAMESPACE spawning myservice: Operation not permitted
The linked documentation above mentions:
> This option is only available for system services, or for services running in per-user instances of the service manager in which case PrivateUsers= is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the "kernel.unprivileged_userns_clone=" sysctl)
$ cat /proc/sys/kernel/unprivileged_userns_clone
1
Also other settings with the same caveat, e.g. [PrivateNetwork](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=), seem to work. What gives - why are the errors above shown?
laur (790 rep)
May 12, 2025, 12:45 PM • Last activity: May 12, 2025, 04:35 PM
4 votes
1 answers
126 views
sandobxing with systemd PrivateNetwork - how to enable X11 connection?
The goal is to create a generic sandboxing systemd .conf file to be included as a snippet to application unit files in order to harden/sandbox them. One major requirement is to block all network access from the application to the outside world, and preferably also locally. One option is setting [PrivateNetwork=true](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=), but this breaks the graphical applications that are no longer able to connect to the X server:
Warning: [qt.qpa.xcb] QtWarning: could not connect to display :0
Warning: [qt.qpa.plugin] QtWarning: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin
Is there a way to use PrivateNetwork with GUI programs?

---

As an alternative I'm considering the following two settings:
# restricts the network interfaces that processes of this unit can use:
RestrictNetworkInterfaces=lo
# block all network traffic, including localhost:
IPAddressDeny=any
Is this alternative good enough for my requirement? Is PrivateNetwork still even required with these settings?
laur (790 rep)
May 12, 2025, 12:27 PM • Last activity: May 12, 2025, 12:58 PM
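Added example, not code from the question or from systemd: PrivateNetwork=yes puts the service into its own network namespace, and abstract unix sockets belong to the network namespace, so the abstract X socket an X client tries first is gone; the client then depends on the filesystem socket /tmp/.X11-unix/Xn being visible, which a snippet that also sets PrivateTmp=yes hides. IPAddressDeny=any plus RestrictNetworkInterfaces=lo reaches the stated goal (no IP traffic, loopback included) without a new network namespace, so unix sockets keep working and PrivateNetwork= is not needed for that goal; IPAddressDeny= is enforced with a cgroup BPF program, so it needs the unified cgroup hierarchy and kernel BPF cgroup support. The script below assumes the default Xorg socket location and that the reader picks the unit the drop-in belongs to.

```shell
#!/bin/sh
# Added example, not from the original post. Works out how an X client will
# reach the server for a DISPLAY value, then emits a systemd drop-in that
# blocks IP traffic while keeping that path open. Assumes the default Xorg
# socket location /tmp/.X11-unix/X<n>; the drop-in is written to stdout so
# the unit name is up to you.

# x11_transport DISPLAY: prints "unix <socket path>" or "tcp <host> <port>".
# DISPLAY is [host]:display[.screen]. With no host (or "unix") libxcb tries
# the abstract socket @/tmp/.X11-unix/Xn first and then the file of the same
# name; a host name means TCP port 6000+display.
x11_transport() {
    display=$1
    host=${display%%:*}; rest=${display#*:}
    if [ "$rest" = "$display" ]; then echo "invalid DISPLAY: $display" >&2; return 1; fi
    num=${rest%%.*}
    case $num in ''|*[!0-9]*) echo "invalid DISPLAY: $display" >&2; return 1 ;; esac
    case $host in
        ''|unix) printf 'unix /tmp/.X11-unix/X%s\n' "$num" ;;
        *)       printf 'tcp %s %s\n' "$host" "$((6000 + num))" ;;
    esac
}

# sandbox_dropin SOCKET: drop-in that denies all IP traffic (loopback
# included) without a private network namespace, so unix sockets still work.
# The BindPaths= line only matters when PrivateTmp=yes is also in the
# snippet and would otherwise hide the X socket from the service.
sandbox_dropin() {
    sock=$1
    cat <<EOF
[Service]
IPAddressDeny=any
RestrictNetworkInterfaces=lo
BindPaths=$sock
Environment=DISPLAY=:${sock##*/X}
EOF
}

# Usage: sh x11-sandbox.sh > ~/.config/systemd/user/app.service.d/10-net.conf
set -- $(x11_transport "${DISPLAY:-:0}")
if [ "${1:-}" = unix ]; then
    sandbox_dropin "$2"
else
    echo "DISPLAY=${DISPLAY:-:0} is TCP; an IP deny list will block it too" >&2
fi
```

After installing the drop-in, run systemctl --user daemon-reload and check the result with systemd-analyze --user security on the unit; if the application only needs the display, nothing in the snippet has to be relaxed for it.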
1 votes
2 answers
2305 views
Using IPTables to Block Ports to Class A Subnets While Allowing Web Ports (80/443)
This is about a cPanel server which, like most servers, is under constant attack from lands afar. Considering that I only host to clients in the US and Canada, there is less of a reason to allow full access to Asia and South America, among other areas. Too many firewall rules can increase latency, or worse, crash your firewall. Still, due to the large amount of attacks every day, I've configured CSF to manage at most 7000 rules. Some days are lighter than others, but on the 1st, 671 IPs were blocked trying to access SMTP (669) and cPanel (2). To try and get this under better control, I thought about only allowing web access to everyone, and blocking specific large blocks from accessing FTP or SMTP. So, here is what I've placed in the CSF pre-rules [/usr/local/csf/bin/csfpre.sh].
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21:25 -s 1.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 21:25 -s 2.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 21:25 -s 112.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 21:25 -s 113.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 21:25 -s 117.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 21:25 -s 190.0.0.0/8 -j DROP
Now, I'm not entirely confident in my iptables skills, so I'd like opinions regarding this and certainly feedback if this is doing something bad. I do realize that this would block a massive amount of potential good email and any web developers in those areas hired to work on sites hosted on the server. My thought is that it is far far less probable that any valid email will be coming from these IP ranges. Also, I chose blocks based on my counts of attacks. Rather than load up the 6000-7000 actual IP blocks for Russia, for instance, I can reduce the firewall rules dramatically and keep it simple by only focusing on wholesale blocking entire Class A blocks. I used this site to examine exactly which countries would be blocked: tcpiputils.com
Exit (111 rep)
Jul 24, 2015, 09:34 PM • Last activity: Apr 11, 2025, 05:57 PM
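Added example, not the poster's rules: the same intent expressed as one ipset and one iptables rule, with the prefixes validated before anything is applied. Two points the posted rules raise: --dport 21:25 is a range and therefore also covers SSH (22) and telnet (23), so the ports are listed explicitly here; and an unconditional ACCEPT for 80/443 appended in csfpre.sh sits ahead of the chains CSF builds afterwards, so CSF's own deny list and rate limiting never see web traffic. Set name, port list and prefixes are illustrative; nothing is executed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not the poster's CSF rules. Blocks a list of source
# prefixes from the FTP/SSH/SMTP ports with one ipset and one iptables rule,
# and validates every prefix before touching the firewall. With APPLY=1 the
# commands are executed; otherwise they are only printed. The set name,
# ports and prefixes are illustrative.
BLOCK_SET=csf_geo_block
BLOCKED_PORTS="21,22,25,465,587"   # explicit list, not a 21:25 range
BLOCKED_NETS="1.0.0.0/8 2.0.0.0/8 112.0.0.0/8 113.0.0.0/8 117.0.0.0/8 190.0.0.0/8"

# valid_cidr a.b.c.d/n: succeed only for a well-formed IPv4 prefix.
# Runs in a subshell so the IFS and set -f changes do not leak.
valid_cidr() (
    set -f
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || exit 1                      # no "/" present
    case $len in ''|*[!0-9]*) exit 1 ;; esac
    [ "$len" -le 32 ] || exit 1
    IFS=.; set -- $ip
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# run CMD...: execute when APPLY=1, otherwise print the command line.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

build_block_rules() {
    for net in $BLOCKED_NETS; do
        valid_cidr "$net" || { echo "refusing to continue: bad prefix $net" >&2; return 1; }
    done
    run ipset create "$BLOCK_SET" hash:net -exist
    for net in $BLOCKED_NETS; do
        run ipset add "$BLOCK_SET" "$net" -exist
    done
    # -I places the rule at the top of INPUT so it is evaluated before the
    # chains CSF builds later; one rule matches every prefix in the set.
    run iptables -I INPUT -p tcp -m multiport --dports "$BLOCKED_PORTS" \
        -m set --match-set "$BLOCK_SET" src -j DROP
}

build_block_rules
```

Because the set is looked up by hash, adding the full per-country prefix lists instead of whole /8s does not add rules, so the "7000 rules" ceiling stops being the constraint; the ipset only has to be created before the rule that references it.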
35 votes
3 answers
24976 views
How does one change the delay that occurs after entering an incorrect password?
After entering an incorrect password at a login prompt, there's an approximately 3-second delay. How can I change that on a Linux system with PAM?
Shawn J. Goff (47179 rep)
Jun 16, 2012, 04:37 PM • Last activity: Dec 16, 2024, 09:36 AM
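Added example, not code from the question: the delay is requested by PAM modules through pam_fail_delay(3), and the service's stack decides how long. pam_faildelay.so sets an explicit delay= in microseconds (falling back to FAIL_DELAY from /etc/login.defs when none is given), and pam_unix.so requests a 2-second delay of its own unless it is given the nodelay option; PAM applies the longest request, with random jitter, so going below 2 s also needs nodelay on pam_unix. The functions below report and set the pam_faildelay value for one service file; the sample file is constructed and the values are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Reports and sets the delay that
# pam_faildelay.so requests in a PAM service file, without relying on sed -i.
# The sample service file is constructed; the delay values are illustrative.

# pam_fail_delay FILE: print the delay= value (microseconds) from the
# pam_faildelay line, or "unset" if there is no such line.
pam_fail_delay() {
    awk '/^[[:space:]]*auth/ && /pam_faildelay\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^delay=/) { sub(/^delay=/, "", $i); print $i; found = 1 }
         }
         END { if (!found) print "unset" }' "$1"
}

# set_pam_fail_delay FILE USEC: update the existing pam_faildelay line or
# insert one just before the first auth line. Idempotent.
set_pam_fail_delay() {
    file=$1 usec=$2
    if grep -q 'pam_faildelay\.so' "$file"; then
        awk -v usec="$usec" '
            /pam_faildelay\.so/ { if (!sub(/delay=[0-9]+/, "delay=" usec)) $0 = $0 " delay=" usec }
            { print }' "$file" > "$file.tmp"
    else
        awk -v usec="$usec" '
            !done && /^[[:space:]]*auth/ {
                printf "auth       optional     pam_faildelay.so delay=%s\n", usec; done = 1 }
            { print }
            END { if (!done) printf "auth       optional     pam_faildelay.so delay=%s\n", usec }' \
            "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Constructed sample modelled on a RHEL-style /etc/pam.d/login.
SAMPLE_PAM='#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
password   include      system-auth
session    required     pam_limits.so'

# Usage: set_pam_fail_delay /etc/pam.d/login 5000000   # 5 seconds
#        pam_fail_delay /etc/pam.d/login
```

Edit the service you actually log in through (login, sshd, gdm-password, or the system-auth/common-auth include they share); sshd additionally enforces its own limits with MaxAuthTries and LoginGraceTime.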
0 votes
1 answers
402 views
Impact of disabling kexec_load_disabled kernel parameter
According to the documentation of the kernel parameter kexec_load_disabled:
> This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false.
What this documentation says is that if this parameter is set to true, i.e. 1, then once the kernel is loaded it cannot be unloaded at runtime and a new kernel loaded in its place. So if kernel 6.10.13 is installed on the machine with the kernel parameter kexec_load_disabled set to 1, will it impact the upgrade of the kernel to ver 6.11.2? Will it prevent it even after a reboot? Also, this parameter if set to true does not prevent entries being manipulated in the boot loader like GRUB. So in GRUB an entry can be made to load some other kernel version. Is my understanding correct?
KDM (116 rep)
Oct 7, 2024, 07:28 AM • Last activity: Oct 7, 2024, 07:44 AM
8 votes
1 answers
4994 views
How does the use_pty sudoers option prevent a persistence attack?
As a rule in the Debian 10 hardening guide, and various other audit guides of the Center for Internet Security (CIS), setting the use_pty sudoers option is recommended for the following rationale:
> Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing.
In the sudoers man page, it is described that running a background process that retains access to the user's terminal after the main process has finished executing is no longer possible when the commands are run in a separate pseudo-terminal. I don't really grasp the nuance here. What does it mean to run the sudo command in a *separate pseudo-terminal*, and why is the background process attack no longer possible when this flag is set? What other ramifications does setting use_pty have? Thank you!
Flo (83 rep)
Nov 17, 2022, 12:40 PM • Last activity: May 22, 2024, 12:19 AM
0 votes
0 answers
449 views
Is xinetd necessary? How to detect actual use on a running server?
I have "inherited" a CentOS 7 server on which xinetd is automatically started at boot. My task is to harden that server. Therefore I am wondering whether I can disable the xinetd service. However, this is a production machine which limits my freedom to try out things. I might break something while trying but I should not. So: How can I detect whether xinetd is necessary? Which other daemons/services are configured to be started by it (I suppose that's easy, look at /etc/xinetd.d files)? Which of these have ever been started and are actively used / needed? The files in /etc/xinetd.d might just be historical or from OS packages so these may not reflect needed services. Nevertheless, here is a listing of that directory:
root@server.example.org:/root -> ll /etc/xinetd.d/
total 52
-rw-------. 1 root root 1157 Apr  1  2020 chargen-dgram
-rw-------. 1 root root 1159 Apr  1  2020 chargen-stream
-rw-r--r--. 1 root root 2256 Aug  1  2018 check_mk
-rw-------. 1 root root 1157 Apr  1  2020 daytime-dgram
-rw-------. 1 root root 1159 Apr  1  2020 daytime-stream
-rw-------. 1 root root 1157 Apr  1  2020 discard-dgram
-rw-------. 1 root root 1159 Apr  1  2020 discard-stream
-rw-------. 1 root root 1148 Apr  1  2020 echo-dgram
-rw-------. 1 root root 1150 Apr  1  2020 echo-stream
-rw-------. 1 root root 1212 Apr  1  2020 tcpmux-server
-rw-r--r--. 1 root root  518 Apr 11  2018 tftp
-rw-------. 1 root root 1149 Apr  1  2020 time-dgram
-rw-------. 1 root root 1150 Apr  1  2020 time-stream
PS: I know, at some point I will have to upgrade the OS itself but first things first.
Additional info: The server is serving home directories to a couple of clients by NFS, acts as a router for these and forwards active directory (AD) requests. In fact, the AD functionality is the main reason I am unsure what is needed because I have yet to understand the AD communication protocol (and client/proxy/routing prerequisites). Which services might xinetd be configured for? Perhaps this output helps?
root@server.example.org:/root -> netstat -tulpan | grep xinet
Exit 1
root@server.example.org:/root -> lsof -c xinetd -ai
Exit 1
None? I believe I have had processes not showing up in netstat and still react to incoming requests, perhaps by systemd or (x)inetd. Let's ask /proc:
root@server.example.org:/root -> cat /proc/`pidof xinetd`/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 36323 1 ffff9012125b07c0 100 0 0 10 0
   1: 00000000:007A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 36262 1 ffff9012125b0000 100 0 0 10 0
   2: 00000000:199C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23844 1 ffff90125ca70000 100 0 0 10 0
   3: 00000000:A7E1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34529 1 ffff901211c58f80 100 0 0 10 0
   4: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34515 1 ffff901211c587c0 100 0 0 10 0
   5: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28319 1 ffff90125d6b0000 100 0 0 10 0
   6: 00000000:4E50 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18419 1 ffff901212658000 100 0 0 10 0
   7: 00000000:EB51 00000000:0000 0A 00000000:00000000 00:00000000 00000000    29        0 34497 1 ffff901211c58000 100 0 0 10 0
   8: A13B2BAD:007A 8AB45373:AD92 01 00000000:00000000 02:0009786D 00000000     0        0 70547 3 ffff901211c5ec80 23 4 29 10 -1
root@server.example.org:/root -> cat /proc/`pidof xinetd`/net/udp
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  143: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 29194 2 ffff90125f4f9100 0
  144: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 36283 2 ffff90125a9a8000 0
  144: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 37049 2 ffff901252cc8000 0
  145: 00000000:0045 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23877 2 ffff90125b659100 0
  187: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28317 2 ffff90125b118880 0
  199: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28979 2 ffff90125f4f8cc0 0
  399: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28977 2 ffff90125f4f8880 0
  779: 0100007F:02BF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34483 2 ffff900a63b51100 0
  934: 00000000:035A 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28318 2 ffff90125b118cc0 0
 2125: 00000000:0801 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34525 2 ffff900a63b50440 0
 3740: 00000000:4E50 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18417 2 ffff9012510e8440 0
 8222: 00000000:DFD2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34528 2 ffff900a63b50880 0
 8548: 00000000:2118 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 36299 2 ffff90125a9a8440 0
 9933: 00000000:E681 00000000:0000 07 00000000:00000000 00:00000000 00000000    29        0 34494 2 ffff900a63b50000 0
So, there are actually many ports it listens to? Now chkconfig output:
root@server.example.org:/root -> chkconfig --list |& awk '/xinetd based services/,/""/'
xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        check_mk:       on
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        tcpmux-server:  off
        tftp:           off
        time-dgram:     off
        time-stream:    off
Ned64 (9256 rep)
May 8, 2024, 11:50 AM • Last activity: May 8, 2024, 05:02 PM
0 votes
2 answers
238 views
Is it possible to redirect files in a readonly filesystem?
Let's assume that I have created a linux image with a filesystem that is inherently readonly (like SquashFS) and disabled swap. By readonly I mean the main filesystem and all its content is readonly and it is mounted readonly as well, and only directories that need to be writable such as /tmp are redirected to another writable storage/partition. Now my question is: if someone has full root access on this system, is it possible that he could somehow spoof access to files in the readonly part? For example, if a.so is in the readonly part, is it possible that all access to this file is redirected to another file? He can copy any file to the writable section of the system or run them with root permission. Best Regards
Afshin (135 rep)
Feb 23, 2024, 09:30 PM • Last activity: Feb 24, 2024, 11:02 AM
0 votes
1 answers
50 views
Does my office/lab server need to be providing these services?
I'm trying to figure out what services my university Ubuntu 22.04 computer needs to provide to other machines. I often ssh into this machine and other computers in my lab use it as an NFS server. I can't think of any other services the machine needs to provide, however. As a result, I'm trying to harden the computer by shutting down unnecessary services. Unfortunately given my knowledge of linux services and ports, I'm not sure which are necessary or not. If I run
$ netstat -A inet --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37725           0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:42757           0.0.0.0:*               LISTEN
tcp        0      0 localhost:51144         0.0.0.0:*               LISTEN
tcp        0      0 localhost:17603         0.0.0.0:*               LISTEN
tcp        0      0 localhost:17600         0.0.0.0:*               LISTEN
tcp        0      0 localhost:12546         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:56703           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:56607           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:db-lsp          0.0.0.0:*               LISTEN
tcp        0      0 localhost:44911         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:58017           0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 localhost:32997         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:17500           0.0.0.0:*
udp        0      0 0.0.0.0:53815           0.0.0.0:*
udp        0      0 0.0.0.0:55047           0.0.0.0:*
udp        0      0 0.0.0.0:57529           0.0.0.0:*
udp        0      0 localhost:domain        0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 localhost:864           0.0.0.0:*
udp        0      0 0.0.0.0:33798           0.0.0.0:*
udp        0      0 0.0.0.0:35842           0.0.0.0:*
udp        0      0 0.0.0.0:36165           0.0.0.0:*
udp        0      0 0.0.0.0:mdns            0.0.0.0:*
udp        0      0 0.0.0.0:40000           0.0.0.0:*
udp        0      0 0.0.0.0:43526           0.0.0.0:*
Because I was recently used to amplify a DNS attack, I've stopped the sunrpc service for the moment. My understanding is that I need that service as part of NFS (but my understanding could easily be wrong).
1) Based on my needs, which, if any, of these services do I need to be providing to other machines?
2) Of those that I do need to provide, besides fail2ban for ssh connections, what steps do I need to take to harden my machine?
This may be an overly broad or naive set of questions; if so, any insight will still be greatly appreciated.
mikemtnbikes (241 rep)
Feb 22, 2024, 06:50 PM • Last activity: Feb 23, 2024, 08:02 AM
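Added example serving this question and the xinetd question above; it is not code from either post. Both come down to "which process owns each listening socket", which ss -tulpn answers in one line on a modern system, but the xinetd post shows why reasoning from /proc is worth knowing: /proc/PID/net/tcp is the table of PID's network namespace, not of that one process, so the output posted there lists every listener on the host, not xinetd's. The block decodes the hex address:port columns, maps a socket inode to the process holding it, and lists the xinetd services whose files do not say disable = yes. The sample rows are constructed in the format of the posted output.

```shell
#!/bin/sh
# Added example, not from either post above. Decodes /proc/net/tcp and
# /proc/net/udp into address:port, maps a listening socket's inode to the
# process that holds it, and lists the xinetd services that are actually
# enabled. Note that /proc/<pid>/net/tcp is the table of the whole network
# namespace, not of that one process. Sample rows below are constructed.

# decode_addr HEXADDR:HEXPORT -> dotted.quad:port (the address bytes are
# little-endian in /proc/net/*, the port is big-endian).
decode_addr() {
    hex=${1%%:*}; port=${1##*:}
    b1=${hex%??????}; r=${hex#??}
    b2=${r%????};     r=${r#??}
    b3=${r%??};       b4=${r#??}
    printf '%d.%d.%d.%d:%d\n' $((0x$b4)) $((0x$b3)) $((0x$b2)) $((0x$b1)) $((0x$port))
}

# listeners [TABLE]: listening TCP sockets (st 0A) or bound UDP sockets
# (st 07) from a /proc/net/tcp-style file, with the socket inode.
listeners() {
    table=${1:-/proc/net/tcp}
    case $table in *udp*) want=07 ;; *) want=0A ;; esac
    awk -v want="$want" 'NR > 1 && $4 == want { print $2, $10 }' "$table" |
    while read -r local inode; do
        printf '%s inode=%s\n' "$(decode_addr "$local")" "$inode"
    done
}

# inode_owner INODE: pid and command line of every process holding that
# socket (root is needed to read other users' /proc/PID/fd).
inode_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# xinetd_enabled [DIR]: service files in /etc/xinetd.d without "disable = yes".
xinetd_enabled() {
    for f in "${1:-/etc/xinetd.d}"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || printf '%s\n' "${f##*/}"
    done
}

# Constructed sample in the format of the question's /proc/net/tcp output.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 36323 1 ffff9012125b07c0 100 0 0 10 0
   1: 00000000:007A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 36262 1 ffff9012125b0000 100 0 0 10 0
   8: A13B2BAD:007A 8AB45373:AD92 01 00000000:00000000 02:0009786D 00000000     0        0 70547 3 ffff901211c5ec80 23 4 29 10 -1'

# Usage: run as root to see every listener with its owning process.
if [ -r /proc/net/tcp ]; then
    listeners /proc/net/tcp | while read -r addr inode; do
        echo "$addr $inode $(inode_owner "${inode#inode=}" | head -n1)"
    done
fi
```

Once each port is tied to a process, the decision per service is straightforward: sunrpc (111) and the dynamic ports around it belong to rpcbind/NFS and are needed only by the NFS clients, so restrict them to the lab network with the host firewall rather than turning them off; mdns, ipp and db-lsp are desktop conveniences that a server does not need to expose.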
0 votes
1 answers
159 views
Nagios compilation problem in hardened OS
I am trying to install nagios on a hardened CentOS OS, but I cannot:
checking for a BSD-compatible install... /usr/bin/install -c
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... configure: error: in `/home/nagios-4.3.2':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
I already installed all gcc packages, but it still fails. Any advice?
0xGJx0 (1 rep)
Oct 16, 2017, 02:29 PM • Last activity: Feb 8, 2024, 10:12 AM
0 votes
1 answers
62 views
Detect changes made to VPS linux image by hosting company
My VPS hosting company injects "extras" into new Debian (and other) VPS images - scripts, network config, telemetry, etc. How can I compare a new VPS against the official image, to see what changes were made by the hosting company?
lonix (1965 rep)
May 26, 2023, 12:00 AM • Last activity: May 29, 2023, 01:34 PM
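Added example, not code from the question: the comparison works if both sides are hashed the same way, so take a manifest of the distribution's official image (loop- or guest-mounted) and one of the running VPS, then diff them. For files that belong to packages, debsums -c (Debian) or rpm -Va (RPM systems) gives the same answer from the package database; the manifest diff also catches files no package owns, which is where injected scripts and agents usually live. The two manifests at the bottom are constructed for the dry run; the helper assumes paths without whitespace, since it splits on the two spaces sha256sum emits.

```shell
#!/bin/sh
# Added example, not from the original post. Hashes a file tree into a
# manifest and diffs two manifests, so a VPS can be compared with the
# distribution's official image rather than with the provider's template.
# Assumes paths without whitespace. The manifests at the bottom are
# constructed for the dry run.

# manifest ROOT: "sha256  ./path" lines for every regular file under ROOT,
# skipping trees that legitimately differ between installs.
manifest() {
    (cd "$1" && find . -xdev -type f \
        ! -path './var/log/*' ! -path './var/cache/*' ! -path './tmp/*' \
        ! -path './proc/*' ! -path './sys/*' ! -path './run/*' \
        -exec sha256sum {} + | sort -k2)
}

# manifest_diff OFFICIAL VPS: prints "added", "modified" or "removed" per path.
manifest_diff() {
    awk '
        NR == FNR { base[$2] = $1; next }           # first file: official image
        {
            if (!($2 in base))        print "added", $2
            else if (base[$2] != $1)  print "modified", $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed", p }
    ' "$1" "$2" | sort
}

# Constructed manifests: hashes shortened, paths illustrative.
OFFICIAL_MANIFEST='0a  ./etc/hostname
1b  ./etc/ssh/sshd_config
2c  ./usr/bin/true'
VPS_MANIFEST='0a  ./etc/hostname
9f  ./etc/ssh/sshd_config
2c  ./usr/bin/true
3d  ./usr/local/bin/provider-agent'

# Usage on real systems:
#   manifest /mnt/official-image > official.txt   # on a mount of the image
#   manifest /                   > vps.txt         # on the VPS
#   manifest_diff official.txt vps.txt
```

Expect some noise that is not the provider's doing: machine-id, SSH host keys, /etc/hostname and cloud-init state differ on every first boot, so read the "modified" list with that in mind and concentrate on "added" entries under /usr/local, /opt, /etc/cron*, /etc/systemd and /root.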
4 votes
2 answers
2816 views
Disabling the security hardening options for a `nix-shell` environment
In an attempt to build GCC (6.3) on NixOS (16.09), within a nix-shell, I get this:
make[1]: Entering directory '/coreboot/util/crossgcc/build-i386-elf-GCC/build-x86_64-pc-linux-gnu/libcpp'
test -f config.h || (rm -f stamp-h1 && make stamp-h1)
g++ -I../../../gcc-6.3.0/libcpp -I. -I../../../gcc-6.3.0/libcpp/../include -I../../../gcc-6.3.0/libcpp/include -O2 -fomit-frame-pointer -m64 -W -Wall -Wno-narrowing -Wwrite-strings -Wmissing-format-attribute -pedantic -Wno-long-long -fno-exceptions -fno-rtti -I../../../gcc-6.3.0/libcpp -I. -I../../../gcc-6.3.0/libcpp/../include -I../../../gcc-6.3.0/libcpp/include -c -o expr.o -MT expr.o -MMD -MP -MF .deps/expr.Tpo ../../../gcc-6.3.0/libcpp/expr.c
../../../gcc-6.3.0/libcpp/expr.c: In function 'unsigned int cpp_classify_number(cpp_reader*, const cpp_token*, const char**, source_location)':
../../../gcc-6.3.0/libcpp/expr.c:686:18: error: format not a string literal and no format arguments [-Werror=format-security]
                  0, message);
                  ^
../../../gcc-6.3.0/libcpp/expr.c:689:39: error: format not a string literal and no format arguments [-Werror=format-security]
                                       virtual_location, 0, message);
                                       ^
cc1plus: some warnings being treated as errors
make[1]: *** [Makefile:224: expr.o] Error 1
make[1]: Leaving directory '/coreboot/util/crossgcc/build-i386-elf-GCC/build-x86_64-pc-linux-gnu/libcpp'
make: *** [Makefile:2730: all-build-libcpp] Error 2
sh ../gcc-6.3.0/mkinstalldirs /coreboot/util/crossgcc/xgcc /coreboot/util/crossgcc/xgcc
sh: line 3: cd: i386-elf/libgcc: No such file or directory
make: *** [Makefile:10462: install-target-libgcc] Error 1
Where -Werror=format-security seems to be the reason for the failure (although I don't see this exact option in the command).
Yet in /pkgs/development/compilers/gcc/6/default.nix I find this:
hardeningDisable = [ "format" ];
And guess that the failure may be due to the security hardening measures of NixOS, some of which *have* to be disabled to get GCC compiled (let's assume GCC devs know what they're doing in those functions). Tested it with GCC 6.2 and 5.4 -- same thing. So the question is how do I disable the hardening options (in particular format) for a nix-shell environment? Or where else do those "warnings being treated as errors" come from?
Description(s) of the option(s):
- https://nixos.org/nixpkgs/manual/#sec-hardening-in-nixpkgs
- https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
-----
According to this answer - https://stackoverflow.com/questions/38679630/nixos-setting-options-for-nix-shell - nix-shell has nothing to do with the Nix expressions... but when I call make with the NIX_DEBUG flag,
env NIX_DEBUG=' ' make crossgcc-i386
I get the output from /pkgs/build-support/cc-wrapper/add-hardening.sh, e.g. HARDENING: enabling format; from which I infer that those "format security" options are actually applied when I call make in the nix-shell.
-----
Perhaps I simply need to bump something via nixos-option, but which option exactly? I can't just grep it... (there's no analogue of dconf dump / or gsettings list-recursively)
Andrew (397 rep)
Apr 5, 2017, 11:25 PM • Last activity: Apr 6, 2023, 06:46 PM
1 votes
1 answers
159 views
Sudoedit configuration
I'm hardening a Rhel8.6, and I got this report "The sudoedit program must be used when edit privileges are required.." The directory reported is /etc/sudoers/* How can I set sudoedit to be the only editor for this task?
Nathan Velasque (11 rep)
Nov 22, 2022, 04:48 PM • Last activity: Nov 22, 2022, 05:28 PM
1 votes
0 answers
37 views
Is it possible to harden systemd below 7.0 if my package needs permissions to install other packages?
I am not sure if my question has a proper answer but I still wanted to try. I want to harden my app's systemd unit, the problem is that my package needs permissions to install other packages (that is one of the most problematic things I guess). I was able to drop my rating to around 7.0 with, among others: NoNewPrivileges, various ProtectKernel*, ProtectHome, ProtectProc, ProtectClock and some others. The thing is, I am not able to use "the most powerful" entries like PrivateTmp, ProtectSystem, PrivateDevices, MemoryDenyWriteExecute, ProtectHostname, LockPersonality. I am wondering, if my hands are tied without the entries above, should I simply harden my package with other methods or can I still do something more with systemd? Thanks!
Peksio (121 rep)
Oct 4, 2022, 12:21 PM
-1 votes
1 answers
90 views
Malware for regular linux distros?
I heard many stories that Linux doesn't have viruses/malwares, but I used linux for a short period of time and not a power user yet. I have security concerns and want to hear what you have to say about them. I know for a fact that there's ways to hack MacOS, with O.MG Elite for example, but is there this kind of malware for linux as well? Of course I'm talking about regular distros like manjaro for example and not some hard-to-install Qubes OS. And I'm not talking about how many of them exist, because obviously windows is way more popular(and shitty) so most malware are targeted it and other popular OS such as MacOS. Please feel free to educate me on the topic :)
KramGrebrekuz (1 rep)
Aug 30, 2022, 06:07 PM • Last activity: Aug 30, 2022, 06:22 PM
0 votes
0 answers
161 views
Disable everything but a hidden command for root access
linux security and root access question.... I'm setting up a server that has a validator node running on it for a blockchain. I was trying to harden the security of my server. I set up ufw for all ports but those necessary for the node to operate. I set up 2FA, SSH with ed25519, and then I was spending time trying to figure out, if for some crazy reason someone got in... how could I stop someone from using systemctl or poweroff with sudo privileges. The goal is to maximize uptime and remain in sync with the other nodes at all times. Anyways, I started blocking bash commands for the user account that allows SSH and blocked SSH to root. Then I blocked a few more commands and thought, what if someone could find their way around this? So, I just started blocking too many things lol. Even though I disabled sudo for the user and blocked a number of commands the user could still use systemctl and stop the service for the node. Eventually I found this guide on how to only allow a few commands for a user. I ended up removing all of the commands from the user and symlinked the su command and renamed it to a random command that only I know. All of the other commands done by the user respond with
-rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
I took away bash history and bash autocomplete/tab completion. Now the only thing you can do is guess commands that will get you to the point where you still have to get past my root password. Anyways, I'm saying all of this because I have always heard best security practices involve "disabling root". Sometimes I see it as just disable root SSH, which I already have done, but sometimes I read it like disable the root account. Some say disable the password and try to divvy it up with sudo privileges so it's more traceable to individual users. In my case I need to preserve root access in some way but I basically hid everything within the root user. So, if anyone gets access to root it's over.
But, it's behind 2FA, SSH, and an unknown command that just gets to where you can try a password to access root. Am I thinking about this "disable root for security" all wrong and I should disable it completely, or does it make sense what I've done so far?
brent-franklin (1 rep)
Sep 30, 2021, 03:43 AM • Last activity: Sep 30, 2021, 04:34 AM
0 votes
0 answers
1614 views
how to verify that Gratuitous ARP disabled in a Linux server?
**Problem:** I need to verify if Gratuitous ARP is disabled on a Linux server in the configuration files.
Coding_A_Nation (1 rep)
Jun 2, 2021, 09:59 AM
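Added example serving this question and the kexec_load_disabled question above; it is not code from either post. Linux has no single "gratuitous ARP" switch, so the check has to look at several tunables: on receipt, net.ipv4.conf.*.arp_accept says whether a gratuitous ARP may create a new neighbour entry (with 0, the default, existing entries are still updated) and net.ipv4.conf.*.drop_gratuitous_arp discards such frames outright; arp_notify controls sending them on address or link changes. For arp_accept and drop_gratuitous_arp the kernel ORs the "all" value with the interface's own value, so a check on "all" alone proves nothing about an interface. kernel.kexec_load_disabled=1 is a one-way latch for the running kernel only: it blocks kexec_load(2) and kexec_file_load(2) until reboot and has no bearing on installing a newer kernel package or on which entry GRUB boots next time. The script reads the live values from /proc/sys (SYSCTL_ROOT can point at another tree, which is how the dry run exercises it) and reports where the persistent sysctl configuration sets the ARP keys.

```shell
#!/bin/sh
# Added example serving the kexec_load_disabled and gratuitous-ARP posts
# above; not code from either. Reads tunables from /proc/sys (SYSCTL_ROOT
# can point at a constructed tree for testing) and scans the sysctl config
# files for the persistent settings.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
SYSCTL_CONF="/etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d"

# sysctl_get KEY: value of a dotted key, or "missing".
sysctl_get() {
    f="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# kexec_load_disabled=1 blocks kexec_load(2)/kexec_file_load(2) until the
# next reboot and cannot be cleared; it does not affect what the boot
# loader starts after that reboot.
check_kexec() {
    case $(sysctl_get kernel.kexec_load_disabled) in
        1) echo "kexec: disabled (latched until reboot)" ;;
        0) echo "kexec: enabled; set kernel.kexec_load_disabled=1 to latch it off" ;;
        *) echo "kexec: tunable missing" ;;
    esac
}

# check_garp: effective gratuitous-ARP handling per interface. arp_accept
# and drop_gratuitous_arp are ORed with the "all" value by the kernel.
check_garp() {
    all_acc=$(sysctl_get net.ipv4.conf.all.arp_accept)
    all_drop=$(sysctl_get net.ipv4.conf.all.drop_gratuitous_arp)
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*/; do
        ifname=${d%/}; ifname=${ifname##*/}
        case $ifname in all|default|'*') continue ;; esac
        acc=$(sysctl_get "net.ipv4.conf.$ifname.arp_accept")
        drop=$(sysctl_get "net.ipv4.conf.$ifname.drop_gratuitous_arp")
        notify=$(sysctl_get "net.ipv4.conf.$ifname.arp_notify")
        if [ "$all_drop" = 1 ] || [ "$drop" = 1 ]; then frames=dropped; else frames=accepted; fi
        if [ "$all_acc" = 0 ] && [ "$acc" = 0 ]; then entries=off; else entries=on; fi
        echo "$ifname: gratuitous ARP frames $frames, new neighbour entries from them $entries, arp_notify=$notify"
    done
}

# garp_config_lines [DIR...]: where the persistent configuration sets these keys.
garp_config_lines() {
    grep -rHE '^[[:space:]]*net\.ipv4\.conf\.[^.]+\.(arp_accept|drop_gratuitous_arp|arp_notify)' \
        ${1:-$SYSCTL_CONF} 2>/dev/null || echo "no persistent setting found"
}

check_kexec
check_garp
garp_config_lines
```

The persistent and the live state can disagree (a value set by hand with sysctl -w, or a config file that is never loaded because a later file overrides it), which is why the script reports both; for the audit evidence the asker needs, the live values are what the kernel actually enforces.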