...
chmod a-st /usr/bin/chage
chmod a-st /usr/bin/gpasswd
chmod a-st /usr/bin/newgrp
chmod a-st /usr/bin/fusermount3
chmod a-st /usr/bin/pkexec
chmod a-st /usr/bin/crontab
chmod a-st /usr/bin/chfn
chmod a-st/usr/bin/at
chmod a-st /usr/bin/chsh
chmod a-st /usr/bin/fusermount
chmod a-st /usr/bin/ksu
chmod a-st /usr/libexec/sssd/ldap_child
chmod a-st /usr/libexec/sssd/proxy_child
chmod a-st /usr/libexec/sssd/selinux_child
chmod a-st /usr/libexec/cockpit-session
chmod a-st /usr/lib/polkit-1/polkit-agent-helper-1
chmod a-st /usr/sbin/userhelper
chmod a-st /usr/sbin/unix_chkpwd
chmod a-st /usr/bin/locate
chmod a-st /usr/libexec/openssh/ssh-keysign
Checking open TCP and UDP ports and processes listening on them (with the command netstat -46npl ) and subsequent reduction of unnecessary ones. For example, on a particular server, the rpcbind.socket and rpcbind services, which were previously used to mount the NFS subsystem, were disabled.
Other recommendations (from Windows Hardening section)