The Practical Linux Hardening Guide

"Did you know all your doors were locked?" - Riddick (The Chronicles of Riddick)

_{Created by trimstray and contributors}

I'm back, work in progress...

---

Table of Contents

• Introduction
• Policy Compliance (Hardening standards)
  • Center of Internet Security (CIS)
  • Security Technical Implementation Guide (STIG)
  • Security Content Automation Protocol (SCAP)
• DevSec Hardening Framework
• Contributing
• Other hardening guides
• Pre install tasks
  • Physical system security
    • Introduction
    • Secure rooms
    • Monitoring
    • Air conditioning
    • Fire protection
    • Locked racks
    • Console security
    • BIOS protection
    • Summary checklist
  • Hard disk encryption
    • Introduction
    • Encrypt root filesystem
    • Encrypt /boot partition
    • Swap partition
    • Summary checklist
• Post install tasks
  • Bootloader configuration (grub)
    • Introduction
    • Protect bootloader with password
    • Protect bootloader config files
    • Summary checklist
  • Disk partitions
    • Introduction
    • Separate disk partitions
    • Mount options: nodev, noexec and nosuid
    • Secure /boot directory
    • Secure /tmp and /var/tmp
    • Secure /dev/shm
    • Secure /proc filesystem
    • Swap partition
    • Disk quotas
    • Summary checklist
  • Keep system updated
  • Package management
    • Automatic security updates
    • Remove packages with known issues
  • Netfilter ruleset
  • TCP wrapper
  • Users and groups
    • Limit su access
    • Disable root account
    • Logins to system console
    • Disable shell accounts
    • Strong password policy
    • Password aging
    • Previous passwords
    • Login failures
    • Protect single user mode
  • System path permissions
    • World writable files
  • PAM module
  • Limits
  • Shadow passwords
  • Linux kernel hardening
    • Kernel parameters
      • Network security
      • System security
  • Remove unused modules
  • Secure shared memory
  • IRQ balance
  • Disable compilers
  • Email notifications
    • Rebooting the system
  • Backups
  • External devices
    • Disable USB usage
• Tools
  • Logging and Auditing
    • Auditd
    • Tiger
    • Aide
    • Logwatch
  • Other
    • Fail2ban
    • PSAD
    • SELinux
    • Entropy daemon
    • Centralized authentication service
  • Testing tools
    • Lynis
    • Chrootkit
• Services
  • Disable all unnecessary services
    • Common unix print system
    • Summary checklist
  • System services
    • OpenSSH
    • NTP
    • Cron
    • Anacron
    • GnuPG 2
      • Unattended key generation
  • DNS services
    • Bind9
  • Mail services
    • Postfix
  • Web services
    • Nginx
      • Files and directories permissions
      • Use HTTPS
      • Enable HTTP2
      • Separate domains
      • Redirect all unencrypted traffic to HTTPS
      • Enable HTTP Strict Transport Security
      • Diffie Hellman Ephemeral Parameter
      • Security related headers
    • Apache
  • Databases
    • PostgreSQL
    • MySQL
    • Redis
  • Queues
    • AMQP
• Containers
  • LXC/LXD
  • Docker
  • Hashicorp suite
• Deployment
• Testing configuration
• External resources

Introduction

This Hardening Guide provide a high-level overview of the security hardening GNU/Linux systems.

Policy Compliance (Hardening standards)

Center of Internet Security (CIS)

The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.

Security Technical Implementation Guide (STIG)

A Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security.

Security Content Automation Protocol (SCAP)

Security Content Automation Protocol (SCAP) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. One of the most popular implementations of SCAP is OpenSCAP and it is very helpful for vulnerability assessment and also as hardening helper.

DevSec Hardening Framework

Security + DevOps: Automatic Server Hardening.

This project covered a lot of the things in this guide, which can be automated (e.g. setting of grub password or enforcing the permissions of the common directories).

Project: DevSec Hardening Framework + GH repository: dev-sec.

Thanks for @artem-sidorenko!

Contributing

If you find something which doesn't make sense, or one of these doesn't seem right, or something seems really stupid; please make a pull request or please add valid and well-reasoned opinions about your changes or comments.

Before add pull request please see this.

Other hardening guides

Type of list	Comment
STIGs Master List
Arch Linux
CentOS Linux
Debian GNU/Linux	old guide - to update
Fedora Linux	old guide - to update
Red Hat Enterprise
Slackware Linux	some data may not be available
Ubuntu Linux	some data may not be available