Linux security and system hardening checklist

Every Linux distribution has to make compromises between usability, performance, and security. Unless your distribution is primarily focused on security, chances are great that the first two factors got priority of security. There is a question that is often asked: Is Linux more secure than Microsoft Windows?. The answer can be answered quickly with a clear no.

Both the kernel and the packaged software can contain vulnerabilities. On top of that, there is also a system configuration that can have its flaws. So in other words, also Linux systems still need OS hardening.

Checklists may give a false sense of security to technical people and managers. The same is true for hardening guides and many of the tools. It requires serious effort to improve Linux security and apply system hardening measures correctly. Good understand and keeping your knowledge up-to-date is important. So that is why this checklist will include a lot of other resources to build up your knowledge.

In the area of system operations or information security, the usage of any checklist requires a serious warning. Implementing the listed security measures only makes your system more secure if done correctly. There are no '10 things' that are the best, as it depends strongly on each system and its purpose. When you come across other checklists with a number in the title, then most likely it's not a real checklist. Like hardening and securing an operating system, a good checklist requires dedication and a lot of work.

Hardening the operating system means changes to its configuration will happen. While most changes are easy to undo, some might have a serious impact. For example, changes to the boot loader. If something goes wrong, it may result in an unbootable system.

The very first step is to ensure that your current backup strategy is working correctly. Perform a backup and when possible create a snapshot of the system. This way you always have the option to go back to a previous configuration, if for some reason things fail.

Even more important than the act of backing up data is the ability to restore data. After all, that is why you made the backup in the first place. So besides creating a new backup before you make changes, perform a test restore.

If you want to achieve the maximum security of your Linux distribution, consider first how well the hardware is protected. Most of these related settings can be done in the BIOS, often accessible by pressing a key during the boot process.

The installation process is a good first indicator on well a system is hardened. During this phase, the operating system is installed on a local disk. A proper partitioning structure helps with splitting executable code from data. It enables to protect them both, by setting mount options and prevent a file system being filled unexpectedly.

During this part of the installation, there is also the option to encrypt all the data. This protects the disk when the system is stolen. It is done by setting a password or passphrase, that needs to be provided during the boot of the Linux system.

Most software packages are a collection of one or more tools bundled together. Sooner or later one of these packages might contain a vulnerability. This is simply a known weakness in the software, which can lead to instability or even a security breach. For that reason, the system should be 'patched' on a regular basis. This means, testing and installing any updates that are announced as security updates.

Most Linux distributions use the modular framework named PAM, which is short for pluggable authentication module. The framework allows configuring most of the settings related to authentication, such as where to check that a user or account exists. It also includes the configuration related to password strength, two-factor authentication, and even protection mechanisms against brute-force attacks.

As part of the network configuration, a firewall is a useful defense mechanism. It should be configured to block all traffic and only allow incoming and outgoing data streams that are required for the machine to do its job. So a web server would typically allow incoming HTTPS requests to port 443/TCP. A mail server usually has this port blocked and instead allow connections to port 25/TCP.

There is a wide range of blogs available that write about Linux and security. They can help greatly in finding new techniques to further increase your security defenses.