Linux security and system hardening checklist
Checklist to improve the security of your Linux system
Introduction
After the installation of a Linux-based system, so-called system hardening is needed. This involves a range of steps to tighten the capabilities of a system, its software, and its users. By applying best practices, we can reduce the chance of a system being misused or exploited.
System hardening
Why perform system hardening on Linux systems?
Every Linux distribution has to make compromises between usability, performance, and security. Unless your distribution is primarily focused on security, chances are high that the first two factors got priority over security. A question that is often asked is: is Linux more secure than Microsoft Windows? That question can be answered quickly, with a clear no.
Both the kernel and the packaged software can contain vulnerabilities. On top of that, the system configuration itself can have flaws. In other words, Linux systems also still need OS hardening.
Risks of system hardening
During the process of system hardening, changes are made. There is the risk that a change has unexpected consequences, and the more changes, the bigger the risk that something no longer works. Sometimes these changes impact performance, but more typically they result in something like the inability to connect to a system, log in, or retrieve data from an application.
Mitigation steps
There are several options to reduce the risks.
- Test all changes first on a test system that mimics the production environment
- Document all changes, preferably in a system such as a CMDB
- Apply system hardening measures to newly deployed systems or their image
Checklists and guides
The value of checklists
Checklists may give a false sense of security to technical people and managers. The same is true for hardening guides and many of the tools. It requires serious effort to improve Linux security and apply system hardening measures correctly. A good understanding of the subject and keeping your knowledge up-to-date is important. That is why this checklist includes a lot of other resources to build up your knowledge.
In the area of system operations or information security, the usage of any checklist requires a serious warning. Implementing the listed security measures only makes your system more secure if done correctly. There are no '10 things' that are the best, as it depends strongly on each system and its purpose. When you come across other checklists with a number in the title, then most likely it's not a real checklist. Like hardening and securing an operating system, a good checklist requires dedication and a lot of work.
Use authoritative resources
The internet contains a lot of resources of value, especially when it comes to technical subjects. At the same time, many blog posts and articles are not of high quality. Some authors do not even have a full understanding of the tips they advocate. Another issue is outdated information or simply incorrect advice. For that reason, we suggest working with authoritative sources of high quality.
Trust, but verify!
Like the authoritative resources above, there are specialized companies in the field. To prevent giving any company special treatment, we will not mention any unless it warrants a mention. Examples may include kernel development, work on security software, or other great contributions to the field.
This checklist has been created based on our knowledge and additional research. A critical view on any of the suggestions is not just a good idea, but required. This way you gain the best possible understanding of the subject and make the right decision. After all, you have to decide what is best for your Linux systems when it comes to hardening them. So whatever you encounter on other websites or in this particular checklist, follow the saying "Trust, but verify".
Preparations
Backup and test a restore
Hardening the operating system means changes to its configuration will happen. While most changes are easy to undo, some might have a serious impact. Changes to the boot loader, for example, may result in an unbootable system if something goes wrong.
The very first step is to ensure that your current backup strategy is working correctly. Perform a backup and when possible create a snapshot of the system. This way you always have the option to go back to a previous configuration, if for some reason things fail.
Even more important than the act of backing up data is the ability to restore data. After all, that is why you made the backup in the first place. So besides creating a new backup before you make changes, perform a test restore.
Test before you make changes!
This checklist is created based on years of expertise in the field of Linux security. Still, every system is different and serves its own purpose. Before making changes to systems, special care should go into testing. This is even more important for changes made to systems that are in production. For those items that you don't fully understand, follow up by doing more research first instead of just copy-pasting configuration snippets.
Physical access
Hardware security
If you want to achieve the maximum security of your Linux distribution, consider first how well the hardware is protected. Most of these related settings can be done in the BIOS, often accessible by pressing a key during the boot process.
- Set a password to protect the BIOS
- Consider using a boot password
- Disable unused storage devices and ports (e.g. FireWire)
Installation
Partitioning structure and encryption
The installation process is a good first indicator of how well a system is hardened. During this phase, the operating system is installed on a local disk. A proper partitioning structure helps with separating executable code from data. It makes it possible to protect both, by setting mount options per partition and by preventing a single file system from being filled unexpectedly.
During this part of the installation, there is also the option to encrypt all the data. This protects the disk when the system is stolen. It is done by setting a password or passphrase that needs to be provided during the boot of the Linux system.
- Define multiple partitions (/, /tmp, /usr, /var, /var/log)
- Set an encryption password
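The partitioning advice above can be checked mechanically against an fstab. The script below is an added example and not part of the original checklist: it reads fstab text, reports expected mount points that have no separate entry, and reports hardening mount options (nodev, nosuid, noexec) missing from the partitions that usually carry them. The fstab content is constructed sample data, and the per-mount-point option policy in required_options is an assumption for the example; on a real host pass it the contents of /etc/fstab and adjust the policy to the system's purpose.

```shell
#!/bin/sh
# Added example: audit an fstab for a hardened partition layout.
# SAMPLE_FSTAB is constructed sample data, not taken from a real system.
SAMPLE_FSTAB='# <device>      <mount point> <type> <options>                   <dump> <pass>
UUID=1111-aaaa  /             ext4   defaults,errors=remount-ro   0 1
UUID=2222-bbbb  /tmp          ext4   defaults                     0 2
UUID=3333-cccc  /var          ext4   defaults                     0 2
UUID=4444-dddd  /var/log      ext4   defaults,nodev,nosuid,noexec 0 2
UUID=5555-eeee  /home         ext4   defaults,nodev               0 2
UUID=6666-ffff  none          swap   sw                           0 0'

# Mount points the checklist expects to live on their own partition.
EXPECTED_MOUNTPOINTS="/ /tmp /usr /var /var/log"

# required_options MOUNTPOINT: mount options this example's policy expects.
# The policy is an assumption; tune it to what the system runs (for example,
# noexec on /tmp breaks installers that unpack and execute there).
required_options() {
    case "$1" in
        /tmp|/var/log) echo "nodev nosuid noexec" ;;
        /var|/home)    echo "nodev nosuid" ;;
        *)             echo "" ;;
    esac
}

# has_option "opt1,opt2,..." OPT: true when OPT appears in the comma-separated list.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_mountpoints FSTAB_TEXT: prints each expected mount point without an entry.
missing_mountpoints() {
    for want in $EXPECTED_MOUNTPOINTS; do
        if ! printf '%s\n' "$1" | awk -v m="$want" \
                '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }'; then
            echo "$want"
        fi
    done
}

# fstab_findings FSTAB_TEXT: prints one line per missing hardening option.
fstab_findings() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        for opt in $(required_options "$mnt"); do
            has_option "$opts" "$opt" || echo "$mnt: missing mount option $opt"
        done
    done <<EOF
$1
EOF
}

# audit_fstab FSTAB_TEXT: prints all findings; returns 0 only when there are none.
audit_fstab() {
    report=$( { missing_mountpoints "$1" | sed 's/^/no separate partition for /'
                fstab_findings "$1"; } )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

if audit_fstab "$SAMPLE_FSTAB"; then
    echo "fstab: no findings"
else
    echo "fstab: hardening findings listed above"
fi
```

On a real system, run `audit_fstab "$(cat /etc/fstab)"`; mount options only take effect after a remount, so verify the live state with `findmnt -o TARGET,OPTIONS` as well.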
Bootloader
During the boot process, a so-called bootloader is one of the components that is started first. Typically the GRUB loader is used on Linux systems.
- Set a configuration password on the bootloader
- Check and tighten file permissions of configuration files
Minimal installation
The software for the system is typically selected during the installation phase. That means that you have the choice to select roles, a group of packages, or individual packages. Using fewer packages is the best option. It speeds up the installation, reduces disk space, and decreases the risk of vulnerable software packages later on.
- Only install what you really need
- When possible, use the 'minimal installation' option.
Software
Software and package management
Most software packages are a collection of one or more tools bundled together. Sooner or later one of these packages might contain a vulnerability. This is simply a known weakness in the software, which can lead to instability or even a security breach. For that reason, the system should be 'patched' on a regular basis. This means testing and installing any updates that are announced as security updates.
- Limit the number of packages to reduce the footprint of the system
- Disable services that are not needed
- Install security updates regularly and with priority
Configuration
Authentication
PAM
Most Linux distributions use the modular framework named PAM, which is short for Pluggable Authentication Modules. The framework allows configuring most of the settings related to authentication, such as where to check that a user or account exists. It also includes the configuration related to password strength, two-factor authentication, and even protection mechanisms against brute-force attacks.
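The PAM settings mentioned above (brute-force protection, password strength) live in the stack files under /etc/pam.d. The following is an added example, not code from the original checklist: a shell audit that extracts key=value arguments from a PAM stack and reports the weak spots. The two stack fragments are constructed samples loosely modelled on Debian-style common-auth and common-password files, and the thresholds (deny at most 5, minlen at least 12) are this example's assumed policy, not values from the checklist.

```shell
#!/bin/sh
# Added example: audit PAM stack text for lockout and password-quality settings.
# Both fragments are constructed sample data, not copied from a real host.
SAMPLE_PAM_AUTH='# constructed sample in the style of /etc/pam.d/common-auth
auth    required                    pam_faillock.so preauth silent deny=5 unlock_time=900
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail deny=5 unlock_time=900
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so'

SAMPLE_PAM_PASSWORD='# constructed sample in the style of /etc/pam.d/common-password
password  requisite                   pam_pwquality.so retry=3 minlen=8 difok=3
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  requisite                   pam_deny.so'

# pam_module_arg STACK_TEXT MODULE KEY: prints the value of KEY=value on the
# first non-comment line that references MODULE; prints nothing if absent.
pam_module_arg() {
    printf '%s\n' "$1" | awk -v mod="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        index($0, mod) {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == key) { print kv[2]; exit }
        }'
}

# pam_has_flag STACK_TEXT MODULE FLAG: true when a bare FLAG token (e.g. nullok)
# appears on a non-comment line that references MODULE.
pam_has_flag() {
    printf '%s\n' "$1" | awk -v mod="$2" -v flag="$3" '
        /^[[:space:]]*#/ { next }
        index($0, mod) { for (i = 1; i <= NF; i++) if ($i == flag) found = 1 }
        END { exit !found }'
}

# audit_pam AUTH_TEXT PASSWORD_TEXT: prints one finding per weak setting.
# Thresholds below are an assumed policy for the example.
audit_pam() {
    deny=$(pam_module_arg "$1" pam_faillock.so deny)
    if [ -z "$deny" ]; then
        echo "pam_faillock.so has no deny= setting: no lockout against brute-force attempts"
    elif [ "$deny" -gt 5 ]; then
        echo "pam_faillock.so deny=$deny is above the assumed maximum of 5"
    fi
    if [ -z "$(pam_module_arg "$1" pam_faillock.so unlock_time)" ]; then
        echo "pam_faillock.so has no unlock_time= setting: locked accounts need manual reset"
    fi
    if pam_has_flag "$1" pam_unix.so nullok; then
        echo "pam_unix.so carries nullok: accounts with an empty password can log in"
    fi
    minlen=$(pam_module_arg "$2" pam_pwquality.so minlen)
    if [ -z "$minlen" ]; then
        echo "pam_pwquality.so has no minlen= setting (or the module is not in the stack)"
    elif [ "$minlen" -lt 12 ]; then
        echo "pam_pwquality.so minlen=$minlen is below the assumed minimum of 12"
    fi
}

audit_pam "$SAMPLE_PAM_AUTH" "$SAMPLE_PAM_PASSWORD"
```

Against the sample the audit reports the nullok flag and the short minlen; on a real host run it as `audit_pam "$(cat /etc/pam.d/common-auth)" "$(cat /etc/pam.d/common-password)"` (Red Hat style systems use system-auth and password-auth instead), and keep a root shell open while changing PAM files, since a broken stack can lock every account out.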
File permissions
Each file is assigned an owner and a group and a set of file permissions. The Linux kernel uses file permissions as a first layer to see if a user is granted access to a particular file or directory. It also defines what type of access is granted, such as read-only access or more. Although there are several combinations possible, it is not fine-grained. To define a more detailed kind of access, file ACLs can be used.
- Grant access to normal files with 640 and 750 for directories, or more strict.
- Don't use chmod 777
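The 640/750 ceiling from the list above can be enforced with plain bit arithmetic. The following is an added example, not part of the original checklist: a shell audit that takes a "type mode path" listing (the format GNU find emits with `-printf '%y %m %p\n'`) and reports every entry that grants a permission bit the ceiling does not. The listing is constructed sample data for a hypothetical application directory /srv/app; the choice to give executable files the 750 ceiling of directories is this example's assumption. Keep the scope to application data and scripts: system files such as /etc/passwd must stay world-readable and would be reported by this policy.

```shell
#!/bin/sh
# Added example: check file modes against the checklist's 640 (files) / 750
# (directories) ceiling. SAMPLE_LISTING is constructed sample data in the
# format produced by:  find /srv/app -printf '%y %m %p\n'   (GNU find)
SAMPLE_LISTING='d 750 /srv/app
f 640 /srv/app/config.ini
f 644 /srv/app/secrets.env
d 775 /srv/app/bin
f 750 /srv/app/bin/run.sh
d 777 /srv/app/uploads
f 600 /srv/app/uploads/.htaccess'

# mode_exceeds MODE MAX: true when MODE grants a permission bit that MAX does
# not. Both are octal strings (644, 0755, ...); the 0 prefix makes the shell
# parse them as octal inside $(( )).
mode_exceeds() {
    [ $(( 0$1 & ~0$2 )) -ne 0 ]
}

# is_executable MODE: true when any execute bit is set.
is_executable() {
    [ $(( 0$1 & 0111 )) -ne 0 ]
}

# is_world_writable MODE: true when the "other" write bit is set (chmod 777 territory).
is_world_writable() {
    [ $(( 0$1 & 02 )) -ne 0 ]
}

# max_mode_for TYPE MODE: the ceiling for an entry. Directories get 750, plain
# files 640; executables also get 750 (assumption of this example, since a
# script cannot run without its execute bit).
max_mode_for() {
    if [ "$1" = d ] || is_executable "$2"; then
        echo 750
    else
        echo 640
    fi
}

# audit_listing LISTING_TEXT: one finding per entry whose mode exceeds its ceiling.
audit_listing() {
    while read -r ftype mode path; do
        [ -z "$ftype" ] && continue
        max=$(max_mode_for "$ftype" "$mode")
        if mode_exceeds "$mode" "$max"; then
            note=""
            is_world_writable "$mode" && note=" (world-writable)"
            echo "$path: mode $mode exceeds $max$note"
        fi
    done <<EOF
$1
EOF
}

audit_listing "$SAMPLE_LISTING"
```

On a real host the same function runs as `audit_listing "$(find /srv/app -printf '%y %m %p\n')"`; a quicker system-wide check for the worst case, world-writable files, is `find / -xdev -type f -perm -0002`.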
Connectivity
Firewall
As part of the network configuration, a firewall is a useful defense mechanism. It should be configured to block all traffic and only allow the incoming and outgoing data streams that are required for the machine to do its job. So a web server would typically allow incoming HTTPS requests to port 443/TCP. A mail server usually has this port blocked and instead allows connections to port 25/TCP.
- Deny all incoming traffic by default
- Open services by port and protocol (typically ICMP, UDP or TCP)
- Restrict ICMP when needed, yet allow the machine to function properly
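The three firewall items above map directly onto an nftables ruleset: a drop policy on the input chain, one accept rule per service, and an explicit allow-list of the ICMP types a host needs to keep functioning (ping, path MTU discovery, error reporting). The shell function below is an added example, not part of the original checklist: it generates such a ruleset from PORT/PROTO arguments, so the web server and mail server cases from the text become `nft_ruleset 443/tcp` and `nft_ruleset 25/tcp`. The ICMP type selection is this example's assumption.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that denies incoming traffic by
# default and opens only the given services. Arguments are PORT/PROTO pairs:
#   nft_ruleset 443/tcp            # web server
#   nft_ruleset 25/tcp 587/tcp     # mail server
# The output is printed; nothing is applied to the running kernel.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMP limited to what the host needs to function (assumed selection)
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
EOF
    for svc in "$@"; do
        port=${svc%/*}
        proto=${svc#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "nft_ruleset: unsupported service '$svc' (use PORT/tcp or PORT/udp)" >&2
               return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "nft_ruleset: bad port in '$svc'" >&2
                         return 1 ;;
        esac
        printf '        %s dport %s accept\n' "$proto" "$port"
    done
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Print a ruleset for the services given on the command line (web server if none).
if [ $# -gt 0 ]; then
    nft_ruleset "$@"
else
    nft_ruleset 443/tcp
fi
```

Save the output to a file, review it, and load it with `nft -f FILE`; `nft list ruleset` then shows what is active. When the host is managed over SSH, include 22/tcp (or the port in use) in the arguments and keep the current session open until a second login has confirmed the new rules work, since a deny-by-default policy applied without the management port is the "inability to connect" risk described earlier in this checklist.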
Resources
Blogs
There is a wide range of blogs available that write about Linux and security. They can help greatly in finding new techniques to further increase your security defenses.
Relevant tools
To help with securing a Linux system, a variety of tools is available. Auditing tools are useful for system hardening, as they perform a health scan of the system and point out room for improvement. Also useful are tools that implement some of the hardening measures themselves. Based on our review we found several relevant tools.
Lynis (security scanner and compliance auditing tool)
IT audit, penetration testing, security assessment, system hardening, vulnerability scanning
Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for an in-depth audit and continuous improvement. For this reason, it needs to be executed on the host system itself. By seeing the system from the inside out, it can provide more specific details than the average vulnerability scanner.
OpenSCAP (suite with tools and security data)
security assessment, vulnerability scanning
Tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines
sysechk (system auditing tool)
IT audit, system hardening
System Security Checker, or sysechk, is a tool to perform a system audit against a set of best practices. It uses a modular approach to test the system.
Cloud Security Suite (cloud security toolkit)
IT audit, configuration audit, penetration testing, system hardening
Cloud Security Suite (CS Suite) is a security toolkit that allows scanning Amazon, Google, and Azure cloud platforms. It leverages tools like Lynis, Prowler, and Scout2 to collect all information. The promise of the tool is to simplify the installation of the tools, their configuration, and the data collection.
JShielder (Linux hardening tool)
system hardening
JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.
Zeus (AWS auditing and hardening tool)
configuration audit, security assessment, self-assessment, system hardening
Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.
nixarmor (Linux hardening script)
system hardening
Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. It configures the system to increase its security level.
LUNAR (system security scanner)
security assessment, self-assessment, system hardening
LUNAR is a security scanner that runs on a Linux system or other flavors of Unix. It provides insights on what can be done to harden the system.
Bastille Linux (hardening tool)
system hardening
Bastille Linux was a popular tool to perform hardening of systems running Linux and other flavors. It has not received updates in the last years.
Nix Auditor (system auditing tools)
Nix-Auditor is a tool to help with scanning Linux systems and test them against CIS benchmarks.
Frequently Asked Questions
- What is system hardening?
System hardening is the process of securing a system by reducing possible weaknesses. This is done by restricting access and capabilities of the kernel, software components, and its configuration. The so-called attack surface gets smaller, making the system more secure. System hardening resources such as hardening guides typically consist of best practices within a field of expertise.
- What are best practices?
Best practices are procedures or steps in a particular field of expertise that are generally accepted as being effective. They are formed by professionals reaching an agreement and sharing consensus-based tips with others in and outside the field.
- What is a hardening guide?
A hardening guide is a document that provides suggested improvements to secure a system. Typically these suggestions are categorized and include a rationale. By following a hardening guide the chances of a system compromise can be strongly reduced.
- Is hardening also needed for Linux systems?
System hardening is also needed for systems using the Linux kernel. The primary reason is that Linux distributions have to make a sacrifice between usability, performance, and security. Typically these first two factors are favored. Therefore it is up to the administrator of the system to enhance the security level based on the risks and type of usage.
Glossary
Below are the relevant definitions and terms for this checklist.
- Access Control List (ACL)
- Access control lists (ACL) implement a measure to store which resources can be accessed by identified subjects like users or systems. An ACL typically will also store the related permissions that the subject has. For example, Bob can access a particular file and read it. Alice can do the same, but also edit the file.
- Best practice
- A procedure or step that is considered to be an effective measure in a particular field of expertise. For example, the advice to use strong passwords to reduce the risk of account compromise.
- System hardening
- The process of increasing the security defenses of a system. Typically these defenses are so-called best practices and meant to decrease the risks to the system.