Linux hardening tools


Introduction

Hardening Linux systems can be a time-consuming task, especially if you don't know what to look at. These tools help with system hardening by analyzing the system and showing any findings that might need to be corrected.

This category includes the tools that do a system analysis or actively make changes to the system. The 'set it and forget it' approach is a dangerous one when it comes to Linux hardening. It may result in unwanted configurations or unexpected behavior. For most environments, it is suggested to choose the combination of an audit tool and a configuration management tool (Ansible, Chef, Puppet, Salt, etc). This way changes are better controlled and settings can be documented.

Usage

Linux hardening tools are typically used for configuration audit and system hardening.

Users of these tools include auditors, security professionals, and system administrators.

Tools

Bastille Linux (hardening tool)

system hardening

Bastille Linux was a popular tool to perform hardening of systems running Linux and other flavors. It has not received updates in recent years.

JShielder (Linux hardening tool)

system hardening

JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.

Lynis (security scanner and compliance auditing tool)

IT audit, penetration testing, security assessment, system hardening, vulnerability scanning

Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for continuous improvement. For this reason, it needs to be executed on the host system itself, and it provides more details than the average vulnerability scanner.

nixarmor (Linux hardening script)

system hardening

Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. It configures the system to increase its security level.

OpenSCAP (suite with tools and security data)

security assessment, vulnerability scanning

Tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.

Zeus (AWS auditing and hardening tool)

configuration audit, security assessment, self-assessment, system hardening

Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.

Highlighted tools based on their strengths

Some of the Linux hardening tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.

» Low on requirements = Lynis

Other related categories: configuration audit tools, Linux security audit tools
