Linux hardening tools


Introduction

Hardening Linux systems can be a time-consuming task, especially if you don't know what to look at. These tools help with system hardening by analyzing the system and showing any findings that might need to be corrected.

This category includes tools that analyze the system or actively make changes to it. The 'set it and forget it' approach is a dangerous one when it comes to Linux hardening. It may result in unwanted configurations or unexpected behavior. For most environments, it is suggested to choose the combination of an audit tool and a configuration management tool (Ansible, Chef, Puppet, Salt, etc.). This way changes are better controlled and settings can be documented.

Usage

Linux hardening tools are typically used for configuration audit and system hardening.

Users of these tools include auditors, security professionals, and system administrators.

Tools

Highlighted tools

Some of the Linux hardening tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.

» Low on requirements = Lynis

Popular Linux hardening tools

Bastille Linux (hardening tool)

system hardening

Bastille Linux was a popular tool for hardening systems running Linux and other flavors. It has not received updates in recent years.

JShielder (Linux hardening tool)

system hardening

JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.

Lynis (security scanner and compliance auditing tool)

IT audit, penetration testing, security assessment, system hardening, vulnerability scanning

Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for an in-depth audit and continuous improvement. For this reason, it needs to be executed on the host system itself. By seeing the system from the inside out, it can provide more specific details than the average vulnerability scanner.

OpenSCAP (suite with tools and security data)

security assessment, vulnerability scanning

Tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines.

Zeus (AWS auditing and hardening tool)

configuration audit, security assessment, self-assessment, system hardening

Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.

nixarmor (Linux hardening script)

system hardening

Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. It configures the system to increase its security level.

Other related categories: Linux security audit tools, configuration audit tools
