Linux hardening tools
Hardening Linux systems can be a time-consuming task, especially if you don't know what to look at. These tools help with system hardening by analyzing the system and showing any findings that might need to be corrected.
This category includes tools that perform a system analysis or actively make changes to the system. The 'set it and forget it' approach is a dangerous one when it comes to Linux hardening. It may result in unwanted configurations or unexpected behavior. For most environments, it is suggested to choose the combination of an audit tool and a configuration management tool (Ansible, Chef, Puppet, Salt, etc.). This way changes are better controlled and settings can be documented.
Linux hardening tools are typically used for configuration audit and system hardening.
Users of these tools include auditors, security professionals, and system administrators.
Bastille Linux (hardening tool)
Bastille Linux was a popular tool to perform hardening of systems running Linux and other flavors. It has not received updates in recent years.
JShielder (Linux hardening tool)
JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.
Lynis (security scanner and compliance auditing tool)
IT audit, penetration testing, security assessment, system hardening, vulnerability scanning
Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for continuous improvement. For this reason, it needs to be executed on the host system itself, and it provides more details than the average vulnerability scanner.
nixarmor (Linux hardening script)
Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. It configures the system to increase its security level.
OpenSCAP (suite with tools and security data)
security assessment, vulnerability scanning
Tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
Zeus (AWS auditing and hardening tool)
configuration audit, security assessment, self-assessment, system hardening
Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.
Highlighted tools based on their strengths
Some of the Linux hardening tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.
Missing a favorite tool in this list? Share a tool suggestion and we will review it.