Linux hardening tools
Introduction
Hardening Linux systems can be a time-consuming task, especially if you don't know what to look at. These tools help with system hardening by analyzing the system and showing any findings that might need to be corrected.
This category includes tools that perform a system analysis or actively make changes to the system. The 'set it and forget it' approach is a dangerous one when it comes to Linux hardening. It may result in unwanted configurations or unexpected behavior. For most environments, it is suggested to choose the combination of an audit tool and a configuration management tool (Ansible, Chef, Puppet, Salt, etc.). This way changes are better controlled and settings can be documented.
Usage
Linux hardening tools are typically used for configuration audit and system hardening.
Users of these tools include auditors, security professionals, and system administrators.
Tools
Highlighted tools
Some of the Linux hardening tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.
Popular Linux hardening tools
Bastille Linux (hardening tool)
system hardening
Bastille Linux was a popular tool to perform hardening of systems running Linux and other flavors. It has not received updates in recent years.
JShielder (Linux hardening tool)
system hardening
JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.
Lynis (security scanner and compliance auditing tool)
IT audit, penetration testing, security assessment, system hardening, vulnerability scanning
Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for an in-depth audit and continuous improvement. For this reason, it needs to be executed on the host system itself. By seeing the system from the inside out, it can provide more specific details than the average vulnerability scanner.
OpenSCAP (suite with tools and security data)
security assessment, vulnerability scanning
Tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
Zeus (AWS auditing and hardening tool)
configuration audit, security assessment, self-assessment, system hardening
Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.
nixarmor (Linux hardening script)
system hardening
Nixarmor is a set of shell scripts to harden Linux systems and help with security automation. It configures the system to increase its security level.
Other related categories: Linux security audit tools, configuration audit tools