Chapter 15: Linux Security Hardening

Security is not a one-time configuration but a defense-in-depth system. This chapter starts with SSH server hardening, moves through fail2ban brute-force protection, ufw/firewalld firewall rules, SELinux/AppArmor mandatory access control, auditd audit logging, AIDE file integrity checking, and closes with sysctl kernel parameters and security scanning tools — building a layered Linux security architecture.

1. SSH Server Hardening

SSH is the most common attack surface on servers. Default configurations carry several risks: allowing direct root login, allowing password authentication (vulnerable to brute force), and no connection rate limiting. Below are recommended /etc/ssh/sshd_config settings for production:

# /etc/ssh/sshd_config: recommended production settings
# (sshd_config does not accept trailing comments, so every note is on its own line)

# Protocol version: only SSHv2 (SSHv1 has known weaknesses).
# Modern OpenSSH speaks SSHv2 only and ignores this directive.
Protocol 2

# No direct root login (the account attackers try first)
PermitRootLogin no

# Disable password authentication; allow key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Allow-list: only the listed users/groups may log in
AllowUsers deploy alice bob
# AllowGroups sshusers

# Authentication limits
# Drop the connection after 3 failed authentication attempts
MaxAuthTries 3
# Authentication must complete within 20 seconds
LoginGraceTime 20
# At most 10 sessions per connection
MaxSessions 10
# Once 10 unauthenticated connections are pending, refuse 30% of new ones; refuse all at 60
MaxStartups 10:30:60

# Feature restrictions (minimize the attack surface)
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
PrintMotd no

# Keepalives (detect dead connections)
# Send a keepalive every 300 seconds
ClientAliveInterval 300
# Disconnect after 2 consecutive unanswered keepalives
ClientAliveCountMax 2

# Login banner (legal notice to deter unauthorized access)
Banner /etc/ssh/banner.txt

# Listen configuration (only on the interfaces that need it)
# ListenAddress 192.168.1.10
Port 22

# Log level (INFO records logins; VERBOSE also records key fingerprints)
LogLevel VERBOSE

# Disable insecure legacy algorithms: modern key exchange, AEAD ciphers, encrypt-then-MAC MACs
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Create the login banner (legal warning; adjust the wording to your organisation's notice)
cat > /etc/ssh/banner.txt <<'EOF'
Authorized access only. All activity on this system is monitored and logged.
EOF

# Validate the configuration and review the effective authentication settings before restarting sshd
sshd -t
sshd -T 2>&1 | grep -i "auth"

# Generate an ED25519 key (stronger and faster than RSA 4096)
ssh-keygen -t ed25519 -C "deploy@prod-$(date +%Y%m%d)" -f ~/.ssh/id_ed25519

# Deploy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Review SSH login logs
journalctl -u sshd --since "1 hour ago" | grep -E "Accepted|Failed|Invalid"
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head -20
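
Trusting the file on disk is not the same as knowing what sshd actually runs with (a drop-in under sshd_config.d or a duplicate directive can silently win). The script below, added here as an example and not part of the chapter's own material, compares the effective configuration printed by `sshd -T` against the values recommended above and counts the deviations. `write_sample` produces a constructed `sshd -T` dump for the demonstration; on a real host you feed it the real `sshd -T` output.

```shell
#!/bin/sh
# check_sshd_hardening FILE
# FILE holds the effective configuration as printed by `sshd -T`
# (one "keyword value" pair per line, keywords in lowercase).
# Prints one line per deviation from the recommended values and returns
# the number of deviations (0 means every checked setting is compliant).
check_sshd_hardening() {
    awk '
    BEGIN {
        # Expected values, taken from the recommended sshd_config above
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"]   = "yes"
        want["x11forwarding"]          = "no"
        want["allowtcpforwarding"]     = "no"
        want["allowagentforwarding"]   = "no"
        want["permittunnel"]           = "no"
        want["maxauthtries"]           = "3"
        want["loglevel"]               = "VERBOSE"
        bad = 0
    }
    # sshd -T prints each effective setting once; remember the value per keyword
    NF >= 2 { seen[$1] = $2 }
    END {
        for (k in want) {
            if (!(k in seen)) {
                printf "MISSING %s (want %s)\n", k, want[k]; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL    %s=%s (want %s)\n", k, seen[k], want[k]; bad++
            }
        }
        exit bad
    }' "$1"
}

# write_sample FILE: constructed `sshd -T` output for the demo (not captured from a real host).
# Two settings are deliberately left at their insecure defaults.
write_sample() {
    cat > "$1" <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
maxauthtries 3
loglevel VERBOSE
EOF
}

# On a live host (as root):  sshd -T > /tmp/sshd-effective && check_sshd_hardening /tmp/sshd-effective
# Demo on the constructed sample:
sample=$(mktemp)
write_sample "$sample"
check_sshd_hardening "$sample" || echo "deviations found: $?"
rm -f "$sample"
```

The return value is the number of deviations, so the function can gate a deployment pipeline or a configuration-management run directly.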

2. fail2ban: Brute-Force Protection

fail2ban monitors log files and automatically bans source IPs via iptables/firewalld when failed authentication attempts exceed a threshold within a time window. It is the standard defense against SSH brute-force attacks.

# Install fail2ban
apt install fail2ban        # Debian/Ubuntu
yum install fail2ban        # RHEL/CentOS
dnf install fail2ban        # Fedora

# Enable and start at boot
systemctl enable --now fail2ban

# /etc/fail2ban/jail.local: local overrides (never edit jail.conf itself)
# jail.conf is overwritten on upgrade; all customization goes in jail.local

[DEFAULT]
# Global ban duration: 10 minutes (-1 = permanent)
bantime  = 10m
# Observation window: ban when maxretry failures occur within 10 minutes
findtime = 10m
# Failure threshold
maxretry = 5
# Use the systemd journal backend (more efficient than polling log files)
backend = systemd
# Never ban localhost or the private ranges (avoid locking yourself out)
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 192.168.0.0/16

[sshd]
enabled  = true
port     = ssh
# Log backend (journald on systemd hosts)
backend  = systemd
maxretry = 3
bantime  = 1h
findtime = 5m

[nginx-http-auth]
enabled  = true
port     = http,https
# nginx writes to a plain file, so override the journal backend inherited from [DEFAULT]
backend  = auto
logpath  = /var/log/nginx/error.log
maxretry = 5

[nginx-limit-req]
enabled  = true
port     = http,https
backend  = auto
logpath  = /var/log/nginx/error.log
maxretry = 10
findtime = 1m
bantime  = 10m

# Reload the configuration
fail2ban-client reload

# Overview of all jails
fail2ban-client status

# Details for one jail (including the list of banned IPs)
fail2ban-client status sshd

# Manually unban an IP
fail2ban-client set sshd unbanip 203.0.113.42

# Manually ban an IP
fail2ban-client set sshd banip 203.0.113.42

# fail2ban logs
journalctl -u fail2ban -f
tail -f /var/log/fail2ban.log

# Test whether a filter's regex matches the log as intended
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

# Custom filter (example: rate limiting on a custom API that answers 429)
cat > /etc/fail2ban/filter.d/nginx-custom-api.conf <<'EOF'
[Definition]
failregex = ^<HOST> .* "(?:GET|POST) /api/.*" 429
ignoreregex =
EOF
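
What `maxretry` and `findtime` actually do can be reproduced over a log excerpt, which is also a useful way to sanity-check thresholds before changing a jail. The script below is an added example, not from the chapter or the fail2ban project: it scans `Failed password`/`Invalid user` lines, counts failures per source IP inside a sliding window of `findtime` seconds, and reports the IPs that would be banned. `write_auth_sample` writes a constructed auth.log excerpt using documentation address ranges; the timestamp arithmetic assumes all lines fall on the same day.

```shell
#!/bin/sh
# detect_bruteforce LOGFILE MAXRETRY FINDTIME
# Reports "BAN <ip> (<n> failures within <findtime>s)" for every source IP that
# accumulates MAXRETRY failed logins inside a sliding window of FINDTIME seconds,
# mirroring fail2ban's maxretry/findtime logic for the sshd filter.
detect_bruteforce() {
    awk -v maxretry="$2" -v findtime="$3" '
    # Seconds since midnight from the syslog "HH:MM:SS" field
    # (assumption: all sample lines are from the same day)
    function tosec(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /Failed password|Invalid user/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
        if (ip == "") next
        now = tosec($3)
        # keep only the earlier timestamps still inside the window, then add this one
        n = split(hist[ip], arr, " ")
        keep = ""; cnt = 0
        for (j = 1; j <= n; j++) if (now - arr[j] < findtime) { keep = keep " " arr[j]; cnt++ }
        hist[ip] = keep " " now
        cnt++
        if (cnt >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            printf "BAN %s (%d failures within %ss)\n", ip, cnt, findtime
        }
    }' "$1"
}

# write_auth_sample FILE: constructed auth.log excerpt (documentation IP ranges, not real traffic).
# 203.0.113.42 fails three times in four seconds; 198.51.100.7 fails three times over forty minutes.
write_auth_sample() {
    cat > "$1" <<'EOF'
Apr 25 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.42 port 51234 ssh2
Apr 25 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.42 port 51236 ssh2
Apr 25 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.42 port 51238 ssh2
Apr 25 10:00:09 web1 sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Apr 25 10:01:00 web1 sshd[1209]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Apr 25 10:20:00 web1 sshd[1301]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Apr 25 10:40:00 web1 sshd[1401]: Failed password for alice from 198.51.100.7 port 40006 ssh2
EOF
}

# Demo with the same thresholds as the [sshd] jail above (maxretry 3, findtime 5m):
# only the fast attacker is banned
log=$(mktemp)
write_auth_sample "$log"
detect_bruteforce "$log" 3 300
# A 60-minute window also catches the slow attempts against alice
detect_bruteforce "$log" 3 3600
rm -f "$log"
```

The second run shows the trade-off behind `findtime`: a longer window catches slow, spread-out guessing but also raises the chance of banning a legitimate user who mistypes a password a few times during the day.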

3. Firewall Configuration

ufw — Simple Frontend (Ubuntu/Debian)

# Default policy: deny all inbound, allow all outbound
ufw default deny incoming
ufw default allow outgoing

# Allow services (by name or port)
ufw allow ssh            # SSH (22/tcp)
ufw allow 80/tcp         # HTTP
ufw allow 443/tcp        # HTTPS
ufw allow 8080/tcp       # custom port

# Allow access from a specific IP/network
ufw allow from 10.0.0.0/8 to any port 5432   # PostgreSQL from the internal network only
ufw allow from 203.0.113.10 to any port 22   # SSH from one IP only

# Rate limiting (brute-force protection; triggers at 6 connections within 30 seconds)
ufw limit ssh

# Deny rules
ufw deny 23/tcp          # deny Telnet

# Delete a rule (two steps: look up the number, then delete)
ufw status numbered
ufw delete 3             # delete rule number 3

# Enable/disable the firewall
ufw enable
ufw disable

# Show status (verbose shows more detail)
ufw status verbose

# Enable logging (records rejected connections)
ufw logging on
ufw logging medium       # low/medium/high/full

# ufw log
tail -f /var/log/ufw.log

firewalld — Dynamic Firewall (RHEL/CentOS/Fedora)

# Check firewalld status
firewall-cmd --state
systemctl status firewalld

# List all zones and the current default zone
firewall-cmd --get-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones

# Show the current rules of the public zone
firewall-cmd --zone=public --list-all

# Add a service (runtime only, lost on restart)
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-service=https

# Add a port
firewall-cmd --zone=public --add-port=8080/tcp

# Make it permanent (add --permanent, then --reload)
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

# Remove a rule
firewall-cmd --zone=public --remove-service=telnet --permanent
firewall-cmd --reload

# Rich rules (finer-grained control)
# Allow SSH from one IP only
firewall-cmd --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="203.0.113.10/32"
  service name="ssh"
  accept' --permanent

# Drop all traffic from a network
firewall-cmd --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="198.51.100.0/24"
  drop' --permanent

# Rate limiting (at most 3 SSH connections per minute)
firewall-cmd --zone=public --add-rich-rule='
  rule family="ipv4"
  service name="ssh"
  limit value="3/m"
  accept' --permanent

firewall-cmd --reload

# Show all permanent rules
firewall-cmd --list-all --permanent

4. SELinux: Mandatory Access Control (RHEL/CentOS/Fedora)

SELinux (Security-Enhanced Linux) was developed by the NSA and open-sourced. It labels every process and file with a security context and uses policy rules to control which resources a process can access. Even if a process is compromised via a vulnerability (e.g., RCE), SELinux limits what it can actually do.

# Show the current SELinux mode
getenforce
# Enforcing  = policy enforced (violations denied and logged)
# Permissive = violations logged but not denied (debug mode)
# Disabled   = SELinux completely off

# Detailed status
sestatus

# Switch mode temporarily (reverts to the /etc/selinux/config setting on reboot)
setenforce 0    # Permissive (for troubleshooting)
setenforce 1    # back to Enforcing

# Change the mode permanently (takes effect after reboot)
# Edit /etc/selinux/config
# SELINUX=enforcing    # enforcing / permissive / disabled

# Show the SELinux context of files
ls -Z /var/www/html/
# -rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

# Show the SELinux context of processes
ps axZ | grep nginx
# system_u:system_r:httpd_t:s0    nginx

# Restore the default context of files (the most common fix)
restorecon -Rv /var/www/html/
restorecon -v /etc/nginx/nginx.conf

# Change a file context by hand
chcon -t httpd_sys_content_t /data/myapp/public/

# Change the context permanently (survives restorecon)
semanage fcontext -a -t httpd_sys_content_t "/data/myapp/public(/.*)?"
restorecon -Rv /data/myapp/public/

# List all context rules
semanage fcontext -l | grep httpd

# Show SELinux booleans (feature toggles)
getsebool -a | grep httpd
# httpd_can_network_connect --> off
# httpd_enable_homedirs --> off

# Allow nginx to open outbound network connections (e.g. to reverse-proxy backends)
setsebool -P httpd_can_network_connect on
# -P makes the change persistent (written to the policy store, survives reboot)

audit2allow: Generate Rules from Logs

# Show recent AVC denials (AVC = Access Vector Cache)
ausearch -m avc -ts recent
# or
grep "avc:  denied" /var/log/audit/audit.log | tail -20

# Typical AVC denied message:
# type=AVC msg=audit(1714000000.123:456): avc:  denied  { read } for
#   pid=1234 comm="nginx" name="config.json"
#   scontext=system_u:system_r:httpd_t:s0
#   tcontext=unconfined_u:object_r:user_home_t:s0
#   tclass=file permissive=0
# → the nginx process tried to read a file labelled user_home_t and was denied

# Generate allow rules from audit.log (run the application in Permissive mode first to collect every AVC, then generate the policy)
ausearch -m avc -ts today | audit2allow -m myapp_policy

# Generate and install a policy module
ausearch -m avc -ts today | audit2allow -M myapp_policy
semodule -i myapp_policy.pp

# List installed policy modules
semodule -l | grep myapp

# Troubleshooting workflow:
# 1. setenforce 0 (switch to Permissive)
# 2. Reproduce the problem; if it persists, SELinux is not the cause
# 3. setenforce 1 (back to Enforcing)
# 4. Check audit.log for avc denied entries
# 5. Generate a least-privilege policy with audit2allow (and read the generated .te before installing it; relabelling is often the better fix)
# 6. Install the policy module
# 7. Test to confirm the problem is resolved
5. AppArmor: Application Sandboxing (Ubuntu/Debian)

AppArmor is an alternative to SELinux that restricts program capabilities based on path (rather than inode labels). Enabled by default on Ubuntu, its profiles are simpler and more readable, making it suitable for rapid deployment.

# Status of all profiles
aa-status
# Shows: number of profiles in enforce mode, number in complain mode, unconfined processes

# Check whether a process is confined by AppArmor
# (-o picks the oldest nginx process; pgrep without it may return several PIDs)
cat /proc/$(pgrep -o nginx)/attr/current

# Switch profile mode
aa-enforce /etc/apparmor.d/usr.sbin.nginx    # enforce mode
aa-complain /etc/apparmor.d/usr.sbin.nginx   # log only (like SELinux Permissive)
aa-disable /etc/apparmor.d/usr.sbin.nginx    # disable

# Reload a profile
apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

# Interactive learning with aa-logprof (derive rules from logs)
# Run the application in complain mode first, then
aa-logprof    # walk through the logged violations and allow/deny each one

# Example structure of a profile in /etc/apparmor.d/
cat /etc/apparmor.d/usr.sbin.nginx
# Typical content:
# #include <tunables/global>
# /usr/sbin/nginx {
#   #include <abstractions/base>
#   capability net_bind_service,    # bind privileged ports
#   /var/log/nginx/** rw,           # read/write the log directory
#   /var/www/html/** r,             # read-only web root
#   /etc/nginx/** r,                # read-only configuration
#   /run/nginx.pid rw,              # read/write the PID file
#   deny /etc/shadow r,             # explicitly deny reading shadow
# }

# AppArmor logs
grep apparmor /var/log/kern.log | tail -20
journalctl -k | grep apparmor | tail -20

6. auditd: Kernel Audit Subsystem

auditd is the userspace daemon for the Linux kernel audit framework. It records: file access, system calls, user authentication, and privileged operations. Configuring auditd is mandatory for compliance requirements (PCI DSS, HIPAA, SOC2).

# Install auditd
apt install auditd audispd-plugins    # Debian/Ubuntu
yum install audit                     # RHEL/CentOS

# Enable and start
systemctl enable --now auditd

# Follow the audit log live
tail -f /var/log/audit/audit.log

# auditctl: add rules at runtime (lost on reboot)
# Watch file access (-w path, -p permissions r/w/x/a, -k key tag for searching)
auditctl -w /etc/passwd -p rwa -k passwd_changes
auditctl -w /etc/sudoers -p rwa -k sudoers_changes
auditctl -w /etc/shadow -p rwa -k shadow_changes
auditctl -w /var/log/auth.log -p rwa -k auth_log

# Watch a directory (recursive)
auditctl -w /etc/ssh/ -p rwa -k ssh_config

# Watch system calls (-a action,filter -S syscall -F field=value -k key)
# Every execve call (a command history including arguments)
auditctl -a always,exit -F arch=b64 -S execve -k cmd_exec
# Privilege changes (setuid/setgid)
auditctl -a always,exit -F arch=b64 -S setuid,setgid -k privilege_esc
# Network configuration changes
auditctl -a always,exit -F arch=b64 -S sethostname,setdomainname -k network_mod

# List the active rules
auditctl -l

# auditd status
auditctl -s

# /etc/audit/rules.d/99-security.rules: persistent audit rules
# Kept as a file and loaded automatically when auditd restarts

# Delete all existing rules
-D

# Buffer size (raise it on busy systems)
-b 8192

# Action when the kernel cannot log: 0=silent, 1=printk, 2=panic
-f 1

# === Identity and authentication ===
-w /etc/passwd -p rwa -k identity
-w /etc/group -p rwa -k identity
-w /etc/shadow -p rwa -k identity
-w /etc/gshadow -p rwa -k identity
-w /etc/security/opasswd -p wa -k identity

# === Privileged commands ===
-w /usr/bin/passwd -p x -k privileged
-w /usr/bin/sudo -p x -k privileged
-w /usr/sbin/visudo -p x -k privileged
-w /bin/su -p x -k privileged

# === SSH configuration ===
-w /etc/ssh/sshd_config -p rwa -k sshd_config

# === System call monitoring ===
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k open_failed
-a always,exit -F arch=b64 -S ptrace -k ptrace

# === Network ===
# Very noisy on busy hosts; narrow it with an extra -F filter (e.g. -F auid>=1000) if the volume becomes a problem
-a always,exit -F arch=b64 -S bind,listen,accept,connect -k network

# Make the rules immutable (highest security level; changing them then requires a reboot)
# -e 2

# ausearch: query the audit log

# By key
ausearch -k passwd_changes
ausearch -k privileged

# By file
ausearch -f /etc/passwd

# By user
ausearch -ua alice

# By time range
ausearch -ts "04/25/2026 00:00:00" -te "04/25/2026 23:59:59"
ausearch -ts today
ausearch -ts recent    # last 10 minutes

# By message type
ausearch -m USER_LOGIN    # user logins
ausearch -m USER_AUTH     # authentication events
ausearch -m SYSCALL       # system calls
ausearch -m AVC           # SELinux denials

# aureport: summary reports

# Overall summary
aureport --summary

# Authentication report (login success/failure counts)
aureport -au

# Failed events
aureport --failed

# File access report
aureport -f

# Executable report
aureport -x

# Anomaly report
aureport -a
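
The `-k exec` rule above records every command, but the part an investigator wants, the full argument vector, arrives in a separate PROCTITLE record that auditd hex-encodes whenever the arguments contain NUL separators. The script below is an added example, not from the chapter or the audit package: it joins SYSCALL and PROCTITLE records by event id and decodes the hex so each event reads as `auid uid exe cmd`. `write_audit_sample` holds constructed records (real ones carry many more fields but the same structure). On a live host `ausearch -i` performs this interpretation for you; the point here is to show what the raw records contain and why the login uid (`auid`) matters when `uid` is 0.

```shell
#!/bin/sh
# execve_report AUDITLOG
# Prints one line per execve event carrying key="exec":
#   auid=<login uid> uid=<effective uid> exe=<binary> cmd=<decoded argv>
execve_report() {
    awk '
    # two hex digits -> number
    function hexval(hh,   k, r) {
        r = 0
        for (k = 1; k <= 2; k++) r = r * 16 + index("0123456789abcdef", tolower(substr(hh, k, 1))) - 1
        return r
    }
    # hex string -> text; NUL bytes separate arguments, so render them as spaces
    function hexdec(h,   i, v, out) {
        out = ""
        for (i = 1; i <= length(h); i += 2) {
            v = hexval(substr(h, i, 2))
            out = out (v == 0 ? " " : sprintf("%c", v))
        }
        return out
    }
    # the event id is the "timestamp:serial" inside msg=audit(...)
    function event_id(line) { match(line, /audit\([^)]*\)/); return substr(line, RSTART + 6, RLENGTH - 7) }
    # value of a name=value field on the current record ("" if absent)
    function field(name,   i) { for (i = 1; i <= NF; i++) if (index($i, name "=") == 1) return substr($i, length(name) + 2); return "" }
    /^type=SYSCALL / && /key="exec"/ {
        id = event_id($0)
        auid[id] = field("auid"); uid[id] = field("uid")
        exe[id] = field("exe"); gsub(/"/, "", exe[id])
    }
    /^type=PROCTITLE / {
        id = event_id($0)
        if (!(id in exe)) next                               # not one of our execve events
        raw = field("proctitle")
        if (raw ~ /^"/) { gsub(/"/, "", raw); cmd = raw }   # plain quoted value: a single argument
        else cmd = hexdec(raw)                               # hex-encoded: argv with NUL separators
        printf "auid=%s uid=%s exe=%s cmd=%s\n", auid[id], uid[id], exe[id], cmd
    }' "$1"
}

# write_audit_sample FILE: constructed audit.log excerpt (fields trimmed, structure as auditd writes it)
write_audit_sample() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1714000100.001:900): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1714000100.001:900): argc=2 a0="cat" a1="/etc/shadow"
type=PROCTITLE msg=audit(1714000100.001:900): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1714000100.002:901): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1502 auid=1000 uid=1000 gid=1000 euid=1000 comm="id" exe="/usr/bin/id" key="exec"
type=PROCTITLE msg=audit(1714000100.002:901): proctitle="id"
type=SYSCALL msg=audit(1714000100.003:902): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 comm="nginx" exe="/usr/sbin/nginx" key="open_failed"
type=PROCTITLE msg=audit(1714000100.003:902): proctitle=2F7573722F7362696E2F6E67696E78
EOF
}

# Demo; on a live host: execve_report /var/log/audit/audit.log
f=$(mktemp); write_audit_sample "$f"; execve_report "$f"; rm -f "$f"
```

The first event is the one worth alerting on: `auid=1000` identifies the person who logged in even though the command ran as `uid=0`, which is the reason audit records carry the login uid separately from the effective uid.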

7. File Integrity Monitoring

File Integrity Monitoring (FIM) builds a baseline hash database of critical files and periodically checks for unauthorized modifications. It is a key technique for detecting post-intrusion system tampering. AIDE (Advanced Intrusion Detection Environment) is the most commonly used open-source tool.

# Install AIDE
apt install aide          # Debian/Ubuntu
yum install aide          # RHEL/CentOS

# Inspect the configuration (defines what is monitored and which hashes are used)
head -50 /etc/aide/aide.conf
# Monitored by default: /etc /bin /sbin /usr/bin /usr/sbin /boot /lib

# Initialize the baseline database (run once, on a known-clean system)
aide --init
# Produces /var/lib/aide/aide.db.new.gz

# Activate the new database as the current baseline
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Keep a copy of the baseline off-host or on read-only media: an intruder with root can simply re-run aide --init

# Run an integrity check against the baseline
aide --check
# Example output:
# File: /etc/passwd
#   MD5    : expected-hash != actual-hash
#   Changed attributes: p md5 sha256
# → /etc/passwd has been modified

# Update the baseline (required after planned changes)
aide --update
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Schedule a periodic check (cron)
echo "0 3 * * * root /usr/bin/aide --check | mail -s 'AIDE Report' admin@example.com" \
  >> /etc/cron.d/aide

# Custom AIDE rules (aide.conf fragment)
# /etc/custom PERMS+MD5+SHA256  # monitor permissions and hashes only
# !/var/log                     # exclude the log directory (changes constantly)
# !/proc !/sys !/dev            # exclude pseudo filesystems

# tripwire (commercial-grade FIM tool with more features)
# Install:                 apt install tripwire
# Initialize the database: tripwire --init
# Check:                   tripwire --check
# Update:                  tripwire --update -r /var/lib/tripwire/report/...
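
AIDE's database is, at its core, a table of hashes and attributes keyed by path, compared against a fresh scan. The script below is an added example, not from the chapter or from AIDE: it implements that loop with `sha256sum` and `stat` so the baseline/check cycle described above can be watched end to end on a throwaway directory. It relies on GNU coreutils (`stat -c`, `sha256sum`, `mktemp`) and stores one `hash<TAB>mode:uid:gid<TAB>path` line per file. Like AIDE it only sees differences between two scans, so its baseline must live where a root-level intruder cannot rewrite it.

```shell
#!/bin/sh
# fim_init DIR BASELINE
# Record sha256, mode and ownership of every regular file under DIR as
# tab-separated "hash<TAB>mode:uid:gid<TAB>path" lines, sorted by path.
fim_init() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a:%u:%g' "$f")" "$f"
    done > "$2"
}

# fim_check DIR BASELINE
# Rescan DIR and print ADDED / REMOVED / CHANGED lines relative to BASELINE.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
fim_check() {
    current=$(mktemp)
    fim_init "$1" "$current"
    findings=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }   # first file: the baseline
        {
            if (!($3 in base))             print "ADDED   " $3
            else {
                if (base[$3] != $1 " " $2) print "CHANGED " $3   # hash or mode/ownership differs
                delete base[$3]
            }
        }
        END { for (p in base) print "REMOVED " p }             # left in base = no longer on disk
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a throwaway directory with constructed content (not a real system)
demo=$(mktemp -d); base=$(mktemp)
printf 'Listen 443\n' > "$demo/app.conf"
fim_init "$demo" "$base"
printf 'Listen 443\nListen 8080\n' > "$demo/app.conf"   # simulate tampering after the baseline
fim_check "$demo" "$base" || echo "integrity violation detected"
rm -rf "$demo" "$base"
```

Mode and ownership are part of the comparison on purpose: a file whose content is untouched but that became world-writable or setuid is as much a finding as a modified binary, which is why AIDE's rule groups (`PERMS+MD5+SHA256` above) combine attributes with hashes.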

8. User Password Policy

# /etc/login.defs: global password policy (applies to newly created users)
grep -E "^PASS_" /etc/login.defs
# PASS_MAX_DAYS   90    # password must be changed after at most 90 days
# PASS_MIN_DAYS   1     # at least 1 day between changes
# PASS_MIN_LEN    12    # minimum password length
# PASS_WARN_AGE   14    # warn 14 days before expiry

# chage: per-user password expiry policy
chage -l alice                   # show alice's password ageing information
chage -M 90 alice                # maximum validity 90 days
chage -m 1 alice                 # minimum 1 day between changes
chage -W 14 alice                # warn 14 days before expiry
chage -E 2026-12-31 alice        # account expiry date
chage -d 0 alice                 # force a password change at next login

# Account status
passwd -S alice
# alice P 2026-01-01 1 90 14 -1 (Password set, SHA512 crypt.)

# /etc/security/pwquality.conf: pam_pwquality password strength policy
# Requires: apt install libpam-pwquality

# Minimum length
minlen = 14
# At least 1 uppercase letter
ucredit = -1
# At least 1 lowercase letter
lcredit = -1
# At least 1 digit
dcredit = -1
# At least 1 special character
ocredit = -1
# No more than 3 identical consecutive characters
maxrepeat = 3
# Must not contain the username
usercheck = 1
# Must not be a common (dictionary) password
dictcheck = 1
# Number of attempts the user gets before pam_pwquality returns an error
retry = 3

# /etc/pam.d/common-password (Ubuntu/Debian): configure pam_pwquality
# Back up before editing
cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

# Make sure this line is present (enforce_for_root applies the policy to root too)
# password requisite pam_pwquality.so retry=3 enforce_for_root

# Prevent password reuse (remember the last 5 passwords)
# password required pam_pwhistory.so remember=5 enforce_for_root

# Account lockout (lock after 3 wrong passwords, unlock automatically after 15 minutes)
# Add to /etc/pam.d/common-auth:
# auth required pam_tally2.so onerr=fail deny=3 unlock_time=900
# or (pam_faillock on newer systems; it needs both a preauth and an authfail line):
# auth required pam_faillock.so preauth deny=3 unlock_time=900
# auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900

# Show lockout status
faillock --user alice
# Unlock manually
faillock --user alice --reset

9. sysctl Kernel Security Parameters

# /etc/sysctl.d/99-security.conf: kernel hardening parameters
# Apply with: sysctl --system or sysctl -p /etc/sysctl.d/99-security.conf

# === Network ===

# Anti-spoofing (reverse path filtering): 1=strict, 2=loose, 0=off
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects (prevents route spoofing)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore broadcast ICMP (prevents Smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Log packets with spoofed or unroutable source addresses
net.ipv4.conf.all.log_martians = 1

# SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1

# SYN retransmissions (shorten the time half-open connections hold resources)
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2

# Reuse TIME_WAIT sockets (high-concurrency servers)
net.ipv4.tcp_tw_reuse = 1

# === Kernel ===

# Hide kernel pointers (/proc/kallsyms etc.): 0=show, 1=root only, 2=hide from everyone
kernel.kptr_restrict = 2

# Restrict dmesg to root: 0=allow, 1=restrict
kernel.dmesg_restrict = 1

# Restrict perf for unprivileged users: -1=unrestricted, 0=allowed, 1-3=progressively stricter
kernel.perf_event_paranoid = 3

# Restrict ptrace: 0=unrestricted, 1=attach to descendants only, 2=root (CAP_SYS_PTRACE) only
kernel.yama.ptrace_scope = 1

# Append the PID to core dump file names (avoid overwriting)
kernel.core_uses_pid = 1

# Disable the magic SysRq key (prevents attacks from the local console)
kernel.sysrq = 0

# Address space layout randomization (ASLR): 0=off, 1=conservative, 2=full
kernel.randomize_va_space = 2

# Hardlink/symlink protection in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Apply the sysctl configuration
sysctl --system                    # load every /etc/sysctl.d/*.conf
sysctl -p /etc/sysctl.d/99-security.conf  # load one file only

# Show the current value of a parameter
sysctl net.ipv4.tcp_syncookies
sysctl kernel.kptr_restrict

# Change at runtime (lost on reboot)
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w kernel.kptr_restrict=2
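
Applying the file once is not the same as the values staying in place: a later package, a container runtime or a stray `sysctl -w` can change them. The script below is an added example, not from the chapter: it compares a desired-state file in the format above against a `sysctl -a` dump and reports every key that drifted or is absent from the running kernel. The two `write_*` functions create constructed inputs for the demo; on a live host pass `/etc/sysctl.d/99-security.conf` and the saved output of `sysctl -a`.

```shell
#!/bin/sh
# sysctl_drift DESIRED CURRENT
# DESIRED: a sysctl.d-style file ("key = value", # comments allowed)
# CURRENT: the output of `sysctl -a` (same "key = value" format)
# Prints DRIFT/UNKNOWN lines and returns the number of keys that are not as desired.
sysctl_drift() {
    awk '
    # strip surrounding whitespace and collapse internal runs (sysctl -a prints tabs in multi-value keys)
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
    # split "key = value" into kv[1], kv[2]; returns 0 for comment/blank lines
    function parse(line, kv) {
        sub(/#.*/, "", line)
        if (line !~ /=/) return 0
        kv[1] = trim(substr(line, 1, index(line, "=") - 1))
        kv[2] = trim(substr(line, index(line, "=") + 1))
        return 1
    }
    FILENAME == ARGV[1] { if (parse($0, kv)) want[kv[1]] = kv[2]; next }   # first file: desired state
    { if (parse($0, kv)) cur[kv[1]] = kv[2] }                              # second file: running values
    END {
        bad = 0
        for (k in want) {
            if (!(k in cur))            { printf "UNKNOWN %s (not exposed by this kernel)\n", k; bad++ }
            else if (cur[k] != want[k]) { printf "DRIFT   %s current=%s want=%s\n", k, cur[k], want[k]; bad++ }
        }
        exit bad
    }' "$1" "$2"
}

# write_desired FILE: constructed fragment of the hardening file above
write_desired() {
    cat > "$1" <<'EOF'
# constructed desired state
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
fs.protected_symlinks = 1
EOF
}

# write_current FILE: constructed `sysctl -a` excerpt with one drifted value and one missing key
write_current() {
    cat > "$1" <<'EOF'
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 0
fs.protected_symlinks = 1
net.ipv4.tcp_rmem = 4096 131072 6291456
EOF
}

# Demo; on a live host: sysctl -a 2>/dev/null > /tmp/sysctl.cur && sysctl_drift /etc/sysctl.d/99-security.conf /tmp/sysctl.cur
want=$(mktemp); have=$(mktemp)
write_desired "$want"; write_current "$have"
sysctl_drift "$want" "$have" || echo "keys not as desired: $?"
rm -f "$want" "$have"
```

An UNKNOWN key is worth a look rather than a shrug: `kernel.yama.ptrace_scope`, for instance, only exists when the Yama LSM is built in, so its absence means that protection is not available on the host at all, not merely unset.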

10. Security Audit Tools and Checklist

lynis — System Security Scanning

# Install lynis (lightweight, agentless security audit tool)
apt install lynis          # Debian/Ubuntu
yum install lynis          # RHEL/CentOS
# or fetch the latest release from upstream
git clone https://github.com/CISOfy/lynis.git /opt/lynis

# Run a full system audit
lynis audit system
# Colour report including:
# - findings (WARNING/SUGGESTION) for vulnerabilities and weak configuration
# - hardening score (Hardening Index: 0-100)
# - CIS Benchmark references

# Scan a single category
lynis audit system --tests-from-group ssh
lynis audit system --tests-from-group authentication
lynis audit system --tests-from-group networking

# Non-interactive mode (for CI/cron)
lynis audit system --quick --no-colors 2>&1 | tee /var/log/lynis-$(date +%Y%m%d).log

# Report details
lynis show details AUTH-9308   # full explanation of one suggestion

Production Security Checklist

Category   | Check item                          | Verify command
-----------|-------------------------------------|-----------------------------------------------------------------------------
SSH        | Root login disabled                 | sshd -T
SSH        | Password authentication disabled    | sshd -T
Firewall   | Firewall active                     | ufw status / firewall-cmd --state
Updates    | No pending security updates         | apt list --upgradable 2>/dev/null
Accounts   | No accounts with empty passwords    | awk -F: '($2==""){print $1}' /etc/shadow
Accounts   | No extra uid=0 accounts             | awk -F: '($3==0){print $1}' /etc/passwd
File perms | Review SUID/SGID executables        | find / -perm /6000 -type f 2>/dev/null
Network    | Review listening ports              | ss -tlnp
Processes  | Look for suspicious processes       | ps aux
Cron       | Audit all crontabs                  | for u in $(cut -f1 -d: /etc/passwd); do crontab -u $u -l 2>/dev/null; done
SELinux/AA | MAC enabled                         | getenforce / aa-status
auditd     | Audit daemon running                | systemctl is-active auditd
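
The two account checks in the checklist are easy to turn into a script that runs from cron or an image-build test and fails loudly, instead of relying on someone reading `awk` output. The function below is an added example, not from the chapter: it takes the passwd and shadow files as arguments so it can be pointed at a mounted image or, as here, at constructed copies (on a live host pass `/etc/passwd` and `/etc/shadow`). It reports accounts whose shadow password field is empty and any uid-0 account other than root, and returns non-zero when it finds anything.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW
# Prints "EMPTY_PASSWORD <user>" for accounts whose shadow password field is empty
# (login succeeds with no password) and "UID0 <user>" for every uid-0 account other than root.
# Returns 0 when clean, 1 when there is at least one finding.
audit_accounts() {
    findings=$(awk -F: '
        # first file: passwd (name:x:uid:gid:gecos:home:shell)
        FILENAME == ARGV[1] { if ($3 == 0 && $1 != "root") print "UID0 " $1; next }
        # second file: shadow (name:hash:...); "*" and "!" mean locked, a hash means set,
        # only an empty field is a finding
        $2 == "" { print "EMPTY_PASSWORD " $1 }
    ' "$1" "$2" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed passwd/shadow samples (hashes are placeholders, not real credentials)
write_passwd_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:999:999::/var/lib/svc:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
EOF
}
write_shadow_sample() {
    cat > "$1" <<'EOF'
root:$6$constructedsalt$constructedhash:19800:0:99999:7:::
alice::19800:0:99999:7:::
svc:*:19800:0:99999:7:::
backdoor:$6$constructedsalt$constructedhash:19800:0:99999:7:::
EOF
}

# Demo; on a live host (as root): audit_accounts /etc/passwd /etc/shadow
p=$(mktemp); s=$(mktemp)
write_passwd_sample "$p"; write_shadow_sample "$s"
audit_accounts "$p" "$s" || echo "account audit failed"
rm -f "$p" "$s"
```

The locked-account distinction matters in practice: service accounts legitimately carry `*` or `!` in the shadow file, and flagging them would bury the one finding that counts, the account that can log in with no password at all.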

CIS Benchmark: CIS (Center for Internet Security) publishes detailed Linux security hardening benchmarks (CIS Benchmark for Ubuntu/RHEL/Debian), divided into Level 1 (baseline, production-ready) and Level 2 (strict, may impact functionality). Run through the CIS Benchmark before delivering a new system — lynis automatically annotates CIS reference numbers. Download at: cisecurity.org/cis-benchmarks.
