Linux - Hardening

The following Linux distributions can be hardened during provisioning:

  • Debian, starting with version 11

  • Ubuntu, starting with version 22.04

  • Oracle Linux, starting with version 9

Recommendations from the CIS Benchmark documents have been followed in order to enforce, harden and secure our Linux operating systems.

Filesystems

  • Some weak filesystems are disabled in the kernel

  • Separate mount points for very active filesystems: /var/log, /var/log/audit, /var/tmp

  • Protection of /var/log, /tmp and /var/tmp

  • Disabling removable storage
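
One way to verify the mount layout listed above on a provisioned host. This is an added example, not the provider's own tooling; the page does not say how the directories are protected, so the nodev/nosuid/noexec check is an assumption based on the CIS Benchmark mount-option recommendations, and the sample mount table is constructed.

```python
# Paths the page says get their own mount point.
SEPARATE = ("/var/log", "/var/log/audit", "/var/tmp")
# Paths the page says are protected. ASSUMPTION: "protected" is read here as
# carrying the CIS-recommended mount options below; the page does not say so.
PROTECTED = ("/var/log", "/tmp", "/var/tmp")
ASSUMED_OPTIONS = {"nodev", "nosuid", "noexec"}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-log /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-vtmp /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of options from /proc/mounts-format text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        target = fields[1].replace("\\040", " ")  # spaces are escaped as \040
        mounts[target] = set(fields[3].split(","))  # a later mount overrides
    return mounts


def audit(text):
    """Return a list of findings; an empty list means the layout matches."""
    mounts = parse_mounts(text)
    findings = []
    for path in SEPARATE:
        if path not in mounts:
            findings.append(f"{path}: not a separate mount point")
    for path in PROTECTED:
        if path in mounts:
            missing = ASSUMED_OPTIONS - mounts[path]
            if missing:
                findings.append(f"{path}: missing {','.join(sorted(missing))}")
        elif path not in SEPARATE:  # absence of SEPARATE paths already reported
            findings.append(f"{path}: no dedicated mount, options not checkable")
    return findings


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("\n".join(audit(fh.read())) or "layout matches")
```
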

Secure boot

  • Ensure root password is required to boot in rescue mode

Sudo usage

  • Every use of the sudo command is traced

Process hardening

  • Several kernel parameters are enabled to protect running processes

Network

  • Unnecessary or weak network services are disabled (enforced by configuration manager)

  • Ensure time service is configured and active

  • IPv6 is disabled

  • Several kernel parameters are set to protect the network

  • Uncommon network protocols are disabled

Logging

  • Centralization of system logs

  • Ensure that every event is logged

Access and Authentication

  • Ensure cron service is active and configured

  • Ensure cron directories are protected

  • Ensure SSH is active and configured

  • Force secure SSH protocols and parameters

  • Ensure idle sessions are deactivated

  • Ensure strong password rules are applied

  • Ensure sensitive authentication files are protected
