Harden Linux, one domain at a time.

A complete, benchmark-aligned map of Linux server and workstation hardening — from SSH and the kernel to auditing and compliance. Pick a domain and work through it.

Explore the map Browse all guides

The hardening map

Twelve domains that together cover the attack surface of a Linux system. Start anywhere — each links to focused, copy-pasteable guides.

Access & Authentication

Lock down SSH, PAM, sudo, and multi-factor authentication.

1 guide

Accounts & Privileges

Enforce least privilege across users, groups, and password policy.

1 guide

Network & Firewall

Filter traffic with nftables and tune network sysctls.

1 guide

Kernel Hardening

Restrict the kernel: sysctls, modules, and lockdown.

1 guide

Filesystem & Permissions

Mount options, permissions, SUID/SGID, and file integrity.

1 guide

Services & systemd

Shrink the attack surface and sandbox systemd units.

1 guide

Mandatory Access Control

Confine processes with SELinux or AppArmor.

1 guide

Logging & Auditing

Capture and review events with auditd and journald.

1 guide

Updates & Packages

Patch fast and trust your package sources.

1 guide

Boot & Physical Security

Protect the boot chain: GRUB, Secure Boot, and disk encryption.

1 guide

Intrusion Detection

Detect tampering with AIDE, fail2ban, and rootkit scanners.

1 guide

Compliance & Benchmarks

Measure against CIS, ANSSI-BP-028, and STIG with Lynis.

1 guide

Latest guides

Audit Linux Hardening with Lynis, CIS & OpenSCAP

Measure Linux hardening with CIS Benchmarks, DISA STIG and ANSSI-BP-028 using Lynis and OpenSCAP, then automate and track remediation.

6/3/2026

lyniscis-benchmarkopenscapcompliance

Intrusion Detection on Linux with AIDE and fail2ban

Detect breaches early with file integrity monitoring (AIDE), brute-force protection (fail2ban), and rootkit scanners as part of defense in depth.

5/27/2026

aidefail2banidsfile-integrity

Boot & Physical Security: GRUB, LUKS, Secure Boot

Harden the Linux boot chain against console access, stolen disks and evil-maid attacks with GRUB passwords, LUKS encryption and Secure Boot.

5/20/2026

bootgrubluksencryption

Automatic Security Updates on Linux

Keep Linux patched automatically with unattended-upgrades and dnf-automatic, trusted repositories, and a reduced package surface.

5/13/2026

updatespatchingpackagesapt

Auditd & Journald: A Logging Baseline

Build a tamper-resistant logging baseline on Linux with persistent journald, the auditd framework, sensitive-file watches, and off-host log shipping.

5/6/2026

auditdjournaldloggingmonitoring

SELinux & AppArmor: Confining Linux with MAC

Add Mandatory Access Control to Linux with SELinux and AppArmor. Keep SELinux enforcing, read denials, and fix policy instead of disabling it.

4/28/2026

selinuxapparmormacconfinement