Guides

Hands-on Linux hardening guides, walkthroughs, and checklists.

Measure Linux hardening with CIS Benchmarks, DISA STIG and ANSSI-BP-028 using Lynis and OpenSCAP, then automate and track remediation.
Detect breaches early with file integrity monitoring (AIDE), brute-force protection (fail2ban), and rootkit scanners as part of defense in depth.
Harden the Linux boot chain against console access, stolen disks and evil-maid attacks with GRUB passwords, LUKS encryption and Secure Boot.
Keep Linux patched automatically with unattended-upgrades and dnf-automatic, trusted repositories, and a reduced package surface.
Build a tamper-resistant logging baseline on Linux with persistent journald, the auditd framework, sensitive-file watches, and off-host log shipping.
Add Mandatory Access Control to Linux with SELinux and AppArmor. Keep SELinux enforcing, read denials, and fix policy instead of disabling it.
Enumerate, disable, score and sandbox systemd units with drop-ins to shrink the attack surface of every Linux service you run.
Harden Linux filesystems with nodev/nosuid/noexec mount options, audit SUID/SGID binaries, fix world-writable files, and tighten permissions on sensitive paths.
Harden the Linux kernel with sysctl tunables, module blacklisting, and lockdown mode. Practical /etc/sysctl.d and modprobe.d examples with verification.