Linux System Hardening: Background, Measures and Tool Tips

Do you really need to harden a Linux system? What is important to bear in mind during implementation? And what challenges do you have to overcome so that hardening can really be realised sustainably? Here are the answers.

Why should you harden Linux?

For a long time, Linux was considered a particularly secure operating system. Compared to Windows, it seemed to be less susceptible to malware and cyber attacks, which was attributed to its open source character, strict rights management and active developer community, among other things. But those days are long gone!

Modern attack techniques, complex software dependencies and ever larger system landscapes have shown that Linux systems are not secure per se either. Prominent incidents such as the Heartbleed vulnerability in OpenSSL or the vulnerabilities in Sudo and Polkit/PolicyKit have proven that widespread and well-tested Linux components are vulnerable.

A particularly serious example was the Log4j vulnerability at the end of 2021, which was described as the ‘biggest vulnerability in the history of computing’. This allowed attackers to execute arbitrary code via simple requests – with global effects on millions of servers, including many Linux systems.

👉 To summarise: Like Windows systems, the various Linux derivatives have numerous attack surfaces and vulnerabilities that can be exploited. They should therefore be protected – among other things through System Hardening.

Linux Hardening: What community solutions are available?

Is Linux hardening a ‘nice to have’? For private home use, you could say: yes.

👉 But if a Linux system is used in a company, it absolutely must be hardened – especially in sensitive business areas. Anyone who fails to do so is acting with gross negligence. In the worst case, you risk a cybersecurity incident, which can have extremely expensive consequences.

According to the IBM study ‘Cost of a Data Breach’, the average cost is around 5 million dollars. In the worst-case scenario, the existence of the entire company can be jeopardised. ‘One in five companies has already been on the brink of insolvency following a cyber attack,’ says ESET.

The Linux community has therefore developed various security solutions. These include the following:

Linux Hardened Kernel

Protects against exploits such as buffer overflows and memory errors using techniques such as ASLR and CFI.

SELinux (Security-Enhanced Linux)

Enforces fine-grained access controls and prevents unauthorised access – even for compromised processes. As SELinux was developed by Red Hat and the NSA, it is mainly found on Red Hat, SUSE and related distributions.

AppArmor

Similar to SELinux, typical for Debian and Ubuntu. The configuration is somewhat more sophisticated and is based on profiles that restrict access to programmes or files.

Auditd

Records security-relevant events and helps to detect suspicious activities, such as the execution or reading of unauthorised files, at an early stage. Auditd is not hardening in the strict sense, as it only logs unauthorised activities rather than preventing them!

The big BUT: Why the solutions are not solutions

👉 As useful as these tools may seem, it must be clearly stated: They alone are not enough to comprehensively harden a Linux system!

Many of the possible measures improve security through monitoring, access restrictions or memory management mechanisms, but do not sufficiently reduce all potential attack surfaces.

In addition, solutions such as AppArmor or SELinux do not follow any established standard. While security guidelines such as the CIS Benchmarks, NIST 800-53 or ISO 27001 provide clear specifications for the Secure Configuration of a system (the hardening), the tools of the Linux community are more like building blocks. They still need to be configured individually and combined with other solutions.

👉 Consistent System Hardening always requires a comprehensive security concept that is based on proven standards!

One example: the CUPS security vulnerability that was discovered in September 2023. Even if the kernel is comprehensively protected against exploits, an open printer service remains an ‘invitation’ for attackers. This vulnerability shows once again that applications or services that are unnecessarily publicly accessible often pose the greatest security risk. The Center for Internet Security (CIS) therefore strongly recommends deactivating or uninstalling CUPS.

The biggest problems with Linux Hardening

Implementing effective Linux System Hardening is often more difficult than expected. The challenges include:

🛑 Distributed configurations
Windows has a centralised registry. With Linux, however, the security settings are distributed across many files and directories. This leads to a great deal of effort.

🛑 Multiple packages for security-related tools
Every Linux expert knows these questions: ‘Do I use ufw, nftables or iptables directly for my firewall? What do I use for my time synchronisation – chrony or systemd-timesyncd?’ Unfortunately, each solution has its own syntax.

🛑 Security updates and dependencies
Many vulnerabilities are not caused by the kernel itself, but by outdated software packages or incorrect configurations.

What you need to think about when hardening Linux (Servers)

If the roll-out of Linux infrastructures is not heavily standardised and automated, the resulting sprawl of Linux derivatives, services and differing configurations of what are actually identical services can only be brought back under control with great effort.

In the context of system hardening, questions such as these then arise:

    • Which distribution is used?
    • Is everything on one partition?
    • Or should /var, /home, /tmp be mounted separately?
    • Who installs the updates and when?
    • Which firewall implementation is used?
    • How should the NTP service be configured?
    • How are logging settings to be configured?
    • Which (centrally managed) user accounts get ‘sudo’ rights, and how?
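Several of the questions above can be answered by a script before anyone reviews a system by hand. As an added example that is not code from the article or from AuditTAP, the POSIX shell functions below audit the partition question: whether /var, /home and /tmp are separate mounts, and whether /tmp carries the nodev, nosuid and noexec options the CIS benchmarks call for. They read any file in /proc/mounts format, so a saved copy from another host works as input too.

```shell
#!/bin/sh
# Added example, not code from the original article: audits the partition
# questions the way a CIS-style check would. Reads a mount table in
# /proc/mounts format (default: the live system) and reports whether /var,
# /home and /tmp are separate mounts and whether /tmp has nodev,nosuid,noexec.

# is_separate_mount MOUNTS_FILE DIR -> exit 0 if DIR is its own mount point
is_separate_mount() {
    awk -v dir="$2" '$2 == dir { found = 1 } END { exit !found }' "$1"
}

# mount_has_option MOUNTS_FILE DIR OPTION -> exit 0 if DIR is mounted with OPTION
mount_has_option() {
    awk -v dir="$2" -v opt="$3" '
        $2 == dir {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == opt) found = 1
        }
        END { exit !found }' "$1"
}

# check_mounts [MOUNTS_FILE] -> prints one PASS/FAIL line per check and
# returns the number of failed checks (0 means everything passed)
check_mounts() {
    mounts="${1:-/proc/self/mounts}"
    fails=0
    for dir in /var /home /tmp; do
        if is_separate_mount "$mounts" "$dir"; then
            echo "PASS $dir is a separate mount"
        else
            echo "FAIL $dir shares the root filesystem"
            fails=$((fails + 1))
        fi
    done
    for opt in nodev nosuid noexec; do
        if mount_has_option "$mounts" /tmp "$opt"; then
            echo "PASS /tmp is mounted with $opt"
        else
            echo "FAIL /tmp is not mounted with $opt"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Call `check_mounts` with no argument to audit the live system; the return code doubles as a failure count, which makes it easy to feed into a fleet-wide report.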

Do you have further questions? Contact us!

Are there System Hardening recommendations for Linux?

Or to put it another way: What do the manufacturers say? A good question, because: ‘Linux manufacturers’ are, depending on the distribution, individuals, small groups, associations or larger companies. There is therefore no central spokesperson. Generally valid recommendations are therefore difficult to find.

However, you can study these guides:

✅ A security overview is available for Arch Linux

✅ On debian.org you can find the ‘Debian Security Handbook’

✅ The ‘Security and Hardening Guide’ is available for SUSE Linux Enterprise

Recommendations from organisations such as DISA, CIS, BSI & Co., which we generally recommend for Windows system hardening, can of course also be found online. Here are three examples:

DISA STIGs Linux

CIS: Securing AlmaLinux OS

CIS: Debian Linux Benchmarks

How good are pre-hardened Linux systems?

Some Linux distributions such as Red Hat Enterprise Linux (RHEL) and Ubuntu (Canonical) are already equipped with preconfigured security measures to ensure ‘basic hardening’. Among other things, these include the following security elements:

Red Hat Enterprise Linux

    • SELinux is enabled by default and enforces strict access controls.
    • Kernel Hardening such as Stack Canaries, ASLR (Address Space Layout Randomisation) and NX-Bit to protect against exploits.
    • Systemd sandboxing for many system-related services to minimise attack surfaces.
    • FIPS mode (Federal Information Processing Standards) for cryptography that complies with US federal government standards.
    • SCAP Security Guide (SSG) for automated adherence to compliance requirements (e.g. CIS, DISA STIGs).

Ubuntu (Canonical)

    • AppArmor as a standard MAC solution (Mandatory Access Control) for limiting process rights.
    • Unattended upgrades, which ensure that security-critical updates are installed automatically.
    • Live patch service for kernel patches without rebooting (particularly relevant for servers).
    • Minimal standard installation to reduce the attack surface from the outset.
    • UEFI Secure Boot to ensure that only signed code is loaded at system startup.

In view of the multitude of security tools, predefined guidelines and special settings, you might think that Linux systems are completely secure today. But this is a fallacy!

Even if a distribution is delivered with a hardened kernel, restrictive access rights and a secure SSH configuration – who can guarantee that this state will still exist after two months or even five years? So there are these fundamental problems:

🛑 Drift of the system configuration
Updates, new software installations or manual interventions can unintentionally soften Security Configurations.

🛑 Lack of monitoring
Many Linux security solutions rely on initial hardening or one-off audits without recognising and correcting deviations on an ongoing basis.

🛑 No consistent standardisation
There is no universal solution that ensures that a system fulfils all known benchmarks (CIS, DISA, etc.).
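Drift is caught by comparing a system's actual settings against a declared desired state and then re-applying that state. As an added example (not code from the article, AuditTAP or Enforce Administrator), the shell functions below do this for the secure SSH configuration mentioned above: the policy values are a constructed sample, and sshd Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not code from the article or any vendor tool: detects drift
# of an sshd_config away from a desired hardened state and re-applies it.
# The policy is a constructed sample; take real values from the CIS benchmark
# for your distribution. Match blocks are not handled.

# Desired state, one "Key value" per line (constructed sample policy)
SSH_POLICY='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4'

# effective_value CONFIG KEY -> prints the value sshd would use for KEY
# (first active, non-comment line wins, as in sshd; prints nothing if unset)
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_drift CONFIG -> prints one DRIFT line per deviating key and returns
# the number of deviations (0 means the file still matches the policy)
check_drift() {
    drift=0
    while read -r key want; do
        have=$(effective_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: have '${have:-unset}', want '$want'"
            drift=$((drift + 1))
        fi
    done <<EOF
$SSH_POLICY
EOF
    return "$drift"
}

# remediate CONFIG -> rewrites CONFIG so every policy key carries the wanted
# value: active lines for the key are replaced, absent keys are appended
remediate() {
    while read -r key want; do
        if [ -n "$(effective_value "$1" "$key")" ]; then
            awk -v key="$key" -v want="$want" \
                'tolower($1) == tolower(key) { print key, want; next } { print }' \
                "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        else
            echo "$key $want" >> "$1"
        fi
    done <<EOF
$SSH_POLICY
EOF
}
```

Running `check_drift /etc/ssh/sshd_config` from a timer gives the ongoing monitoring the section above asks for; `remediate` followed by a reload of sshd is the ‘self-healing’ step.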

How well is your Linux hardened? Take the test!

If you want to properly harden your Linux (server) system, you should first determine the status quo. The aim is to clarify: How well is your operating system already hardened? What optimisation potential is there? Where is there an urgent need for action? The free AuditTAP answers these questions.

With AuditTAP, you can carry out hardening checks for all common Windows and Linux systems. During each audit, all settings are intensively checked against the specifications of CIS and Co. You receive a detailed report as a result. The AuditTAP report then shows you how well your Ubuntu, Debian, Red Hat or SUSE system is hardened.

AuditTAP Report: CUPS alert (Image: FB Pro)

Does your Linux Hardening have significant deficiencies? Then you should carry out professional System Hardening. This involves not only closing ‘small’ attack surfaces such as the CUPS gaps, but also adjusting hundreds of settings – for each system! Do you want to do this manually? In large, heterogeneous IT landscapes with dozens or even thousands of clients and servers, this is extremely time-consuming.

To reduce this effort, we recommend using a hardening tool such as Enforce Administrator. This allows you to configure and manage your Linux systems centrally and securely using simple PowerShell commands.

Your hardened systems are also monitored. If deviations occur because changes have been made accidentally or deliberately, Enforce Administrator automatically reverses them. This creates a kind of ‘self-healing system’.

Enforce Administrator: More information

Conclusion

System Hardening is not a brief, one-off task – neither for Windows, nor for Debian, Fedora, Ubuntu and other Linux systems! In addition to the implementation itself, regular checking and monitoring of the settings is also essential for sustainable security configuration management. Use existing tools to make your work easier.

Do you have any questions about System Hardening, AuditTAP or Enforce Administrator? Contact us without any obligation!


Image: Freepik, FB Pro