Linux hardening guide: How does it work for Ubuntu, Debian, Fedora & Co.

Nobody is perfect – especially no operating system! Therefore, system hardening for Linux is also recommended. However, the implementation can be complex in corporate environments. This is what you should consider.

Why is it necessary to harden Linux?

Linux is often described as “secure” per se. A fallacy! Until now, there have been fewer attacks because the operating system is used less frequently than Windows, for example.

But now the wind has changed: Since Linux is “working under the hood” in more and more systems and thus also in a growing number of companies, the interest of cybercriminals in the OS is growing. As a study by Trend Micro shows, the number of Linux attacks is increasing significantly.

Hardening systems through appropriate system configuration is extremely important – and that includes Linux! If the open operating system is used in the business environment, you should definitely harden it. Especially if sensitive data is being processed!

The large community has recognized this, and various projects are taking up the topic. For example:

What is the challenge of hardening Linux?

There are some important differences with Linux compared to Windows that you need to consider. These are the most important aspects from our perspective:

“Write programs that do one thing and do it well”

Applications on Linux have (at least in UNIX philosophy ) fairly clear areas of responsibility. They are supposed to go little or not at all beyond that.

However, discussion often arises in the community about how something is “best” solved. This leads to fragmentation and forks. While this is important in principle as it provides for the intended “separation of powers”, it can make Linux complex to manage.

“Everything is a file”

Windows uses abstract centralized approaches such as group policies or the associated registry entries to set preferences. On the Linux side, the equivalent would be to make such settings via configuration files.

Due to the different approaches described above and the – in contrast to Windows – more or less fundamental degrees of freedom, there are often various implementations / names / formats for a service. These things make automation and Linux hardening very challenging.

Any questions? Contact us!

What are the consequences?

If there is no massive standardization and automation when introducing Linux infrastructures in a company, the world of Linux derivatives, services and various configurations of actually identical services can only be “recaptured” with great effort.

Questions like these then arise:

    • Which distribution is used?
    • Who installs the updates and when?
    • Which firewall implementation is used?
    • How is the NTP service to be configured?
    • How to configure logging settings?
    • Which (centrally managed) user accounts get “sudo” privileges?
    • Is the use of the “root” account forbidden?

Reading tip: These Arch Linux articles summarize other important basic ideas and questions.

Are there any hardening recommendations for Linux?

“Linux vendors” are an individual, small groupings, associations, or larger companies (depending on the distribution). Even if you only look at the core of Linux (the “kernel”), there is no central “spokesperson”. General recommendations are therefore hard to find.

However, there are already good handouts to secure a Linux distribution. Here are some examples:

Recommendations from organizations like DISA, CIS, BSI & Co. that we usually recommend for Windows system hardening can of course also be found on the net for a secure Linux.

Linux hardening audit: How hardened is your Linux?

If you want to subject Ubuntu, Debian or Fedora to system hardening, you first need to determine the status quo. That is, how well have you hardened or securely configured your Linux so far?

Since version 5.0, the free Audit Test Automation Package (AuditTAP for short) has offers a “Security Base Data” report for the most common Linux variants. And for individual distributions, for example for Ubuntu and Debian, there are “real” hardening checks.

Ubuntu hardening: Secure your Ubuntu with a plan!

There is one exception since the release of AudiTAP 5.6: From this version on it is possible to generate a complete hardening report for Ubuntu 20.04 and Ubuntu 22.4. This report is based on the CIS benchmarks for Ubuntu (“CIS Ubuntu 1.1.0”).

Such an audit report then looks like this, for example:

Excerpt of how the new Hardening Report based on the CIS benchmarks for Ubuntu 20.4 looks in AuditTAP 5.6. (Click on the image to see a larger version)
Excerpt of how the new Hardening Report based on the CIS benchmarks for Ubuntu 20.4 looks in AuditTAP 5.6. (Click on the image to see a larger version)

Our tip: Use the findings of the hardening audit to secure and “harden” your Ubuntu! Afterwards, attackers will have a much harder time to compromise your system and cause damage.

Using PowerShell as a Linux fan – isn’t that a no-go?

To use AuditTAP, you have to work with PowerShell, which is a Windows application. Are you now wincing because you have sworn off the Microsoft world? Then you should realise the advantages of PowerShell:

    • In mixed environments, PowerShell allows you to create scripts that run on all systems.
    • With PowerShell, Windows servers and services can be managed remotely. This is particularly useful when you need to access a Windows server from a Linux system – for example, for OS Hardening.
    • While in Linux text output is passed on via pipes, with Powershell these are objects on which you can continue working. This approach allows for more complex and precise data manipulation and processing. This is an exciting alternative even for experienced “bashers”!
    • Cloud services like Microsoft Azure offer management with PowerShell – even for Linux VMs!

And let’s admit it as it is: Even die-hard Linux users sometimes work with Windows, whether professionally or privately. So it makes sense to use a shell to get everything out of the operating system – the Microsoft application is not called “PowerShell” for nothing!

Are you still not convinced? This video shows you how easy it is to install and use AuditTAP with PowerShell:

Linux OS hardening: More than just applying a script!

System hardening is not a one-time task. Not for Windows users, neither for Debian, Ubunto, Fedora or other Linux users!

For the implementation of a Security Configuration Management, besides the implementation, the regular control and monitoring of the settings is equally important.

This is what we want to support. Our mission is therefore: Not only Windows systems have to be hardened professionally, but also Linux!

We approach this mission step by step. Therefore we will regularly update this post and enrich it with new information to clearly describe the hardening of Ubuntu, Debian and Co. for enterprises. Stay tuned!

Do you have any questions about system hardening or AuditTAP? Contact us without any obligation!

Contact us!

Image: Freepik

Leave a Reply