
Linux Hardening: Security Baselines and Automation

It was 2:00 AM when a junior admin spun up an unpatched, default-configured VM in production. By 6:00 AM, it was cryptomining. The problem wasn't malice—it was the absence of a security baseline. If your hardening strategy depends on humans remembering checklists, you've already lost. Let's fix that.



Why Baselines Matter More Than Checklists

A security baseline is not a PDF someone bookmarked two years ago. It's a codified, enforceable, measurable standard that every Linux system must meet before it touches a network. Without one, you get configuration drift—the slow, silent divergence of systems from a secure state that makes incident response a nightmare and audits a bloodbath.

The industry gold standard is the CIS Benchmark for your distribution (RHEL, Ubuntu, SLES). It provides two profile levels: Level 1 (practical, minimal impact) and Level 2 (defense-in-depth, potentially disruptive). Start with Level 1. Get it automated. Then tighten.


Assessing Your Current State

Before automating anything, audit where you stand. OpenSCAP is the tool most enterprises underutilize:

# Install on RHEL-based systems
sudo yum install -y openscap-scanner scap-security-guide

# Run a CIS benchmark scan
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/cis-results.xml \
  --report /tmp/cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Open that HTML report. On a default installation you will likely see a failure rate between 40% and 60%. That gap is your attack surface.


The Critical Hardening Controls

While every environment is different, these controls consistently deliver the highest security ROI:

1. Filesystem and Partitioning

Mount /tmp, /var, and /var/log on separate partitions with restrictive options:

# /etc/fstab entry
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

The noexec flag alone kills a massive class of post-exploitation techniques that drop payloads to /tmp.

2. SSH Hardening

Default SSH configurations are dangerously permissive:

# /etc/ssh/sshd_config.d/hardening.conf
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
AllowAgentForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups ssh-users

3. Kernel Parameters

# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0

4. Audit Logging

If you aren't logging privileged commands, you're flying blind:

# /etc/audit/rules.d/privileged.rules
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands
-w /etc/passwd -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudoers_changes

Automating Enforcement with Ansible

Manual hardening doesn't scale. Use the ansible-lockdown roles maintained by MindPoint Group, which directly implement CIS benchmarks:

# playbook.yml
- hosts: all
  become: yes
  roles:
    - role: RHEL9-CIS
      vars:
        rhel9cis_level_1: true
        rhel9cis_rule_5_2_4: true # SSH PermitRootLogin
        rhel9cis_rule_1_1_2_1: true # /tmp partition

Run it nightly against your fleet. Drift gets corrected automatically. Every execution produces a log that satisfies your auditor.


Building a Continuous Compliance Loop

The mature model looks like this:

  1. Define → CIS Benchmark profile tailored to your environment
  2. Enforce → Ansible playbooks in CI/CD pipelines and scheduled runs
  3. Validate → OpenSCAP scans feeding results into your SIEM
  4. Report → Automated compliance dashboards for leadership and auditors

Integrate OpenSCAP results into Splunk or Elastic by shipping the XML output, giving your SOC team real-time visibility into baseline compliance across every host.
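As an added example (not code from the article), this is how the Validate step can flatten the `--results` XML written by the `oscap` command above into one JSON event per host before it is shipped to the SIEM. The XCCDF fragment is a constructed, trimmed sample; the namespace and element names are those of XCCDF 1.2, and the rule ids follow the SSG naming scheme.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample, trimmed to the shape `oscap xccdf eval --results` writes.
# A real scan carries hundreds of rule-result elements with the same structure.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_cis">
    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
    <target>web01.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" severity="medium">
      <result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

def summarize_xccdf(xml_text: str) -> dict:
    """Return target, profile, per-outcome counts, failure rate and failed rule ids."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    counts, failed = Counter(), []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[outcome] += 1
        if outcome in ("fail", "error", "unknown"):  # anything an auditor will ask about
            failed.append({"rule": rr.get("idref"), "severity": rr.get("severity", "unknown"), "result": outcome})
    # Failure rate over scored rules only; notapplicable/notchecked/notselected are excluded.
    scored = counts["pass"] + counts["fail"]
    rate = round(100 * counts["fail"] / scored, 1) if scored else 0.0
    profile = test_result.find("x:profile", XCCDF_NS)
    return {
        "target": test_result.findtext("x:target", default="", namespaces=XCCDF_NS),
        "profile": profile.get("idref") if profile is not None else "",
        "counts": dict(counts),
        "failure_rate_pct": rate,
        "failed_rules": failed,
    }

def to_json_event(xml_text: str) -> str:
    """One JSON line per scan, ready for Splunk HEC or an Elastic bulk ingest."""
    return json.dumps(summarize_xccdf(xml_text), sort_keys=True)
```

Point `summarize_xccdf` at the contents of `/tmp/cis-results.xml` from the scan above; the `failed_rules` list is what drives the nightly Ansible run, and `failure_rate_pct` per host is the number that belongs on the compliance dashboard.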


Final Thought

Hardening isn't a project with a completion date—it's a property of your infrastructure pipeline. Treat your security baseline like application code: version-controlled, peer-reviewed, tested, and continuously deployed. The organizations that get breached aren't the ones lacking firewalls. They're the ones with 200 servers and 200 different configurations.

