New: Automated Security Hardening

System security starts here.

Whether you aim to deepen your understanding of security principles or need to quickly deploy configurations, we provide the ultimate resource.

Our Journey

Transforming complex tasks into one-click operations.

We set out to create an automated, verifiable, and user-friendly framework to simplify Linux security configuration.

Project Objectives

Building an automated, verifiable, and user-friendly framework.

Automated Toolkit

An open-source shell script based on CIS security benchmarks. Users simply run the script to automate the rigorous hardening process of target Linux distributions.

PyScan Validator

A full-featured CLI tool that remotely scans hardened servers, checks settings against predefined baselines, and generates detailed compliance reports.

Educational Guide

An interactive web tutorial explaining the technical principles behind each setting, providing clear, actionable instructions for using our developed tools.

The Real-World Impact

Operational Efficiency

Our automated tools significantly reduce the time and manpower required to harden servers. This enables IT and security teams to deploy secure systems rapidly, drastically reducing costs and mitigating human error while allowing teams to focus on strategic security tasks.

Skill Development

Serving as a practical educational resource, our open-source code and documentation provide a real-world example of "security as code." We help learners and students practice modern security automation technologies, promoting deep knowledge dissemination.

Linux Hardening Academy

Learn the technical principles behind System Hardening, the CIS Benchmarks, and how to effectively reduce the attack surface of your server.

What is System Hardening?

System hardening is the process of securing a computer device by reducing its attack surface and strengthening its defenses against threats and vulnerabilities. It entails implementing numerous security features, configurations, and best practices to shield the system from unauthorized access and cyber attacks.

Types of System Hardening

Server Hardening

Securing the ports, data, permissions, and functions of a server. Practices include using robust passwords, imposing multi-factor authentication, and disabling USB ports.

Software Application Hardening

Securing the packages deployed at the server. Common practices include using antivirus, malware protection programs, and establishing intrusion detection systems.

Operating System Hardening

Securing a system's own running OS. A common practice is uninstalling unnecessary device drivers and software to minimize potential entry points.

Network Hardening

Securing the communication channels. This involves configuring firewalls, encrypting network traffic, and establishing intrusion detection systems.

Approaches & Best Practices

System hardening is a detailed and important process for maintaining strong security. The exact steps vary depending on the system’s configuration and complexity. Several key strategies are commonly used:

  • Network Segmentation: Dividing a large network into smaller, isolated segments that are easier to monitor and control.
  • Intrusion Prevention: Continuously scanning the network for suspicious activity and automatically blocking or stopping threats when they are detected.
  • Encryption: Protecting data by converting it into an unreadable format so that only authorized users can access it.

Key Recommendations

Regular Patch Management

Apply security updates and patches to the operating system, applications, and firmware as soon as they become available.

Disable Unnecessary Services

Turn off any features, services, or protocols that are not required for normal operations to shrink the attack surface.

Strong Authentication & Least Privilege

Use multi-factor authentication (MFA) to add an extra layer of protection. Give users and administrators only the minimum level of access they need to do their jobs.

Firewall Configuration

Set up firewalls to filter both incoming and outgoing traffic according to strict, predefined rules.

Benefits & Limitations

System hardening significantly reduces the chances of successful attacks by closing off vulnerabilities before they can be exploited. It makes the system more resilient and harder for unauthorized individuals to penetrate. The process also helps identify and correct misconfigurations, removes unnecessary software, and simplifies auditing and maintenance.

Primary Benefits

  • Enhanced Performance: Removing unused components and tightening configurations often leads to better system efficiency.
  • More Secure Environment: A hardened system has fewer exposed weaknesses, making it far less vulnerable to cyber-attacks.
  • Simplified Compliance: With fewer programs and services running, auditing and meeting regulatory requirements become much easier.
  • Vulnerability Mitigation: Regular patching and updates directly address documented security flaws in software and firmware.
  • Prevention of Unauthorized Access: Strong controls and restrictions make it much harder for attackers to gain entry.

Key Limitations

  • Complexity and Overhead: The process can be time-consuming and technically demanding. Some security measures may also add performance overhead.
  • Potential for Disruption: Changes to configurations or security settings can temporarily affect normal operations, applications, or services.
  • Alert Fatigue: Increased logging and monitoring can generate a high volume of alerts, which may overwhelm security teams if not properly managed.

The CIS Framework

System hardening standards are established guidelines that an organization applies to all of its systems. Most standards cover essential areas such as OS patching and updates, physical security, data encryption, access controls, backups, auditing, and monitoring. Organizations that publish such standards include the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

CIS Benchmarks provide detailed hardening guidance for a wide range of platforms, including Windows Server, VMware, Linux distributions, and network appliances. The benchmarks themselves are freely available to the public, but the official configuration templates, automation scripts, and related tools are only accessible to members of the paid CIS SecureSuite program.

Configuration Profiles

Level 1 Profile

This is the basic, recommended starting point. It can be implemented relatively quickly and is designed to have minimal impact on system performance or usability. The main goal is to reduce the organization’s attack surface while keeping systems fully functional for day-to-day business operations.

Level 2 Profile

This represents a “defense-in-depth” approach and is intended for environments where maximum security is critical. Because its recommendations are more restrictive, they can potentially disrupt operations if not applied carefully and with proper planning.

STIG Profile

This replaced the earlier Level 3 profile. It includes all recommendations that align with Security Technical Implementation Guides (STIGs). It naturally overlaps with relevant items from the Level 1 and Level 2 profiles.

Important Note: Every recommendation in a CIS Benchmark belongs to at least one profile. No matter which profile you choose to follow, it is strongly recommended to first test the settings in a non-production environment to evaluate any potential impact before rolling them out.

Scope of the CIS Benchmarks for Ubuntu 24.04

The CIS Benchmarks for Ubuntu 24.04 are rigorously structured into seven primary domains. Each section targets specific operational layers to systematically reduce the server's attack surface.

1. Initial Setup

Focuses on foundational OS security. This affects core resilience by configuring secure filesystem partitions (like `/tmp` and `/var`), enforcing Mandatory Access Control (AppArmor), securing the bootloader, and disabling unused kernel modules to prevent exploitation.

2. Services

Aims to minimize vulnerability points by ensuring unnecessary server and client services (e.g., FTP, DHCP, NIS) are not in use. It also affects essential background operations by securing time synchronization (systemd-timesyncd or chrony) and tightening job schedulers like cron and at.

3. Network

Hardens network communications directly at the kernel level. This section impacts how the system handles routing and packet modification by disabling IP forwarding, ignoring bogus ICMP responses/redirects, and disabling obscure network protocols (like DCCP or SCTP) to prevent network-based attacks.

4. Host-Based Firewall

Ensures that a single, active firewall utility (such as UFW, nftables, or iptables) is properly configured. This affects overall accessibility by enforcing a strict "default deny" firewall policy and ensuring explicit rules exist for all open ports.

5. Access Control

Governs authentication and authorization mechanisms. This deeply affects the SSH server (restricting root logins, setting timeouts). It also secures privilege escalation by restricting `sudo` and configures Pluggable Authentication Modules (PAM) to enforce strong password complexity and history rules.
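The settings named in the Network and Access Control sections are exactly what a validator such as the PyScan tool or the script's verify-only mode compares against a baseline. The shell example below is added here to show the core of such a check; it is not the toolkit's own code. It reads a key/value file, ignores comments, accepts both the `Key value` form of sshd_config and the `key = value` form printed by `sysctl -a`, and reports PASS/FAIL per setting. The sshd_config fragment and the sysctl snapshot are constructed sample data, and the baseline values (e.g. `MaxAuthTries=4`) are compared for exact equality only; a numeric "at most" rule would need a comparison instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the hardening toolkit: a "verify-only" style
# baseline check for key/value configuration files such as sshd_config
# (Access Control section) and a captured "sysctl -a" snapshot (Network
# section). File names, keys and values below are constructed sample data.

# get_kv FILE KEY [first|last]
# Prints the effective value of KEY in FILE, or nothing if it is unset.
# Comment and blank lines are ignored, "key value" and "key = value" are both
# accepted, and the keyword match is case-insensitive. MODE decides which
# duplicate wins: sshd honours the FIRST occurrence of a keyword, sysctl.conf
# the LAST one, so the same file can be read with the semantics of its consumer.
get_kv() {
    local file="$1" key="$2" mode="${3:-last}"
    awk -v k="$key" -v mode="$mode" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)   # drop trailing comments
            gsub(/=/, " ", line)                # "key = value" -> "key value"
            sub(/^[[:space:]]+/, "", line)      # drop indentation
            sub(/[[:space:]]+$/, "", line)      # drop trailing blanks
            n = split(line, f, /[[:space:]]+/)
            if (n < 2) next
            if (tolower(f[1]) != tolower(k)) next
            if (mode == "first" && found) next
            val = f[2]; found = 1
        }
        END { if (found) print val }' "$file"
}

# check_setting FILE KEY EXPECTED [MODE]
# Prints one PASS/FAIL line; returns 0 on PASS and 1 on FAIL.
check_setting() {
    local file="$1" key="$2" want="$3" mode="${4:-last}" got
    got="$(get_kv "$file" "$key" "$mode")"
    if [ "$got" = "$want" ]; then
        printf 'PASS  %-45s %s\n' "$key" "$got"
        return 0
    fi
    printf 'FAIL  %-45s got=%s expected=%s\n' "$key" "${got:-<unset>}" "$want"
    return 1
}

# run_baseline FILE MODE KEY=EXPECTED...
# Checks every KEY=EXPECTED pair and returns the number of failed checks
# (0 means the file is compliant with the baseline).
run_baseline() {
    local file="$1" mode="$2" failed=0 item
    shift 2
    for item in "$@"; do
        check_setting "$file" "${item%%=*}" "${item#*=}" "$mode" || failed=$((failed + 1))
    done
    return "$failed"
}

SAMPLE_DIR="$(mktemp -d)"
SAMPLE_SSHD="$SAMPLE_DIR/sshd_config"
SAMPLE_SYSCTL="$SAMPLE_DIR/sysctl.snapshot"

# Constructed sshd_config fragment. Note the two PermitRootLogin lines:
# sshd keeps the first one, so this host still permits root login even
# though a later line says "no".
cat >"$SAMPLE_SSHD" <<'EOF'
# constructed sample, not a real host
Port 22
PermitRootLogin yes
MaxAuthTries 4
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 3
PermitRootLogin no
EOF

# Constructed snapshot in the "key = value" format printed by sysctl -a
cat >"$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF

# Example usage: the exit status is the number of settings out of baseline.
run_baseline "$SAMPLE_SSHD" first \
    PermitRootLogin=no MaxAuthTries=4 X11Forwarding=no \
    ClientAliveInterval=300 ClientAliveCountMax=3 \
    || echo "sshd_config: $? setting(s) out of baseline"
run_baseline "$SAMPLE_SYSCTL" last \
    net.ipv4.ip_forward=0 net.ipv4.conf.all.accept_redirects=0 \
    net.ipv4.conf.all.send_redirects=0 \
    net.ipv4.icmp_ignore_bogus_error_responses=1 \
    || echo "sysctl: $? setting(s) out of baseline"
```

On a real host the same functions would be pointed at `/etc/ssh/sshd_config` (with `sshd -T` as the authoritative source of the effective configuration, since it also resolves Include and Match directives) and at the output of `sysctl -a`, and the non-zero return value of `run_baseline` makes the check usable as a gate in a pipeline.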

6. Logging and Auditing

Guarantees that system activities are recorded and protected from tampering. This affects system logging via `journald` and `rsyslog`, and establishes comprehensive `auditd` rules to track file modifications, privilege use, and login events. It also enforces file integrity checking mechanisms like AIDE.

7. System Maintenance

Maintains ongoing operational security by auditing local user and group settings. This affects system hygiene by enforcing strict file permissions on critical system files (like `/etc/passwd` and `/etc/shadow`), ensuring no duplicate accounts exist, and validating environment configurations.
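The System Maintenance checks above (file permissions on `/etc/passwd` and `/etc/shadow`, no duplicate accounts) reduce to a few file-mode and field-counting tests. The shell example below is added to show them in working form; it is not the toolkit's own code. It works on constructed passwd- and shadow-format files in a temporary directory so it can be run anywhere without touching the real account database; the password hashes in the sample are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the hardening toolkit: local account and
# permission hygiene checks in the spirit of the System Maintenance section.
# Every file below is constructed in a temporary directory; nothing on the
# real host is read or modified.

# check_mode FILE MAXMODE
# Returns 0 if FILE grants no permission bit beyond the octal MAXMODE
# (e.g. 644 for /etc/passwd, 640 for /etc/shadow), 1 otherwise.
check_mode() {
    local file="$1" max_mode="$2" mode
    mode="$(stat -c '%a' "$file")" || return 1
    # a bit set in mode but clear in max_mode is an excess permission
    [ $(( 0$mode & ~0$max_mode )) -eq 0 ]
}

# check_owner FILE OWNER:GROUP
# Returns 0 if FILE is owned by exactly OWNER:GROUP.
check_owner() {
    [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# duplicate_field FILE N
# Prints each value of colon-separated field N that occurs more than once
# (N=1 -> duplicate names, N=3 -> duplicate UIDs/GIDs), sorted.
duplicate_field() {
    awk -F: -v n="$2" '$0 !~ /^[[:space:]]*$/ { c[$n]++ }
                       END { for (v in c) if (c[v] > 1) print v }' "$1" | LC_ALL=C sort
}

# empty_password_accounts SHADOWFILE
# Prints accounts whose password field is empty, i.e. that can be used
# without any password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1" | LC_ALL=C sort
}

SAMPLE_DIR="$(mktemp -d)"
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

# Constructed passwd file: "deploy" and "backup" share UID 1001
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
backup:x:1001:1002:Backup:/home/backup:/bin/bash
EOF

# Constructed shadow file with placeholder hashes: "guest" has no password
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# The sample shadow file is deliberately left world-readable (644) so the
# mode check has something to report; a real one is root:shadow 640.
chmod 644 "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"

# Example usage
check_mode "$SAMPLE_PASSWD" 644 && echo "passwd mode within 644"
check_mode "$SAMPLE_SHADOW" 640 \
    || echo "shadow more permissive than 640: $(stat -c '%a' "$SAMPLE_SHADOW")"
check_owner "$SAMPLE_PASSWD" root:root \
    || echo "passwd owner is $(stat -c '%U:%G' "$SAMPLE_PASSWD"), expected root:root"
echo "duplicate UIDs: $(duplicate_field "$SAMPLE_PASSWD" 3 | tr '\n' ' ')"
echo "empty-password accounts: $(empty_password_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

`check_mode` compares permission bits rather than the literal string, so a stricter mode such as 600 passes a 640 baseline while 644 fails it; that is the distinction an audit needs, since "more restrictive than the benchmark" is compliant and "more permissive" is not.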


Step 1: Introduction & Requirements

Welcome to the Ubuntu Hardening Script guide. Before proceeding, ensure your target environment meets the strict prerequisites required to execute the framework safely.

System Requirements

  • Ubuntu Linux 24.04 LTS
  • Root/sudo privileges
  • Bash shell environment

Step 2: Core Architecture

Once extracted, the toolkit contains specific files and directories required for execution, reporting, and recovery. Note: The SECTION_X_DETAILS.md files include deep-dive details for each configuration section.

cis_hardening.sh

The primary executable script that orchestrates the hardening process.

config.env

The master configuration file. Auto-created if missing on first run.

report/

Output directory containing the generated CSV compliance reports.

backup_temp/

Houses temporary backup files. Compressed to a tar.gz archive upon completion.

Directory Structure

(Figure: directory structure of all toolkit files)

Step 3: Configuration & Logging

You can customize the script's behavior by editing the config.env file. Below are the default environment variables you can adjust to fit your infrastructure.

REPORT_DIR="report"

Defines the report output directory (relative to the script's own directory).

BACKUP_TEMP_DIR="backup_temp"

Defines the temporary storage for pre-modification backups.

LOG_FILE="/var/log/cis-hardening.log"

The absolute path where execution logs are written.

Step 4: Backups & Reports

Backup Mechanism

Before any system changes are applied, all targeted configuration files are copied. Once processing is complete, the backup directory is compressed into an archive.

Default Storage: backup_temp/TIMESTAMP.tar.gz

CSV Generation

The script outputs detailed CSV files post-execution. The columns include:

  • Section: The CIS ID (e.g., '1.1.1.1','5.1.6').
  • Status: SKIPPED, FIXED, FAILED, VERIFY_FAILED, DRY-RUN, or PASS.
  • Timestamp: Exact time of processing.
  • Details: Additional outcome information.
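A report with these four columns is most useful when something consumes it: a per-status count for the operator and a non-zero exit when any section is FAILED or VERIFY_FAILED, so a pipeline or scheduled job stops instead of silently accepting a partially hardened host. The shell example below is added to show that; it is not the toolkit's code. The report content is constructed sample data, and the section IDs other than 1.1.1.1 and 5.1.6 (the two quoted above) are placeholders. Only the first two columns are ever split, because the Details column may itself contain commas inside quotes.

```shell
#!/usr/bin/env bash
# Added example, not part of the hardening toolkit: summarising a CSV
# compliance report with the columns Section,Status,Timestamp,Details and
# turning it into a pass/fail gate. The report is constructed sample data;
# section IDs other than 1.1.1.1 and 5.1.6 are placeholders.

# status_counts REPORT -> one "STATUS count" line per status, sorted
# Only $1 and $2 are read; the Details column may contain quoted commas
# and must never be split naively.
status_counts() {
    awk -F, 'NR > 1 { sub(/\r$/, ""); c[$2]++ }
             END { for (s in c) print s, c[s] }' "$1" | LC_ALL=C sort
}

# failed_sections REPORT -> section IDs with status FAILED or VERIFY_FAILED
failed_sections() {
    awk -F, 'NR > 1 && ($2 == "FAILED" || $2 == "VERIFY_FAILED") { print $1 }' "$1" \
        | LC_ALL=C sort
}

# report_gate REPORT -> 0 when no section failed, 1 otherwise
# Intended as the last step of a CI job or a cron/configuration-management
# wrapper around the hardening run.
report_gate() {
    local failed
    failed="$(failed_sections "$1")"
    if [ -n "$failed" ]; then
        printf 'Non-compliant sections:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

SAMPLE_DIR="$(mktemp -d)"
SAMPLE_REPORT="$SAMPLE_DIR/report.csv"

# Constructed report; timestamps and detail text are sample values.
cat >"$SAMPLE_REPORT" <<'EOF'
Section,Status,Timestamp,Details
1.1.1.1,PASS,2025-01-01 10:00:01,constructed detail text
1.1.1.2,PASS,2025-01-01 10:00:01,constructed placeholder section
1.9.9,FIXED,2025-01-01 10:00:02,constructed placeholder section
3.9.9,FAILED,2025-01-01 10:00:05,constructed placeholder section
5.1.6,VERIFY_FAILED,2025-01-01 10:00:09,"constructed detail, with a comma inside quotes"
5.9.9,SKIPPED,2025-01-01 10:00:10,constructed placeholder section
6.9.9,DRY-RUN,2025-01-01 10:00:12,constructed placeholder section
EOF

# Example usage
echo "Results by status:"
status_counts "$SAMPLE_REPORT"
report_gate "$SAMPLE_REPORT" || echo "gate failed with exit status $?"
```

A DRY-RUN or SKIPPED row does not fail the gate here, which matches the meaning of those statuses; whether a SKIPPED section should be treated as a finding is a policy choice, and adding it to the condition in `failed_sections` is a one-line change.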

Step 5: Installation

Follow these instructions to install the toolkit on your system.

1. Download the Hardening Toolkit

Enter the following command in your Ubuntu terminal to download the toolkit:

curl -O https://auto-harden.shlave.com/auto-harden.zip

2. Extract the Files

Install the unzip tool (if not already installed) and extract the downloaded file:

sudo apt-get install unzip -y
unzip auto-harden.zip
cd auto-harden

3. Grant Permissions and Execute

Grant execution permissions to the script and run the hardening process:

chmod +x cis_hardening.sh
sudo ./cis_hardening.sh

Step 6: Execution Modes

The script offers versatile run parameters. Note: Dry-run and Verify-only modes cannot be combined in a single execution. Verify-only mode does not generate backups.

Standard Run (Specific Sections)

sudo bash cis_hardening.sh 1,3,5

Applies hardening to sections 1, 3, and 5. Backups are created, and the script continues with the remaining sections even if one section fails.

Dry-Run Mode

sudo bash cis_hardening.sh --dry-run 1,3,5
# or using shorthand
sudo bash cis_hardening.sh -d 1,3,5

Previews changes in the console without actually applying them to the system files.

Verify-Only Mode

sudo bash cis_hardening.sh --verify-only 1,3,5
# or using shorthand
sudo bash cis_hardening.sh -v 1,3,5

Performs compliance checks and generates a CSV report without modifying system configurations.

Access Documentation

bash cis_hardening.sh --help

Step 7: Demonstration Video