Hardening a Linux client system to an acceptable degree is a time-consuming process, one that demands familiarity with a broad set of configuration parameters, framework recommendations, and the reasoning behind each control.
This post introduces our new Linux client hardening guide (MD, PDF), a comprehensive, publicly available hardening reference for Linux systems.
Motivation and Scope
The guide covers the full breadth of controls needed to significantly raise the security posture of a modern Linux installation while preserving operational usability (a subjective measure; the guide reflects my opinion of “usable”). It has been developed and validated against Ubuntu 24.04 LTS as the primary reference platform and cross-tested on Fedora, Debian 12, and Arch Linux, as well as on traditionally server-oriented distributions such as openSUSE Leap 15.6, Debian 12, Rocky Linux 9, and Red Hat Enterprise Linux 9, though without focusing on those, since the guide is written for Linux clients.
All controls are written against POSIX-compliant tooling and are broadly applicable across modern distributions.
Where distribution-specific syntax or availability differs meaningfully, notes are provided. Platform-specific gaps, such as the absence of AIDE from default repositories on certain distributions, are documented where applicable. Recommended settings are marked mandatory unless explicitly optional.
Structure
The guide is organized into six domains, each addressing a distinct layer of the system security posture.
Authentication & Identity Management addresses the controls that form the first line of defense against unauthorized access. It covers areas such as password policy enforcement, account lockout, and administrative privilege management, establishing a secure-by-default authentication baseline applicable to both server and workstation environments.
Network Security & Services focuses on reducing the network-exposed attack surface of a Linux system. Beyond firewall configuration, this domain examines how legacy protocols, insufficiently restricted local services, and misconfigured kernel network parameters each contribute meaningfully to that surface, and how to address them systematically.
System Boot & Integrity Security follows the chain of trust from firmware through bootloader to running kernel. It covers controls ranging from UEFI Secure Boot verification to CPU microcode updates, acknowledging that several classes of hardware-level vulnerability cannot be fully mitigated at the software layer alone.
OS Hardening addresses attack vectors at the operating system layer that persist independently of network exposure, including physical access risks, memory disclosure through core dumps, and privilege escalation through environment manipulation.
File System & Permissions treats the filesystem itself. The domain examines how default permissions, mount options, and the presence of world-writable or unowned files each create footholds for local privilege escalation, and provides controls to close them systematically.
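As an added illustration of the kind of filesystem checks this domain describes (world-writable or unowned files and missing hardening mount options), the following POSIX shell snippet is example code written for this post, not a script from the guide or the ERNW repository. The directory tree it audits and the fstab-style lines it reads are constructed test data; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the ERNW guide: audit a directory tree for
# world-writable files, world-writable directories lacking the sticky bit,
# and files with no matching user or group, then review mount options
# from fstab-style text.

# Count regular files under $1 that are writable by "other" (mode bit 0002).
count_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Count directories under $1 that are world-writable but lack the sticky
# bit (1000); such directories let any local user delete others' files.
count_unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | wc -l | tr -d ' '
}

# Count entries under $1 whose owner or group no longer exists in the
# user/group databases (typical leftovers of removed accounts).
count_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | wc -l | tr -d ' '
}

# Read fstab-style lines from stdin and print "<mountpoint> missing:<opts>"
# for every entry whose options lack any of nodev, nosuid, noexec.
# Returns 1 if at least one mount point is missing an option, else 0.
check_mount_options() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blanks and comments
        missing=""
        for want in nodev nosuid noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing$want," ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "${missing%,}"
            rc=1
        fi
    done
    return $rc
}

# Constructed demonstration input: a temporary tree with one loose file and
# one shared directory, plus two hypothetical fstab lines.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/ok" "$tmp/loose"
    chmod 0644 "$tmp/ok"
    chmod 0666 "$tmp/loose"      # world-writable file
    mkdir "$tmp/shared"
    chmod 0777 "$tmp/shared"     # world-writable directory, no sticky bit
    printf 'world-writable files:        %s\n' "$(count_world_writable_files "$tmp")"
    printf 'unsticky world-writable dirs: %s\n' "$(count_unsticky_world_writable_dirs "$tmp")"
    printf 'unowned entries:              %s\n' "$(count_unowned "$tmp")"
    check_mount_options <<'EOF' || printf 'mount options need attention\n'
# <device>  <mountpoint> <type> <options>              <dump> <pass>
/dev/sda2   /home        ext4   defaults,nodev,nosuid  0      2
tmpfs       /tmp         tmpfs  nodev,nosuid,noexec    0      0
EOF
    rm -rf "$tmp"
}
```

Run `demo` on a real host by replacing the constructed inputs with `/` and the contents of `/etc/fstab`; the `-xdev` flag keeps `find` from descending into other mounted filesystems, so run it once per mount point you care about.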
Application Security & Logging covers the security posture of core system services and the audit infrastructure that makes all other controls verifiable. Without tamper-evident logging and service confinement, the effectiveness of controls applied elsewhere in the stack cannot be reliably established.
Cheers!
Niklas
See also related white papers and resources by ERNW:
- ERNW White Paper 75: macOS Tahoe Hardening Guide
- ERNW White Paper 76: Linux Client Hardening Guide
- ERNW Hardening GitHub Repository
- Setting up Secure Boot on Gentoo Linux
- BSI Publishes Windows 10 SiSyPHuS Reports: Application Compatibility Infrastructure, Microsoft Defender Antivirus ETW Usage and Device Setup Manager Service
Want to learn more how to secure your infrastructure & systems? Get trained by experts at #TROOPERS26!