Also of note, automating these sorts of checks is a lot easier than you'd expect. There's InSpec and the Linux baseline profile already built for it, and you can pretty easily write your own. No agent, nothing on the target server(s) except SSH and some basic tools that are probably already installed.
Blew my mind the first time I saw I could run a report and iterate through a fleet of servers with it.
I knew about automatization (mostly for monitoring purposes) but I didn't know about InSpec! I will give it a try, thanks!
Nice post about encryption. But there is a lot more to hardening systems. For further reading I would suggest checking out the CIS Benchmarks - cisecurity.org/cis-benchmarks/, or the Department of Defense Security Technical Implementation Guides (STIGs) - public.cyber.mil/stigs/. Both are based on the National Institute of Standards and Technology (NIST) guidance - nist.gov/.
Thanks for this article, Paula! I mostly write application-level code, so infrastructure reliability/security good practices are not something I'm so familiar with. I'm really glad I happened upon your article today!
Paula, thanks so much for writing this! I learned a lot and the way you provided examples was very helpful.
Thank you! I'm glad you enjoyed!
Another tool that might help you with your Linux hardening quest is Lynis. The FOSS project has existed since 2007 and is still maintained.
Thanks for the nice article! Some other things to mention are selecting distributions which use SELinux (e.g. CentOS) or hardening the kernel with grsecurity patches (relevant mainly to Debian-Testing).