[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Security Hardening Tool - /usr/bin/hardening-enable by security-misc

/usr/bin/hardening-enable

It can be used to easily opt-in everything advanced. For now it has these features:


/usr/bin/hardening-enable --ssh

[Hide Hardware Info]
Enabling enable hide-hardware-info.service by running ‘systemctl enable hide-hardware-info.service’…
Success.

[NOEXEC]
Enabling noexec by creating file /etc/noexec …
Success.

[LKRG - Linux Kernel Runtime Guard]
LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf …
Success.


Or.

/usr/bin/hardening-enable --nossh

[Hide Hardware Info]
Enabling enable hide-hardware-info.service by running ‘systemctl enable hide-hardware-info.service’…
Success.

[NOEXEC]
Enabling noexec by creating file /etc/noexec …
Success.

[LKRG - Linux Kernel Runtime Guard]
LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf …
Success.

[Console Lockdown]
Enabling Console Lockdown by removing user ‘user’ from group ‘ssh’.
Success.


Over time, we can make it opt-in other things which are easily scriptable, for example from this list:

2 Likes

It should disable TCP SACK/DSACK/FACK too.

1 Like

On a second thought, I should nuke this tool. Scripts are opaque. Better to create another configuration package. security-paranoid or so where everything goes that is not ready for being enabled by default.

1 Like
1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]