Security Hardening Tool - /usr/bin/hardening-enable by security-misc

/usr/bin/hardening-enable

It can be used to easily opt in to everything advanced. For now it has these features:


/usr/bin/hardening-enable --ssh

[Hide Hardware Info]
Enabling enable hide-hardware-info.service by running ‘systemctl enable hide-hardware-info.service’…
Success.

[NOEXEC]
Enabling noexec by creating file /etc/noexec …
Success.

[LKRG - Linux Kernel Runtime Guard]
LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf …
Success.


Or:

/usr/bin/hardening-enable --nossh

[Hide Hardware Info]
Enabling enable hide-hardware-info.service by running ‘systemctl enable hide-hardware-info.service’…
Success.

[NOEXEC]
Enabling noexec by creating file /etc/noexec …
Success.

[LKRG - Linux Kernel Runtime Guard]
LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf …
Success.

[Console Lockdown]
Enabling Console Lockdown by removing user ‘user’ from group ‘ssh’.
Success.


Over time, we can make it opt in to other things which are easily scriptable, for example from this list:

2 Likes
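
A read-only check of the state that the output above reports, as an added example that is not part of the original post or of security-misc. The function names and the ROOT prefix argument are hypothetical; it assumes an enabled unit shows up as a symlink in a `*.wants` directory under /etc/systemd/system and checks only supplementary group membership in /etc/group.

```shell
#!/bin/sh
# Added example: read-only audit of the state reported by the output above.
# ROOT is a hypothetical prefix (empty = live system) so the same checks can
# run against a mounted image or a constructed test tree.
# Usage: audit_hardening            (live system, user 'user')
#        audit_hardening /mnt/img user

# Print "yes" if USER is a supplementary member of GROUP in ROOT/etc/group.
in_group() {  # in_group ROOT USER GROUP
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { print (f ? "yes" : "no") }' "$1/etc/group"
}

# Assumption: an enabled unit appears as a symlink in some *.wants directory.
unit_enabled() {  # unit_enabled ROOT UNIT
    for link in "$1"/etc/systemd/system/*.wants/"$2"; do
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# Print one "check=state" line per item; return 0 only if the three items
# that both --ssh and --nossh set are all in place.
audit_hardening() {  # audit_hardening [ROOT] [USER]
    root="${1:-}"; user="${2:-user}"; rc=0
    if unit_enabled "$root" hide-hardware-info.service; then
        echo "hide-hardware-info=enabled"
    else
        echo "hide-hardware-info=disabled"; rc=1
    fi
    if [ -e "$root/etc/noexec" ]; then
        echo "noexec=present"
    else
        echo "noexec=absent"; rc=1
    fi
    if [ -e "$root/etc/sysctl.d/40-security-misc-autogenerated.conf" ]; then
        echo "lkrg-sysctl=present"
    else
        echo "lkrg-sysctl=absent"; rc=1
    fi
    # Console Lockdown is applied only by --nossh, so report it without failing.
    echo "user-in-ssh-group=$(in_group "$root" "$user" ssh)"
    return "$rc"
}
```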

It should disable TCP SACK/DSACK/FACK too.

1 Like

On second thought, I should nuke this tool. Scripts are opaque. Better to create another configuration package, security-paranoid or so, where everything goes that is not ready for being enabled by default.

1 Like