Use OpenSCAP to automatically scan a RHEL 7 or CentOS 7 server and get a report of which settings comply with CIS or STIG policies.
Apply the firewall and user account hardening steps to reduce the attack surface of a freshly provisioned Linux server.
Use the guide as a reference when working toward PCI-DSS or NIST 800-53 compliance in a regulated environment.
Adapt the OpenSCAP scan profiles to audit any Linux distribution's configuration against named security benchmarks.
Requires a RHEL 7 or CentOS 7 system and familiarity with Linux administration. Applying changes to a production server without testing can break services.
This is a guide for making Linux servers more secure, written as a practical reference rather than an official standard. Hardening refers to the process of reducing a system's attack surface by changing default settings, disabling unnecessary services, tightening access controls, and configuring the system to follow recognized security benchmarks. Out of the box, a Linux server is set up for convenience and broad compatibility, not for security, so there is real work involved in tightening it down.

The guide is structured around industry-recognized compliance frameworks rather than informal advice. The main references are the Center for Internet Security benchmarks and the DISA STIG specifications, both of which are widely used in government and enterprise environments. Following these standards is shown to address 80 to 95 percent of known vulnerabilities in a typical configuration. The guide also references NIST 800-53 and PCI-DSS for readers working in regulated industries.

For actually applying the checks, the guide uses OpenSCAP, a tool that can automatically scan a system and report on which settings comply with a chosen policy and which do not. Several OpenSCAP configurations are referenced, tuned for Red Hat Enterprise Linux 7 and CentOS 7, which are the distributions this guide is tested on. Other distributions can use most of the same guidance even if the exact commands differ.

Each section follows a consistent structure: a rationale explaining why a change matters, a solution aligned with a named policy, comments with practical context, and links to further reading. The guide covers areas like user account management, firewall configuration, software maintenance, and general principles such as avoiding running services as root and limiting installed software to what is actually needed.
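An added example, not code from the guide or from the OpenSCAP project: a Python script that reads an XCCDF 1.2 results file of the kind `oscap xccdf eval --results` writes and reports which rules failed (worst severity first) and which were never actually verified. The sample XML, its rule ids and its score are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
NEEDS_REVIEW = {"error", "unknown", "notchecked"}   # control was not verified
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in the shape of an XCCDF results file; ids and score are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
 <TestResult id="xccdf_example_testresult_1">
  <rule-result idref="rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="rule_service_firewalld_enabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="rule_no_empty_passwords" severity="high"><result>fail</result></rule-result>
  <rule-result idref="rule_grub2_uefi_password" severity="high"><result>notapplicable</result></rule-result>
  <rule-result idref="rule_partition_for_tmp" severity="low"><result>notchecked</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">33.33</score>
 </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return counts, failed rules (worst severity first) and unverified rules."""
    root = ET.fromstring(xml_text)
    test = root.find(".//x:TestResult", NS)
    if test is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    counts, failed, review = Counter(), [], []
    for rr in test.findall("x:rule-result", NS):
        result = (rr.findtext("x:result", default="unknown", namespaces=NS) or "unknown").strip()
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
        elif result in NEEDS_REVIEW:
            review.append(rr.get("idref"))
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 3), f[1]))
    evaluated = counts["pass"] + counts["fail"]  # notapplicable/notselected excluded
    score = test.findtext("x:score", namespaces=NS)
    return {
        "counts": dict(counts),
        "failed": failed,
        "needs_review": review,
        "pass_rate": counts["pass"] / evaluated if evaluated else None,
        "score": float(score) if score else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["counts"], "pass rate: %.0f%%" % (100 * report["pass_rate"]))
    for severity, rule in report["failed"]:
        print("FAIL", severity, rule)
```

Rules reported under `needs_review` matter as much as failures: a scan that could not check a control says nothing about whether the system complies with it.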
← trimstray on gitmyhub — every repo by this author, as a profile.