Are security hardening guides still useful?

This was the big question we asked ourselves recently while reading a few of them. With Linux and other Unix systems being decently hardened by default, does it still make sense to invest a lot of time in hardening your system?

Hardening guides

Years ago, both Windows and Linux were easy targets. A lot of system software was installed by default, and these services were often targeted by malicious people and scripts. Then hardening guides came along, explaining how to secure these services and protect systems.

Minimal installation

After hardening guides became normal practice, vendors were forced to offer at least an option for a “clean” installation, that is, an installation with only the bare minimum installed. Under Linux these kinds of installations were often called “minimal”, resulting in a quick installation with only those components needed to run the system. Depending on the role, additional software could then be installed.

Do we still need them?

With vendors delivering better hardened system installations, one could argue that the need for hardening guides has dropped as well. Still, we think the need will remain for many more years to come. After all, a system without running software is similar to a house where no one lives. It is possible, yet not really useful.

Hardening of software

While the operating system may be better hardened already, many software components are not. Usually they will never be hardened out of the box, as they need to provide functionality. Secure by default is a nice thing, but most people prefer something that works over something that is secure.

In other words, hardening guides will remain useful. The focus will be more on individual software components and less on the operating system. This is also the reason why our auditing tool Lynis does more than just audit the operating system. Security is the combination of a hardened base system, properly configured system components, a focus on networking, and more. Only if every link in the chain is strong enough can you rely on the system for your precious operations.

Feedback


This article has been written by our Linux security expert Michael Boelen. With a focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
