Why Linux security hardening scripts might backfire
System administrators and engineers love to automate things. In the quest to get everything replaced by a script, automated hardening of systems is often requested. Unfortunately, this automation might later backfire, resulting in damaged trust in system hardening.
Why System Hardening?
Increasing system defenses is a good practice. It helps protect your valuable data, so that it can only be used by authorized people. System hardening itself consists of minimizing services and removing unneeded ones. This also applies to access to the system, by reducing the number of users, network access and protocols. Last but not least, it involves changing software configurations to include the encryption of data and to add additional authentication layers.
Hardening Scripts
More and more hardening solutions pop up that promise to simplify hardening. Sure, system hardening is good, and so is automation. But there is no “one size fits all” solution when it comes to system hardening. Each system is different and needs a different level of protection. Your personal notebook might actually perform badly while browsing if some network settings are adjusted by a Linux hardening script.
Alternatives
Normally I wouldn’t mind naming a few alternatives to our security auditing tool Lynis. In this case I feel strongly that promoting hardening scripts will actually weaken your security. You might end up taking a shortcut and be left with a false sense of security. Or worse...
Security risks
Some hardening scripts even download external files which they don’t control themselves. As hardening requires root permissions, this is definitely a serious risk. Automating your security controls is fine, but ensure you have 100% control over what is being automated. Another concern is proper testing, which might be hard if you don’t know what the tool is doing.
The Alternative = Auditing + Automation
Instead of just automatically hardening Linux systems with a script, use a combination of auditing together with a configuration management tool like Puppet. This way it is easy to detect what might be improved, while at the same time applying automation.
Tailored security
Sure, you might think that we would always advise using an auditing tool, as we created one. But actually, it is free and open source. We honestly believe that measuring security and then acting on it appropriately is the better way to deal with information security. Just running a hardening tool will definitely not give you the security level tailored to your needs, but it might give a false feeling of security.
Continuous security monitoring
When using the combination of auditing and automation, divide systems by category, customer, role or any custom attribute. Then give each group the security policy it deserves and finally measure again with the auditing tool.
This way of working is also often referred to as the PDCA cycle (plan, do, check, act), providing continuous auditing and monitoring.
By using the right combination of testing, researching, applying and testing again, you will enforce your security defenses more appropriately.
Know Your Hardening
Last but not least, we didn’t go into the importance of knowing what you harden and why. For example, changing kernel settings or installing a firewall might need specific knowledge. What is the point of applying hardening when some settings are not even applicable? Or adding firewall rules while the firewall itself is not even running?
Each security control requires some knowledge about the subject. That’s why we provided our tool: first to detect what might be improved, and second to provide the related background information. Then your expertise in your environment comes into play, where you can determine what controls are appropriate. A ready-to-use Linux hardening script will never beat that.
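The measure-first step described under "Continuous security monitoring" and "Know Your Hardening", sketched as an added example (it is not part of the original article and is not Lynis code): it compares kernel settings with a per-role policy and only reports, flagging settings that do not exist on the system instead of trying to apply them. The policy file format, the "webserver" role and the sample tree are assumptions constructed for the illustration.

```shell
# Added example: audit-only check of kernel settings against a per-role policy.
# audit_sysctl POLICY_FILE [PROC_ROOT]
#   POLICY_FILE  sysctl.conf-style "key = value" lines, '#' comments allowed
#   PROC_ROOT    defaults to /proc/sys; overridable so the check runs offline
# Prints OK, DRIFT or NOT_APPLICABLE per key; returns 1 if any key drifted.
# Nothing is changed on the system; enforcement stays with configuration management.
audit_sysctl() {
    policy=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS='=' read -r key want || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $key in ''|'#'*) continue ;; esac
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            # The setting does not exist on this kernel: report it, do not "fix" it.
            echo "NOT_APPLICABLE $key"
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK $key = $have"
        else
            echo "DRIFT $key have=$have want=$want"
            rc=1
        fi
    done < "$policy"
    return "$rc"
}

# Constructed sample: a fake /proc/sys tree and a hypothetical "webserver" role policy.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/proc/net/ipv4" "$d/proc/kernel"
    echo 1 > "$d/proc/net/ipv4/ip_forward"
    echo 2 > "$d/proc/kernel/randomize_va_space"
    cat > "$d/webserver.policy" <<'EOF'
# role: webserver (constructed)
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
kernel.not_on_this_kernel = 1
EOF
    echo "$d"
}

sample=$(make_sample)
audit_sysctl "$sample/webserver.policy" "$sample/proc" || echo "policy not met"
rm -rf "$sample"
```

Run against the real system by omitting the second argument; the DRIFT lines are the input for the configuration management change, and the same command is the re-check afterwards.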
Happy hardening!