
Linux Hardening


11 cards — 🟢 3 easy | 🟡 5 medium | 🔴 3 hard

🟢 Easy (3)

1. What are the three SELinux modes, and how do you check the current mode?

Enforcing (policies enforced, violations blocked and logged), Permissive (policies not enforced, violations logged only), Disabled (SELinux completely off). Check with getenforce (quick) or sestatus (detailed). Use setenforce 0/1 to toggle temporarily; edit /etc/selinux/config for persistence.

2. Name five SSH hardening settings you should configure in /etc/ssh/sshd_config.

PermitRootLogin no, PasswordAuthentication no (use keys only), MaxAuthTries 3, X11Forwarding no, and AllowUsers <users>. Additional settings: ClientAliveInterval 300, ClientAliveCountMax 2, LogLevel VERBOSE. Always restrict ciphers and MACs to strong algorithms.

3. How do you find SUID and SGID binaries on a system, and why should you audit them?

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null. SUID binaries run with the file owner's privileges (often root), making them privilege escalation vectors. SGID binaries run with the group's privileges. Audit them regularly and remove unnecessary SUID bits with chmod u-s.

🟡 Medium (5)

1. What are CIS Benchmarks, and what categories do they cover for Linux hardening?

CIS (Center for Internet Security) Benchmarks are the gold standard for compliance auditing. Categories include: filesystem configuration, software updates, filesystem integrity (AIDE), boot settings, process hardening (ASLR, core dumps), mandatory access control (SELinux), network configuration, firewall, logging/auditing, PAM/password policies, SSH configuration, and user accounts.

2. How do you configure PAM to enforce password complexity and lock accounts after failed login attempts?

Password complexity: use pam_pwquality.so with options like minlen=14, dcredit=-1, ucredit=-1, ocredit=-1, lcredit=-1. Account lockout: use pam_faillock.so with deny=5 and unlock_time=900 (lock for 15 minutes after 5 failures). Restrict su to the wheel group with pam_wheel.so use_uid in /etc/pam.d/su.

3. Name five important sysctl settings for Linux hardening and explain what they do.

kernel.randomize_va_space=2 (enable ASLR), net.ipv4.tcp_syncookies=1 (SYN flood protection), net.ipv4.conf.all.accept_redirects=0 (disable ICMP redirects), kernel.dmesg_restrict=1 (restrict dmesg to root), kernel.yama.ptrace_scope=1 (restrict process tracing). Persist in /etc/sysctl.d/99-hardening.conf and apply with sysctl -p.

4. An application cannot read files in its data directory due to SELinux. How do you diagnose and fix this?

1) Check for denials: ausearch -m avc -ts recent. 2) Inspect file contexts: ls -Z on the directory. 3) If the context is wrong, fix it with: semanage fcontext -a -t <type> "/path/to/data(/.*)?" then restorecon -Rv /path/to/data/. 4) Check booleans: getsebool -a | grep <keyword>. 5) If a boolean fix exists, use setsebool -P <boolean> on.

5. How do you configure auditd to monitor changes to critical system files?

Add watch rules to /etc/audit/rules.d/hardening.rules. Examples: -w /etc/passwd -p wa -k identity (watch passwd for writes/attribute changes), -w /etc/shadow -p wa -k identity, -w /etc/sudoers -p wa -k actions, -w /etc/ssh/sshd_config -p wa -k sshd. The -k flag sets a key for searching. Make the configuration immutable with -e 2 (requires a reboot to change).

🔴 Hard (3)

1. Explain the SELinux context format and how type enforcement works in targeted policy.

Context format: user:role:type:level. In targeted policy, the type field matters most. Processes have types (e.g., httpd_t) and files have types (e.g., httpd_sys_content_t). Policy rules define which process types can access which file types. For example, httpd_t can read httpd_sys_content_t but not other types, confining Apache even if it is compromised.

2. How do you create a custom SELinux policy module to allow a specific denied action?

1) Find the denial: ausearch -m avc -ts recent. 2) Generate a policy module: ausearch -m avc -ts recent | audit2allow -M mypolicy. 3) Review the generated policy: cat mypolicy.te (verify it is not overly permissive). 4) Install the module: semodule -i mypolicy.pp. Always review before applying; audit2allow can generate overly broad policies that weaken security.

3. What are the most common Linux hardening mistakes that undermine security?

Disabling SELinux instead of fixing the policy. Not persisting changes (setenforce 1 and sysctl -w do not survive a reboot). Leaving default SSH keys. Blindly applying CIS benchmarks without understanding the workload. Auditing every syscall (fills the disk, degrades performance). Building hardened AMIs that drift without re-hardening. Not testing changes in staging first.