
Wireless Hacking - Part10

SYSTEM HARDENING TOOLS AND TIPS


Improve system security using simple hardening principles and measures

In the tug of war between attacker and defenders, defenders need to secure the complete attack surface. In general, the attack surface is comprised of all possible entry points for an attacker. While the defenders or your system administrators need to mitigate every single existing attack vector, the attackers need to find just one single unprotected vector.

Applications usually ship with default settings, and these include things like a default username/password, making for an insecure default configuration. If an administrator does not change this configuration, criminals can easily compromise the application. By implementing system hardening, one can improve the effectiveness of protection and detection mechanisms many times over. The old saying that prevention is better than cure applies not only to humans but also to systems.

What you will learn:
What is System hardening
Hardening Process
Resources available for hardening
Windows tools to implement the hardening
Linux tools to implement the hardening

What you should know:
Basic knowledge of Linux & Windows
Knowledge about systems administration

SYSTEM HARDENING DEFINITION
Hardening: As per NIST 800-53, hardening is configuring a host operating system and application to reduce the host's security weaknesses.

A hardened operating system is one that has been configured or designed specifically to minimize the potential for compromise or attack.

GOALS OF HARDENING

FOR PREVENTION

    1. Decrease attack surface: This will make it difficult for an attacker to attack the system.
    2. Decrease available privileges: This will contain the attacker's ability to compromise high-privileged data.
    3. Decrease available components and information: This will decrease the software functions available to an attacker, as well as making it more cumbersome for an attacker to traverse further into the system. Ideally, attackers are stopped completely.

For example, if a system is supposed to host only a web server, hardening means closing all the other services that would be running by default on your OS, like network sharing, FTP, etc., which reduces the risk of attacks related to these services. Similarly, by making sure that the web server does not run with administrative/root privileges, we further reduce the risk of complete system compromise in case of a successful attack on the web server.

FOR DETECTION

    1. Increase the likelihood of detecting an attack on the system: If you know your system well enough in terms of its required components, which you get as a by-product of implementing the hardening, you know its normal behavior, and that knowledge helps you to detect any anomaly.
        For example, this includes knowing which web server configuration files do not change or which network services are commonly used on a host. This knowledge is a perfect baseline and will help in detecting attacks in the sense of security monitoring. On a hardened system, you increase the likelihood of successfully detecting an attack significantly in comparison to an unhardened system. As you analyze the system and its attack surface well enough through your hardening process, you can spot and understand any anomaly much better.

    2. Improve future security posture: By providing a baseline of a machine that is considered hardened, for example, with unneeded ports disabled by default or only required services running on an as-needed basis, you avoid repeating on each system the process of deciding what to set. On a hardened system, it is possible to identify the last weak spot that is currently abused by the attacker and to improve the future security posture.

If we know which configuration files of the web server should not change, and that only services like HTTP, DNS and DHCP are supposed to run on a system, we can easily identify any new service that has been installed or started by malicious programs, which leads to early detection of the compromise.

GUIDANCE FOR IMPLEMENTING HARDENING

HARDENING COMPONENTS
Every attacker is hoping for a badly configured component or a component with the default configuration, so instead of just sticking to the default configuration, you should consider what configuration may be the best fit for your environment and security needs and act accordingly. Depending on the actual component, such as a web server, recommendations for a secure configuration may exist. Ideally the vendor of that component has put out some security configuration information or even a template already. You can find a lot of different sources on hardening for most of the well-known and widely used software components. A very good starting point may be the best practice guides and benchmarks from the Center for Internet Security (CIS).

CIS not only publishes hardening guides but also predefined configurations that you can use with certain tools. Other sources may be sector-specific, such as PCI-DSS, the Federal Information Security Management Act (FISMA), NIST 800-53 and others, depending on the industry or sector in which you are operating. The key takeaway is to apply hardening not only to a whole system but to consider hardening of the individual components as well.


HARDENING CONSIDERATION BEFORE IMPLEMENTING
Before starting with the hardening process itself, first of all you should think about the security goal that you want to reach with your hardening measures. Next you need to understand the functionality of your system, the state the system is in and the existing components, as well as the relations and dependencies between those components. After that, you will need to identify what exactly needs hardening and which measures to apply. Again, a well-defined baseline can be your greatest ally in completing this task. The last step is to estimate the cost of certain measures and define the consequences of implementing and of not implementing those measures. If a defined measure is not suitable, you may need to rethink your security level and reiterate the previous step.

HARDENING PROCESS
While undergoing hardening, a system may need to be isolated from its current environment in order to implement a measure, which may lower the security of the system temporarily. This could happen if, for example, the firewall has to be turned off to install a new service on the system. In the next step, you need to verify that the system is in a secure state, for example, free from malware. After the system is determined to be clean, it is advisable to create an inventory of all components. The next step is the most crucial within the process: the actual deployment, namely the application of hardening measures to your system. Most of these measures consist of reconfiguring a component. It is highly advisable to check whether your measures are effective and how the attack surface has changed.

In the next step, we recommend generating a snapshot of the current hardening baseline and using it as a template for comparison and monitoring. If the system was isolated for hardening, it is now time to return it to its intended environment and to reuse the baseline as a hardening template for other similar systems. Note that this process is meant as a rough guide that takes into account the most critical steps; you may need to adapt it to your own needs.
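The baseline-driven detection described under the detection goals above and the snapshot/template step of this process, as an added example that is not part of the original article: a small Python model that hashes the configuration files that must not change, records the expected services and listening ports, stores them as a JSON template for similar hosts, and reports any drift. The file paths, service names and ports are constructed sample data.

```python
"""Hardening baseline snapshot and drift check (added example, not from the article).

Records which configuration files must not change and which services and
listening ports are expected on a hardened host, stores that as a reusable
JSON template, and compares later snapshots against it so a new service or a
tampered config shows up as an anomaly. All inputs are constructed in memory.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    config_hashes: dict   # path -> SHA-256 hex digest of the file content
    services: frozenset   # names of running services
    listeners: frozenset  # ("tcp" | "udp", port) pairs the host listens on


def take_snapshot(files, services, listeners):
    """Build a Snapshot from {path: bytes} plus observed services and ports."""
    hashes = {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}
    return Snapshot(hashes, frozenset(services), frozenset(listeners))


def to_template(snap):
    """Serialise a snapshot as JSON for reuse as a template on similar hosts."""
    return json.dumps({"config_hashes": snap.config_hashes,
                       "services": sorted(snap.services),
                       "listeners": sorted(snap.listeners)}, indent=2, sort_keys=True)


def from_template(text):
    """Inverse of to_template (JSON turns the port tuples into lists)."""
    raw = json.loads(text)
    return Snapshot(raw["config_hashes"], frozenset(raw["services"]),
                    frozenset((proto, int(port)) for proto, port in raw["listeners"]))


def compare(baseline, current):
    """Return every deviation from the baseline that monitoring should flag."""
    base, cur = baseline.config_hashes, current.config_hashes
    return {
        "changed_configs": sorted(p for p in base if p in cur and cur[p] != base[p]),
        "missing_configs": sorted(set(base) - set(cur)),
        "new_configs": sorted(set(cur) - set(base)),
        "new_services": sorted(current.services - baseline.services),
        "stopped_services": sorted(baseline.services - current.services),
        "new_listeners": sorted(current.listeners - baseline.listeners),
    }


def demo():
    """Constructed scenario: a web/DNS/DHCP host on which an FTP daemon appears."""
    baseline = take_snapshot(
        {"/etc/httpd/conf/httpd.conf": b"ServerTokens Prod\nUser apache\n",
         "/etc/named.conf": b"options { recursion no; };\n"},
        {"httpd", "named", "dhcpd"},
        {("tcp", 80), ("udp", 53), ("udp", 67)})
    template = to_template(baseline)  # this is what you would store and distribute
    later = take_snapshot(
        {"/etc/httpd/conf/httpd.conf": b"ServerTokens Prod\nUser root\n",  # edited
         "/etc/named.conf": b"options { recursion no; };\n"},
        {"httpd", "named", "dhcpd", "vsftpd"},  # unexpected new service
        {("tcp", 80), ("udp", 53), ("udp", 67), ("tcp", 21)})
    return compare(from_template(template), later)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the three inputs would come from reading the files, the service manager and the socket table; the comparison logic stays the same.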

Defense in depth is an approach to increase security by not relying on a single protective mechanism but applying multiple layers of defense. There is a correlation between the layers of the defense-in-depth principle and the impact of the hardening process on each layer.
Data: At the innermost (data) layer, many steps of the process apply. First we have to establish a valid state of the data, that is, assure that the data is not corrupted. Next we create an inventory of our data to know where which data is stored and which permissions apply to it. Then we need to check the attack surface, for example, by reviewing the access permissions.
Application: Moving up, the next layer is the application layer, which includes nearly the same steps as the data layer except for the last step. We create a baseline and a template based on the installed and now securely configured applications. This can be done, for example, by exporting the application configuration. On this layer, creating an inventory includes information about the software, like version, vendor and other characteristics, for example whether the software updates automatically.
Host: The next layer is the host layer, which includes similar steps but again different measures in comparison to the lower layers. Creating an inventory for the host includes information about the installed operating system, which hardware is in place and what the current state of the system configuration is. Mechanisms for creating a template for a host can range from creating a copy of the host as a virtual machine to using specialized tools for the template task.
Network and Perimeter: The two uppermost layers are the network and perimeter layers. Network layer measures include isolating the system from the network with a firewall. The perimeter layer goes a step further with measures such as physically isolating the system from other systems, as well as different types of network access control.

HARDENING GUIDES AND TOOLS

In this section, we will discuss some of the tools and ways you can use to harden your system. In order to give you some practical takeaways, we will take a closer look at resources and generic tools not tied to a specific platform, as well as tools specifically available for Windows and Linux. Let's start off with an overview of the hardening guidelines out there and where you can get additional specific guidance for different platforms.


General Sector: This includes generic guidance that is not specific to a platform and therefore contains abstract measures, as well as very sector-specific guidance, e.g. NIST 800-123 or NIST 800-53 and sector-specific compliance guidelines such as PCI-DSS and FISMA. This is a great starting point to get a feeling for what type of measures should be in place.
Cloud: Here you are well advised to look for vendor-specific hardening guidelines tied to the cloud platform.
Operating Systems: At this point, we would like to introduce some well-known security configuration guidelines. The most significant and up-to-date guides for operating systems come from the Center for Internet Security. Other vendor-independent sources are, for example, those coming from governments, like the Defense Information Systems Agency with its Security Technical Implementation Guides, also known as STIGs. If you are using Windows, these system configuration guides, as well as the official Microsoft Windows system guide, will help you harden a Windows system. Linux-specific hardening guides for major distributions and some secure configuration guidelines are available as well.
Applications: Moving to applications, we can refer to the CIS guides and vendor-specific hardening guides, for example for web servers, databases or other applications.
Besides CIS and the vendor, it is advisable to look at the best practices available from third parties.

GENERAL TOOL
CIS-CAT
The CIS Configuration Assessment Tool (CIS-CAT) is a generic and mostly platform-independent tool for configuration assessment. It can verify the system configuration against the newest benchmark available for your platform. The application is written in Java. It is fed with a benchmark template file and can therefore also be used for hardening checks at large scale.
You can download it from https://learn.cisecurity.org/cis-cat-landing-page

In addition to CIS-CAT, there is also a huge variety of commercial security auditing tools available which include checks of hardening measures and perform vulnerability scanning. These tools assess the state of a system from the network according to certain configuration standards, such as the ones from CIS, and can also check against user-defined templates. However, only a small fraction of these security audit tools are available for free.

TOOLS FOR WINDOWS
MICROSOFT BASELINE SECURITY ANALYZER (MBSA)
MBSA can be used with the Windows operating system family. It checks that all available updates are installed and can also detect the most common Windows misconfigurations, such as guest account settings. It also includes checks for a lot of Microsoft applications. It can be run remotely to analyze multiple systems and also has a command line interface. The generated HTML reports can't help you with automating your monitoring.
You need to download it from the Microsoft homepage
(https://www.microsoft.com/en-ca/download/details.aspx?id=7558). When you open it, the first screen gives you the choice between scanning a single machine, scanning multiple machines or reviewing an already existing report. The first option scans the local system.

On the next screen, you can set the parameters of the report by specifying the system name or IP address, the report name and what should be scanned.

After selecting what should be scanned, we start the scan process. It may take a while to conclude but after the scan finishes you can see a report with all the details. The header consists of the parameters of the scan followed by the results which show information about the test. You can view more detailed information for every result in the report.

WINDOWS APPLOCKER
AppLocker is an application control solution for Microsoft Windows available in several Windows versions. It is turned off by default. Windows AppLocker can be configured either through a snap-in in the Microsoft Management Console, through a module in PowerShell, or through Windows Group Policy. The second method allows management of AppLocker policies on a large range of clients within a Windows domain. The rule sets for Windows AppLocker are separated into five default categories, each applying to a certain type of application. For example, DLL rules handle files with the .dll or .ocx extension, and script rules manage certain scripting files.
Aside from manually defined rules, it can generate rules for applications automatically. These rules should be reviewed and tested before being deployed to production systems. We can define two different behaviors for the rules: either enforce a lockdown, or just log the violation and use the information for monitoring. Here is an example of how to block a script executing from your home directory, a common behavior exhibited by some malware.

To configure it using the Local Security Policy snap-in, under Application Control Policies we find the AppLocker entry. In the first section we see a description of the service and some helpful information. If we scroll down, we find the settings to configure the enforcement of rules, which we use to block the .bat file from running.

We can create a new script rule with a right click.

Then we can set the action to deny and select a user to whom we want to apply the rule.

Now we need to select how to identify the file to block; we choose Path. You have the option to add exceptions to your rule. Here we can see that a new rule was added to the rule enforcement tree.

We can test the rule by clicking on the script. No command window or error message should open. If we try to execute the script from the command line, we can see that it is blocked by group policy.

For more detailed information about what was blocked, we need to take a look at the system event log. In Event Viewer, navigate to the AppLocker entry and click on Script, where you can see the logged event about the script execution.

ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)
To be able to harden third-party applications running on Windows even when no source code is available, Microsoft developed the Enhanced Mitigation Experience Toolkit (EMET). It actively applies countermeasures against common exploitation techniques to application binaries at runtime. Imagine having an older version of a web server binary that needs to be in place for compatibility reasons: EMET lets you harden such a dangerous element. You can use EMET to harden nearly every Windows application at runtime. It not only blocks exploitation attempts but also limits the actual impact they can have. There are many mitigations built into EMET which can be activated on a per-application basis. To run EMET, you only need a Windows installation and the .NET Framework 4.0. It can be integrated into domain GPOs to make a large deployment feasible. Initial compatibility testing is required, as some legacy applications may not run with some mitigations.

It is completely free. There are more free tools from Microsoft that improve system hardening, for example BitLocker, which encrypts hard drives and increases the physical security of systems. Finally, Device Guard was introduced with Windows 10 and hardens the integrity of the system by using a combination of hardware features, such as the Trusted Platform Module, and software features, like code signing. Incorporating these OS tools can increase the protection of Windows platforms against different types of attackers.

TOOLS FOR LINUX
OPENSCAP
OpenSCAP is an implementation of the NIST SCAP (Security Content Automation Protocol) standard, a standardized way to define system audit policies, among other things. The policies created for the tool can be used for a whole platform or for a single application. With it, along with auditing your platforms, you can also apply measures automatically. You can find SCAP content and secure configuration guides in the National Checklist Program Repository, the U.S. Government repository of publicly available security checklists for the configuration of operating systems and applications.

It can be downloaded from https://www.open-scap.org/tools/openscap-base/


We can run a PCI-DSS compliance test with OpenSCAP on a RHEL7 system using a number of parameters. The first option specifies XCCDF as the source format. With the next parameter we say we want to do an evaluation, with the next we give an output file for the report, and the second-to-last option selects the profile from the XCCDF document. The last option is the XCCDF file itself, where all policies and profiles for checking are defined. You can get to know the other available parameters for running a scan by referring to the corresponding manual.


With the above command, you can generate an HTML report. The header includes the text about the scan policy, parameters and other interesting information.

The report contains information about compliance with the SCAP security benchmark, the achieved score, and the results of every test. The results show how many rules passed, how many failed and how many didn't execute as expected.

The report additionally shows the impact of the failed rules, categorized as low, medium and high severity, and the score at the end of this section indicates the compliance state of the system against the policy.
The main part of the report contains the detailed result of every test, the test description, and information about how the test was done and how to fix your configuration if the test failed.
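As an added example (not from the article or the OpenSCAP project), the following Python reads the XCCDF results XML that `oscap xccdf eval --results` writes alongside the HTML report and derives the same figures the report presents: passed, failed and not-checked rules, failures grouped by severity, and the compliance score. The embedded XML and its rule ids are a constructed sample, not real SCAP Security Guide content.

```python
"""Summarise OpenSCAP XCCDF results (added example, not part of the article).

Besides the HTML report, `oscap xccdf eval --results results.xml ...` writes an
XML TestResult with one rule-result per rule. This reads that XML and derives
the figures the report shows: rules passed / failed / not checked, failures by
severity, and the score. SAMPLE_RESULTS is a constructed sample with made-up
rule ids, not real SCAP Security Guide content.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_pci-dss">
    <profile idref="xccdf_example_profile_pci-dss"/>
    <rule-result idref="xccdf_example_rule_no_empty_passwords" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_no_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_aide_installed" severity="low">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub_password" severity="medium">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return result counts, failed rule ids grouped by severity, and the score."""
    root = ET.fromstring(xml_text)
    test = root.find("x:TestResult", NS)
    if test is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    counts, failed = Counter(), {}
    for rr in test.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        if outcome == "fail":
            # severity is optional in XCCDF; report a missing one as "unknown"
            failed.setdefault(rr.get("severity", "unknown"), []).append(rr.get("idref"))
    score = test.find("x:score", NS)
    return {
        "counts": dict(counts),
        "failed_by_severity": failed,
        "score": float(score.text) if score is not None else None,
        "max_score": float(score.get("maximum", "100")) if score is not None else None,
    }


def compliance_percent(summary):
    """Score as a percentage of the maximum, the figure the report's header shows."""
    if summary["score"] is None or not summary["max_score"]:
        return None
    return round(100.0 * summary["score"] / summary["max_score"], 1)


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(s["counts"], s["failed_by_severity"], compliance_percent(s))
```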

LYNIS

Lynis is a tool for Linux and other Unix-like systems that checks a host for common hardening measures and gives feedback about their status. A hardening index is created which sums up the hardening state in a single score. The tests and policies are written by CISOFY and are updated regularly. The tests are run from a command line interface, and CISOFY also offers a commercial version. Lynis can also be extended with plugins.
To download, go to https://cisofy.com/download/lynis/
The following command runs all tests against our system without stopping to ask questions (quick mode):
$ lynis audit system -Q
Now the tool conducts the system checks. You can see the tests that are being run and their status. It also writes to a log file for further use.

After Lynis has collected all results, you can see a short summary of this, which consists of the hardening index score, the location of log files and some general info. Now it's up to you to decide whether you are satisfied with that benchmark or want to improve the hardening posture.

SUMMARY
The main goal of hardening is to reduce the attack surface and the privileges available in case of a successful attack. It can help in the early detection of attacks. Hence hardening has to be at the core of your security strategy. While implementing hardening, keep the end users' requirements in mind, as it may impact their ability to work. Hardening has an impact on every defense-in-depth layer, as each layer requires similar steps but different measures. There are many tools and much guidance available to implement hardening for your specific environment and sector. These tools provide the ability to create a baseline and automate the hardening process. Most of the tools are free and can easily be incorporated into your SDLC.
