This simple checklist is meant to help you deploy the most important hardening measures across GNU/Linux production systems. Thanks to Trimstray.
The Linux Hardening Checklist is an open-source resource designed to help administrators secure GNU/Linux production systems by reducing their attack surface and eliminating potential vulnerability vectors.
The main features and functionalities of this guide include:
The tool organizes hardening tasks into critical system areas to ensure a comprehensive security posture:
Partitioning & Storage: Instructions for using separate partitions (e.g., /boot, /home, /var/log) and restricting mount options such as nodev, nosuid, and noexec.
Kernel Hardening: Methods to restrict access to kernel logs and kernel pointers, enable ExecShield, and enable address space layout randomization (ASLR).
User & Access Management: Guidelines for enforcing strong PAM password policies, setting auto-logout for inactive users, and locking accounts after failed login attempts.
Network Security: Rules for enabling TCP SYN Cookie protection and disabling dangerous protocols like IP source routing and ICMP redirects.
System Integrity: Protections for bootloader configuration files and the enforcement of SELinux in "Enforcing" mode.
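The script below is an added example, not part of the trimstray checklist itself: a read-only POSIX shell audit of a handful of the items in the areas just listed (separate partitions with nodev/nosuid/noexec, SYN cookies, IP source routing, ICMP redirects, kernel pointer and log restriction, ASLR, and SELinux in Enforcing mode). The function names, the expected sysctl values and the per-mount-point option sets are this example's own assumptions, chosen from common hardening practice; findmnt and getenforce are the standard util-linux and SELinux tools.

```shell
#!/bin/sh
# Added example, not part of the trimstray checklist: a read-only audit of a
# few of the items it covers. Function names, expected values and the
# per-mount-point option sets are this example's own assumptions.

# has_mount_option OPTIONS OPTION
# OPTIONS is the comma-separated list shown by findmnt(8)/mount(8), e.g.
# "rw,nosuid,nodev,noexec,relatime". Whole options only: "nodev" must not
# match "nodevice".
has_mount_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_mount_options OPTIONS REQUIRED...
# Prints the required options that OPTIONS lacks, space-separated.
missing_mount_options() {
    opts=$1; shift
    missing=""
    for want in "$@"; do
        has_mount_option "$opts" "$want" || missing="$missing $want"
    done
    printf '%s' "${missing# }"
}

# sysctl_ok NAME EXPECTED [ACTUAL]
# Succeeds when the kernel parameter equals EXPECTED. ACTUAL is read from
# /proc/sys when omitted; passing it explicitly keeps the check testable
# without a live kernel.
sysctl_ok() {
    name=$1; expected=$2
    if [ $# -ge 3 ]; then
        actual=$3
    else
        path="/proc/sys/$(printf '%s' "$name" | tr . /)"
        [ -r "$path" ] || return 1
        actual=$(cat "$path")
    fi
    [ "$actual" = "$expected" ]
}

# audit_host: run the checks on this machine, print PASS/FAIL/WARN per item
# and return non-zero if anything failed. Nothing is modified.
audit_host() {
    rc=0
    if command -v findmnt >/dev/null 2>&1; then
        for mp in /boot /home /var/log /tmp; do
            # --target resolves to the mount containing the path; if that is
            # not the path itself, the directory is not a separate partition.
            if [ "$(findmnt -n -o TARGET --target "$mp" 2>/dev/null)" != "$mp" ]; then
                echo "WARN $mp is not a separate partition"; rc=1; continue
            fi
            opts=$(findmnt -n -o OPTIONS --target "$mp")
            case $mp in
                /home) want="nodev nosuid" ;;          # users need exec here
                *)     want="nodev nosuid noexec" ;;
            esac
            m=$(missing_mount_options "$opts" $want)
            if [ -n "$m" ]; then echo "FAIL $mp lacks: $m"; rc=1
            else echo "PASS $mp ($want)"; fi
        done
    else
        echo "WARN findmnt not found; mount options not checked"
    fi

    for pair in net.ipv4.tcp_syncookies=1 \
                net.ipv4.conf.all.accept_source_route=0 \
                net.ipv4.conf.all.accept_redirects=0 \
                kernel.randomize_va_space=2 \
                kernel.dmesg_restrict=1; do
        name=${pair%%=*}; expected=${pair#*=}
        if sysctl_ok "$name" "$expected"; then echo "PASS $name=$expected"
        else echo "FAIL $name is not $expected"; rc=1; fi
    done
    # kptr_restrict=1 hides kernel pointers from unprivileged users, 2 from
    # everyone; either value satisfies the checklist item.
    if sysctl_ok kernel.kptr_restrict 1 || sysctl_ok kernel.kptr_restrict 2; then
        echo "PASS kernel.kptr_restrict"
    else echo "FAIL kernel.kptr_restrict should be 1 or 2"; rc=1; fi

    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
        if [ "$mode" = "Enforcing" ]; then echo "PASS SELinux $mode"
        else echo "FAIL SELinux is $mode"; rc=1; fi
    else
        echo "WARN getenforce not found; SELinux mode not checked"
    fi
    return $rc
}

# Usage: sh audit.sh --audit   (without the flag only the functions are defined)
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --audit` on a host to get one PASS/FAIL/WARN line per item and a non-zero exit on any failure, which makes it easy to wire into a cron job or a configuration-management check. The comparison functions accept their inputs as arguments so the matching logic (whole-option matching, expected-value comparison) can be exercised on constructed values without touching the running kernel.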
To help administrators manage their workflow, the checklist uses a three-level priority system:
Low (*): Important but non-critical items.
Medium (**): Significant items that should not be skipped.
High (***): Mandatory rules that must be implemented to ensure basic security.
Actionable Commands: Every rule includes specific command-line examples or configuration file edits (e.g., sysctl configurations or fstab entries) to facilitate direct implementation.
OpenSCAP Compatibility: The list is designed to be compatible with the Security Content Automation Protocol (SCAP) standard, allowing it to work alongside automated auditing tools like OpenSCAP or Nessus.
Progress Tracking: Each section concludes with a summary checklist (checkboxes) so users can visually track their deployment status across the system.