What is OS Hardening ?

• OS Hardening refers to the process of securing an operating system by minimizing its attack surface. This involves:

• Removing unnecessary services, packages, and dependencies to reduce potential security risks.
• Closing unused ports to prevent unauthorized access.
• Using minimal base images to limit vulnerabilities and reduce exposure.

I’ve created a basic OS Hardening checklist that covers essential security practices for Windows 11 and RHEL/Ubuntu systems.
For now, I’ve focused on implementing and testing the hardening steps specifically on Ubuntu.

The checklist includes practical steps I’ve performed, verified, and documented. You can find the detailed breakdown in the sections below:

📥 You can download the OS Hardening checklists in Excel format:

• 🐧 Linux OS Hardening Checklist
• 🪟 Windows OS Hardening Checklist

---

📚 Table of Contents

• Preparation and Installation 🛡️
  • Protecting a Newly Installed Machine from Network Threats
  • Set a BIOS/Firmware Password 🔒
  • Configure The Device Boot Order To Prevent Unauthorized Booting From Alternate Media
  • Disable USB Usage
  • Use the latest version of Ubuntu possible
  • Lock Physical Console Access
• Filesystem Configuration 📁
  • Create a separate partition with the nodev, nosuid, and noexec options set for /tmp
  • Create separate partitions for /var, /var/log, /var/log/audit, and /home
  • Bind mount /var/tmp to /tmp
  • Set nodev option to /home
  • Set nodev, nosuid, and noexec options on /dev/shm
  • Set sticky bit on all world-writable directories
  • Enable Hard/Soft Link Protection
  • Disable Uncommon Filesystems
  • Lock The Boot Directory
• System Updates 🛡️
  • Enable Unattended Security Updates on Ubuntu
  • Enable APT GPG Key Verification on Ubuntu
• Secure Boot Settings 🔒
  • Set User/Group Owner to Root, and Permissions to Read and Write for Root Only, on /boot/grub2/grub.cfg
  • Set Boot Loader Password
• Process Hardening ⚙️
  • Restrict Core Dumps
  • Enable Randomized Virtual Memory Region Placement
• OS Hardening
  • Remove Legacy Services
  • Remove xinetd/inetd if Not Needed⚙️
  • Disable or Remove Unused Services
  • Set Daemon Umask
• User Account Management 👤
  • Limit Administrator Privileges to only Necessary Accounts
  • Setting Up SUDO for User with Only Certain Delegated Privileges
  • Check User Home Directory is Accessible by other User or Not
  • Enforcing Strong Password Criteria
  • Check User Are Using Old Password As new Password or Not
  • Set Auto Logout for Inactive Users
  • Configure Account Lockout Policy 🔒
  • Configure Password Expiry Date
  • Configure Account Expiry Date Of Temporary Account 👤
  • Monitor and Remove Inactive Users
  • Disable Unused System Accounts
  • Restrict Use of Empty Passwords
• Network Security 🛡️
  • Restrict Service Access to Authorized Users via Firewalls & Controls
  • Disable IP forwarding
  • Disable Send Packet Redirects
  • Disable Source Routed Packet Acceptance
  • Disable ICMP Redirect Acceptance
  • Enable Ignore Broadcast Requests
  • Enable Bad Error Message Protection
  • Enable TCP/SYN Cookies
  • Close Unused Open Ports
  • Log Suspicious Packets (log_martians)
• Remote Access and Secure Communication 🤖
  • Secure SSH
  • Use VPNs for Secure Remote Access
• Logging and Monitoring ⚠️
  • Enable System Auditing
  • Enable Logging for Critical System Files
  • Monitor Login Failures
  • Implement ClamAV For Ubuntu
  • Scanning for Misconfigurations & Vulnerabilities
• Kernel Hardening
  • Enable and Configure SELinux
  • Disable IPv6 if Not Needed
  • Enable Address Space Layout Randomization (ASLR)
• Security Awareness and Training 👨🏻‍💻
  • Security Awareness Training
  • Incident Response Planning