22%
of Linux servers in enterprise environments meet CIS Level 1 baseline without remediation
68%
of Linux server breaches exploit default or unchanged configuration settings
4x
longer median time to detect intrusion on unhardened Linux vs. hardened systems with auditd
41%
of enterprises use configuration management (Ansible, Puppet, Chef) for security baseline enforcement

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Linux server hardening has no equivalent to Windows Group Policy. There is no centralized console to push 250 security settings to 400 servers simultaneously. On Linux, hardening is a configuration management problem: the settings exist in dozens of configuration files across the filesystem, they vary between RHEL/CentOS and Ubuntu/Debian distributions, and applying them without breaking production services requires knowing which controls are safe to apply universally and which ones have service-specific interactions that need exceptions. The CIS Linux benchmarks are the most widely accepted starting point for Linux hardening, providing scored controls with rationale and remediation instructions. The practical challenge is that applying all 250 CIS Level 1 controls to a production server without testing will break things. Not dramatically, and often not immediately, but predictably. This guide covers the control categories most worth implementing first, the controls that break web servers and databases in specific predictable ways, the auditd configuration that provides detection capability rather than just hardening, and the Ansible structure that makes consistent enforcement across hundreds of servers operationally feasible.

Why Linux Hardening is Different from Windows

Windows servers in a domain environment receive security configuration through Group Policy Objects (GPOs) pushed from domain controllers. An administrator defines a policy once and it applies to thousands of servers. Compliance is measured by RSOP (Resultant Set of Policy) reports. Linux has no equivalent. There is no native equivalent to GPOs, no native remote policy enforcement mechanism, and no central compliance reporting console built into the OS. Every security setting is a configuration file edit, a sysctl parameter, a service enablement or disablement, or a PAM module configuration. There is also significant heterogeneity across Linux distributions. The CIS benchmark for RHEL 9 has different specific instructions than the benchmark for Ubuntu 22.04. Filesystem paths differ, package names differ, service management commands differ, and PAM module configurations differ. Organizations running both RHEL-family and Debian-family distributions need separate hardening procedures and separate Ansible roles for each distribution family. The root account is also a structural difference. On Linux, root always exists. It cannot be disabled the way the Windows built-in Administrator account can be disabled. Root access protection requires controlling the paths to root: disabling direct root SSH login, requiring sudo for privilege escalation, auditing sudo usage, and restricting which users can use sudo. These controls are well-defined in the CIS benchmark but require correct implementation of SSH configuration, sudoers configuration, and PAM.

CIS Level 1 vs. Level 2: What the Distinction Means in Practice

The CIS Benchmark divides controls into Level 1 and Level 2. Level 1 controls are defined as controls that are reasonable for almost any production system, that do not significantly impact system functionality, and that provide measurable risk reduction. Level 2 controls are appropriate for high-security environments and may have more significant functional impacts or require more careful evaluation before implementation. The Level 1 / Level 2 distinction is a starting point, not a hard rule for what to implement. Some Level 1 controls do break specific production workloads in predictable ways (covered in the next sections). Some Level 2 controls are safe for specific server types that do not run the services they affect. The most commonly cited Level 2 controls that organizations skip include mandatory access control requirements (SELinux enforcing mode on RHEL, AppArmor on Ubuntu) because many applications do not have SELinux policies written for them and enforcing mode causes denial errors in applications that violate default policies, controls that disable USB and removable media when the server infrastructure has no removable media concern, and controls that implement very restrictive umask values (0027 or 0077) that break applications that create files expected to be group-readable. For a pragmatic Level 1 implementation, start by applying all Level 1 controls in a test environment that mirrors production, run your application workloads against the hardened environment, identify which controls cause failures, document exceptions with business justification, and apply the remainder to production.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

High-Value Level 1 Controls to Enforce First

Not all Level 1 controls carry equal security value. Prioritize the controls that either close high-probability exploitation paths or provide detection capability that helps you detect breaches early. SSH hardening is the highest-priority control category because SSH is the primary remote management interface for Linux servers and is the most commonly exploited entry point. The critical SSH settings are PermitRootLogin no (prevents direct root access via SSH), PasswordAuthentication no (requires key-based auth, eliminating password brute force), and specifying allowed ciphers (aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com), MACs (hmac-sha2-256, hmac-sha2-512), and KexAlgorithms (ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256) to eliminate weak cryptographic options. Filesystem mount options provide a no-cost hardening improvement for /tmp, /dev/shm, and /var/tmp. The noexec option prevents execution of binaries from these directories, disrupting a common attacker post-exploitation technique of writing a malicious binary to /tmp and executing it. The nosuid option prevents SUID bit execution from these mounts. The nodev option prevents device files from being created. These options are specified in /etc/fstab and have minimal functional impact for legitimate production workloads. Core dump restrictions via /etc/security/limits.conf (hard core 0 and soft core 0) and kernel.core_pattern sysctl settings prevent core dumps that might contain sensitive data including encryption keys and credentials from memory. ASLR (Address Space Layout Randomization) via kernel.randomize_va_space = 2 is on by default in most distributions but should be explicitly verified as part of the hardening baseline.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Controls That Break Web and Application Servers

Several CIS Level 1 controls cause predictable failures in web server and application server environments. Understanding these ahead of time prevents production incidents during hardening rollouts. The umask controls are the most commonly problematic. CIS recommends a default umask of 027 (files created as 640, directories as 750), compared to the typical default of 022 (files 644, directories 755). Many web server frameworks and application servers create temporary files, socket files, and PID files that need to be group-readable or world-readable for proper operation. Apache and Nginx create log files that monitoring agents (running as different users) need to read. If the umask change causes those files to be created as 640 without the monitoring agent's user in the file's group, monitoring breaks. The PAM pam_faillock controls for account lockout can lock out service accounts that are used for automated processes. Service accounts that authenticate via PAM for non-interactive processes can accumulate failed authentication attempts from process failures and trigger lockout, blocking the service entirely. Scope pam_faillock to interactive PAM services (sshd, login) rather than all PAM services. The CIS requirement to disable IPv6 if not in use causes failures in any application or service that has hardcoded IPv6 socket bindings. Many modern applications, including Java applications with default socket bindings, Redis with default configuration, and some database listeners, attempt to bind to IPv6 addresses by default. Disabling IPv6 at the kernel level causes these bindings to fail, preventing service startup. Audit IPv6 usage before disabling.

Controls That Break Databases

Database servers have specific interactions with CIS hardening controls that differ from web server interactions. The shared memory controls are the most significant for database servers. PostgreSQL uses POSIX shared memory for its shared buffer pool. The CIS control to restrict kernel.shmmax and kernel.shmall can set shared memory limits below what PostgreSQL requires for its configured shared_buffers size. PostgreSQL will fail to start with an error indicating insufficient shared memory if shmmax is set below the configured shared_buffers value. The resolution is to calculate the required shared memory based on PostgreSQL's configuration (shared_buffers + overhead) and set kernel.shmmax accordingly, rather than using the CIS recommended minimum value. MySQL and MariaDB use different shared memory mechanisms but have similar interactions with IPC-related kernel parameters. For Oracle databases, the requirements for semaphore parameters (kernel.sem) are documented in Oracle's installation guide and must be met for Oracle to function; the CIS recommended values for these parameters are typically lower than Oracle requires. The transparent huge page disablement recommended by CIS for performance-sensitive systems is actually also recommended by database vendors including MongoDB, Redis, and Oracle for their workloads, making this a case where the CIS recommendation and database vendor recommendation align. The nosuid mount option for /var (recommended in some CIS profiles) can cause failures for database services that install SUID binaries in /var paths, which is unusual but occurs in some database installation layouts.

auditd: The Rules That Matter for Detection

auditd is the Linux audit subsystem that records security-relevant events to a tamper-evident log. A hardened server without auditd configured provides compliance improvements but limited detection capability. auditd with the right rule set turns the hardened server into a detection system. The audit rules that provide the most detection value are: privileged command execution (rules using -a always,exit -F arch=b64 -F euid=0 -S execve for all commands executed as root), file attribute changes (rules watching /etc/passwd, /etc/shadow, /etc/sudoers, and /etc/sudoers.d/ for attribute changes using -w with the wa permission flags), network socket creation (rules using -a always,exit -F arch=b64 -S socket for socket() system calls, filtered to network socket families), sudo configuration modifications (watches on /etc/sudoers and /etc/sudoers.d/), and authentication events (pam module calls, su, sudo, ssh logins). The NSA/CISA recommended auditd rule set and the STIG auditd rules provide starting points for rule configuration that meet regulatory audit requirements. The auditd log must be forwarded to a SIEM to be useful. A local auditd log that an attacker can clear is a minimal detection improvement. Configure audispd or auditd's audisp-syslog plugin to forward events to syslog, then configure rsyslog or journald forwarding to your SIEM. auditd event volume can be high; configure rate limiting and prioritize forwarding based on rule severity to avoid SIEM ingestion cost issues.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

SSH Hardening in Detail

SSH configuration is the most impactful single control in Linux server hardening because SSH is the primary attack surface for remote exploitation and the primary tool for legitimate administration. A complete SSH hardening configuration addresses cryptographic settings, authentication settings, session settings, and access restrictions. For cryptographic settings in /etc/ssh/sshd_config, specify Ciphers as aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com to remove weak ciphers (arcfour, blowfish, 3des). Specify MACs as hmac-sha2-256,hmac-sha2-512 to remove MD5-based and truncated MACs. Specify KexAlgorithms as ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256 to remove diffie-hellman-group1-sha1 (Logjam-vulnerable). For authentication settings, PermitRootLogin no prevents direct root access. PasswordAuthentication no requires key authentication. PubkeyAuthentication yes enables key authentication. AuthorizedKeysFile specifies the file location for authorized keys, which should be restricted to user home directories. MaxAuthTries 4 limits failed authentication attempts before disconnection. For session settings, ClientAliveInterval 300 and ClientAliveCountMax 3 configure a 15-minute idle session timeout with three keepalive probes. LoginGraceTime 60 limits the authentication window to 60 seconds after connection. For access restrictions, AllowUsers or AllowGroups restricts SSH access to specific users or groups; this is the most effective control for limiting the blast radius of credential compromise. Banner /etc/issue.net provides a legal warning banner required by some compliance frameworks.

syslog and rsyslog: Getting Linux Events to Your SIEM

Linux audit events are only useful for detection if they reach your SIEM. The default auditd configuration writes events to /var/log/audit/audit.log, which is a local file. Local files can be cleared by an attacker with root access, and they are not searchable across your fleet without a centralized log management system. The standard integration path is: auditd writes events to audisp (the audit dispatcher), audisp-syslog forwards events to syslog (rsyslog or syslog-ng), and rsyslog forwards to the SIEM using TCP syslog with TLS or directly to a SIEM agent. Configure the audisp-syslog plugin by editing /etc/audisp/plugins.d/syslog.conf with active = yes. For rsyslog forwarding, add an action to forward all local6 (or the syslog facility your SIEM uses) traffic to the SIEM server with TCP and optional TLS wrapping. The forwarding configuration should ensure that log events are buffered and retried if the SIEM is temporarily unreachable, preventing log loss during network interruptions. Beyond audit events, configure rsyslog to forward authentication logs (/var/log/secure on RHEL, /var/log/auth.log on Ubuntu), system logs (/var/log/messages or /var/log/syslog), and cron logs. Kernel security events including SELinux denials are written to the audit log by default when SELinux is in enforcing mode, providing visibility into access control violations from the OS.

Ansible Role Structure for CIS Hardening at Scale

Managing CIS hardening across hundreds of servers without configuration management is not sustainable. Ansible provides the most widely adopted approach for Linux hardening at scale, with several community CIS benchmark roles available as starting points (dev-sec/ansible-collection-hardening and the official CIS hardening roles). An effective Ansible CIS hardening role structure includes a main role for the core hardening controls with tasks organized by CIS section number, a variables file (defaults/main.yml) that exposes boolean flags for each control so that exceptions can be configured per host or host group, a handlers directory for service restarts triggered by configuration changes, a templates directory for configuration file templates (sshd_config.j2, auditd.rules.j2, limits.conf.j2), and a separate compliance reporting playbook that runs OpenSCAP or Lynis and uploads the report to a centralized location. The variable override pattern is critical for managing exceptions. Each control should have a corresponding boolean variable (e.g., cis_ssh_permit_root_login: false) with a safe default value. Host groups for web servers can override cis_restrict_umask: false, while host groups for database servers can override cis_shmmax_restrict: false. This allows the same role to be applied across all servers while accommodating the known exceptions without modifying the role itself. The compliance reporting playbook should run weekly or after any role application and store results in a central location accessible to the security team, providing ongoing visibility into compliance drift.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Validation: OpenSCAP, Lynis, and CIS-CAT

Applying hardening controls is only half the work. Validating that controls are correctly implemented, that they have not drifted from the baseline, and that exceptions are documented requires ongoing compliance scanning. OpenSCAP is the open-source implementation of the SCAP (Security Content Automation Protocol) standard. It consumes XCCDF profiles that define compliance requirements and produces detailed pass/fail reports for each control. For RHEL-family systems, SCAP Security Guide (SSG) packages ship pre-configured XCCDF profiles that correspond to CIS benchmarks and STIG profiles. The command oscap xccdf eval --profile cis_server_l1 --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml generates a compliance report against the CIS Level 1 profile. Lynis is an alternative security auditing tool that scans the running system and generates a hardening index score with specific findings and recommendations. Lynis is particularly useful for initial baseline assessment because it works across Linux distributions without requiring profile-specific configuration. Run lynis audit system to generate a report. The hardening index (a score from 0-100) provides a high-level compliance metric that improves as hardening is applied. CIS-CAT Pro is the commercial tool from the Center for Internet Security that provides assessment against CIS Benchmarks and produces reports in machine-readable formats suitable for integration with GRC platforms. CIS-CAT Lite, the free version, supports a subset of benchmarks. The most important operational use of these tools is not the initial assessment but drift detection: running scans on a schedule and alerting when the compliance score drops below a threshold, indicating that configuration changes have reversed hardening controls.

The bottom line

Linux server hardening at scale is an Ansible problem more than it is a security knowledge problem. The CIS benchmarks define what to implement; the operational challenge is implementing it consistently across hundreds of servers with different workloads and maintaining that consistency as configurations drift over time. The practical sequence is: enumerate the server fleet and classify by workload type (web server, database, application server, management server), apply high-value universal controls (SSH hardening, filesystem mount options, auditd) across all types first, then work through the workload-specific controls with the known exceptions for databases and web servers documented as Ansible variable overrides, and finally implement ongoing compliance scanning via OpenSCAP or Lynis to detect drift. auditd configuration deserves specific emphasis: a hardened server without auditd forwarding to a SIEM provides hardening but not detection. Both are necessary for a complete security posture.

Frequently asked questions

What is the difference between CIS Level 1 and Level 2 for Linux servers?

CIS Level 1 controls are intended to be applicable to any production server without significantly impacting functionality. They cover the most critical hardening controls (SSH, filesystems, kernel parameters, logging) and should be applied to all servers as a baseline. Level 2 controls are appropriate for high-security environments and include controls like mandatory access control (SELinux enforcing mode), additional audit rules, and more restrictive mount options that may require application-specific testing and exceptions. For most production environments, Level 1 full compliance is the target, with Level 2 applied to the highest-sensitivity systems after workload-specific testing.

Which CIS controls break PostgreSQL and MySQL databases?

The shared memory controls (kernel.shmmax, kernel.shmall) are the most common database-breaking CIS controls. PostgreSQL requires shared memory allocation matching its shared_buffers configuration (e.g., 8GB of shared_buffers requires at least 8GB of shmmax). Setting shmmax to the CIS minimum will prevent PostgreSQL from starting. For MySQL and MariaDB, IPC semaphore parameters (kernel.sem) set to CIS minimums can also cause issues. The fix is to calculate the required values from your database configuration and use those as Ansible variable overrides in your hardening role rather than the CIS recommended minimums.

How do I set up auditd to detect privilege escalation on Linux servers?

Create audit rules that watch for the specific actions associated with privilege escalation: modifications to /etc/sudoers and /etc/sudoers.d/ (rule: -w /etc/sudoers -p wa), changes to /etc/passwd and /etc/shadow (-w /etc/passwd -p wa), all commands executed as root (-a always,exit -F arch=b64 -F euid=0 -S execve), and use of su and sudo commands (-w /usr/bin/sudo -p x). Configure audisp-syslog to forward all audit events to syslog, then configure rsyslog to forward to your SIEM. Set up SIEM alerts for modification events on the credential files and for unexpected sudo usage patterns.

How should I handle SSH hardening when servers use password authentication for legacy systems?

Migrate legacy password-authenticated systems to key-based authentication before disabling PasswordAuthentication. The migration process: generate SSH key pairs for all admin users, distribute public keys to authorized_keys on target servers, test key-based authentication works for all accounts, then disable PasswordAuthentication. If a specific subset of servers cannot migrate to key-based auth due to application constraints, create a separate SSH daemon configuration (Match blocks in sshd_config or a secondary sshd instance on a non-standard port) that enables password authentication only for specific source IPs or user accounts, rather than enabling it globally.

What Ansible roles are available for CIS Linux hardening?

The dev-sec/ansible-collection-hardening collection (available on Ansible Galaxy) is the most widely used open-source CIS hardening role. It covers OS hardening, SSH hardening, and MySQL hardening with configurable variable overrides for exceptions. The collection supports both RHEL-family and Debian-family distributions. For enterprises with CIS SecureSuite membership, CIS provides official Ansible roles that map directly to benchmark controls with documented variable names matching CIS recommendation IDs. Both options require customization via variable overrides for workload-specific exceptions; review the defaults/main.yml file in whichever role you use to understand the available tuning parameters before your first deployment.

Sources & references

  1. CIS Benchmarks for Linux: RHEL 9 and Ubuntu 22.04
  2. NIST SP 800-123: Guide to General Server Security
  3. RedHat Security Hardening Guide for RHEL 9
  4. Lynis Security Auditing Tool Documentation
  5. OpenSCAP Security Compliance Scanning Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.