Working on putting a hardening reference together and would love to get an idea of some of your "best practices" for locking down a Linux system confidently. What Do's and Don'ts do you subscribe to when it comes to locking your machines down after a fresh OS install? Lynis, Tripwire, Samhain, Suricata... any favorites worth exploring? Prefer one program over another?
grsecurity, set up iptables (or use UFW), LUKS (disk encryption), mandatory access control at least for the web browser (AppArmor, RBAC, TOMOYO, SELinux), firejail (for the web browser and other network-facing apps), KVM (only VM option that works with grsecurity) with Whonix (for Tor), and try to build it as light as possible (less code, less holes). I don't use intrusion detection since I'm usually behind a router...
1. Zero-fill
2. Cryptsetup/LUKS on LVM
3. System install
4. Backup of GPT/MBR, boot sectors, etc.
5. rkhunter install
6. rkhunter --propupd
7. Firewall config
8. General programs install
9. firejail everything
10. grsec compile and install
11. reboot

And only then I can use my computer without worries.
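The two replies above both end with a sequence of steps, but neither says how to confirm that the steps actually took effect once the machine reboots. What follows is an added example, not code from either poster: a small POSIX sh audit that checks three of the listed items (root filesystem on a LUKS mapping, firewall INPUT policy set to DROP, browser launched through firejail). It assumes a GNU/Linux box with lsblk -P, iptables -S and a firecfg-style symlink layout (/usr/local/bin/firefox -> /usr/bin/firejail); the command outputs embedded below are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# Post-install hardening audit. Each check takes captured command output (or a
# path) as its argument, so it runs against constructed samples offline and
# against the live system as root:
#   run_audit "$(lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME)" "$(iptables -S)" "$(command -v firefox)"

# 1. Root filesystem sits on top of a dm-crypt (LUKS) mapping.
#    Walks PKNAME parents from the device mounted at "/", so LVM-on-LUKS passes
#    and a plain partition fails. Input is `lsblk -P` KEY="value" output.
root_is_encrypted() {
    printf '%s\n' "$1" | awk '
        function val(key,    i, kv) {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) { gsub(/"/, "", kv[2]); return kv[2] }
            }
            return ""
        }
        {
            name = val("NAME")
            kind[name] = val("TYPE")
            parent[name] = val("PKNAME")
            if (val("MOUNTPOINT") == "/") root = name
        }
        END {
            for (d = root; d != ""; d = parent[d])
                if (kind[d] == "crypt") exit 0
            exit 1
        }'
}

# 2. Default INPUT policy is DROP. Input is `iptables -S` output; the -P line
#    carries the chain policy, every other line is an individual rule.
input_policy_is_drop() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        END { exit (policy != "DROP") }'
}

# 3. The browser command is a symlink to firejail, the layout firecfg creates.
#    Argument is the path `command -v firefox` returns.
wrapped_by_firejail() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "firejail" ]
}

# Runs all three, prints one PASS/FAIL line each, returns the number of failures.
run_audit() {
    failures=0
    root_is_encrypted "$1"    && echo "PASS root on LUKS"        || { echo "FAIL root on LUKS";        failures=$((failures + 1)); }
    input_policy_is_drop "$2" && echo "PASS INPUT policy DROP"   || { echo "FAIL INPUT policy DROP";   failures=$((failures + 1)); }
    wrapped_by_firejail "$3"  && echo "PASS browser in firejail" || { echo "FAIL browser in firejail"; failures=$((failures + 1)); }
    return $failures
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_LSBLK_LUKS='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"'

SAMPLE_LSBLK_PLAIN='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

SAMPLE_IPTABLES_DROP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

SAMPLE_IPTABLES_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Demo on the constructed samples; the browser path here is not a firejail
# symlink, so that check is expected to report FAIL.
run_audit "$SAMPLE_LSBLK_LUKS" "$SAMPLE_IPTABLES_DROP" /usr/bin/firefox || echo "$? check(s) failed"
```

The point of keeping each check a pure function of its input is that the same script doubles as a regression test for the hardening reference: capture the outputs from a known-good build once, and re-run the audit after every package upgrade or kernel rebuild to see whether something (a distro firewall service resetting the INPUT policy, a browser update replacing the firecfg symlink) quietly undid a step.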
Great, thanks! Could I trouble you for your insight over in this thread? I'm hoping to have a reference together by EOY and would be in your debt for any help you might offer.