
Hardening Linux with CIS Benchmarks

By Admin · Feb 25, 2026 · Updated Apr 23, 2026

What are CIS Benchmarks?

The Center for Internet Security (CIS) publishes consensus-developed hardening guides, the CIS Benchmarks, for operating systems including the major Linux distributions. Each recommendation carries a rationale, an audit procedure and a remediation, and is assigned to Level 1 (a low-impact baseline) or Level 2 (defence in depth, which may reduce functionality). The snippets below cover a handful of the Level 1 items; the benchmark for your distribution is the authoritative list.

Key Recommendations

Filesystem

# Disable unused filesystems. "install MOD /bin/false" makes modprobe run /bin/false
# instead of loading the module; "blacklist MOD" also stops alias-based auto-loading
# (current CIS benchmarks ask for both). Unload with `sudo modprobe -r MOD` afterwards.
# Caveat: snapd mounts snaps from squashfs images, so keep squashfs on hosts that use snap.
printf 'install cramfs /bin/false\nblacklist cramfs\n'     | sudo tee /etc/modprobe.d/cramfs.conf
printf 'install squashfs /bin/false\nblacklist squashfs\n' | sudo tee /etc/modprobe.d/squashfs.conf
printf 'install udf /bin/false\nblacklist udf\n'           | sudo tee /etc/modprobe.d/udf.conf

Network

# Put these in a drop-in such as /etc/sysctl.d/60-cis.conf and apply with
# `sudo sysctl --system`. Set the "default" keys as well, otherwise interfaces
# created later (containers, VPN tunnels) come up with the kernel defaults.

# Disable IP forwarding (unless this host routes: container hosts, VPN gateways;
# note that Docker switches ip_forward back on when it starts)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable ICMP redirects (accepting them lets a neighbour rewrite this host's routes)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Enable SYN cookies (keeps the listen queue usable during a SYN flood)
net.ipv4.tcp_syncookies = 1

# Log martian packets (source addresses that cannot legitimately arrive on that interface)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Authentication

# Password aging (/etc/login.defs). These values apply only to accounts created
# afterwards; existing accounts keep their own settings until changed with chage,
# e.g. `sudo chage --maxdays 90 --mindays 7 --warndays 14 alice` (verify with `chage -l alice`).
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14

# Lockout after failed attempts (/etc/security/faillock.conf). This file has no
# effect unless pam_faillock.so is in the PAM stack: check /etc/pam.d/common-auth
# (Debian/Ubuntu) or /etc/pam.d/system-auth (RHEL-family, where
# `sudo authselect enable-feature with-faillock` adds it).
deny = 5
unlock_time = 900

Auditing

sudo apt install -y auditd            # RHEL-family: sudo dnf install -y audit
sudo systemctl enable --now auditd

# Monitor sensitive files (-p wa: writes and attribute changes; -k: tag for `ausearch -k`)
sudo auditctl -w /etc/passwd -p wa -k identity
sudo auditctl -w /etc/shadow -p wa -k identity
sudo auditctl -w /etc/sudoers -p wa -k sudo_changes

# Rules loaded with auditctl do not survive a reboot; persist them and reload
printf '%s\n' '-w /etc/passwd -p wa -k identity' '-w /etc/shadow -p wa -k identity' \
  '-w /etc/sudoers -p wa -k sudo_changes' | sudo tee /etc/audit/rules.d/50-identity.rules
sudo augenrules --load && sudo auditctl -l      # rebuild audit.rules and list the active set
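
Watching the files is only half of the job; someone has to read what the watches produce. The parser below is an added example, not part of this page or of the audit userspace tools. It turns the raw records that the rules above write to /var/log/audit/audit.log (the same format `ausearch -k identity --raw` emits) into one line per event, joining each SYSCALL record to its PATH records through the `msg=audit(epoch:serial)` pair that every record of an event shares. The sample log is constructed for the example, not a real capture; it models a `vipw` edit of /etc/shadow, a `visudo` rename onto /etc/sudoers, and an untagged event that another rule might have produced.

```shell
#!/bin/sh
# identity_changes KEY [FILE]: one line per audit event tagged with KEY (the -k
# label from the rules above), in log order:
#   <epoch.ms> <auid> <comm> <exe> <success> <paths>
# Reads FILE, or stdin when FILE is omitted. auid is the login uid, which survives
# su and sudo; uid is root after sudo, so auid is what attributes the change.
identity_changes() {
    awk -v want="$1" '
    # field(nm): value of " nm=value" or " nm=\"value\"" in the current record.
    # The leading space stops pid= from matching inside ppid=. Values that audit
    # hex-encodes (names with spaces or control characters) come back unquoted.
    function field(nm,   q) {
        q = " " nm "=\""
        if (match($0, q "[^\"]*\"")) return substr($0, RSTART + length(q), RLENGTH - length(q) - 1)
        if (match($0, " " nm "=[^ ]*")) return substr($0, RSTART + length(nm) + 2, RLENGTH - length(nm) - 2)
        return ""
    }
    { id = "" }
    # msg=audit(<epoch>:<serial>) ties the SYSCALL record to the PATH records
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) { id = substr($0, RSTART + 10, RLENGTH - 11) }
    $1 == "type=SYSCALL" && field("key") == want {
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        ts[id] = substr(id, 1, index(id, ":") - 1)
        auid[id] = field("auid"); comm[id] = field("comm")
        exe[id] = field("exe");   ok[id] = field("success")
    }
    # PATH records: skip the parent-directory entries, keep the files touched
    $1 == "type=PATH" && (id in seen) && field("nametype") != "PARENT" {
        f = field("name")
        if (f != "") paths[id] = (paths[id] == "" ? f : (paths[id] "," f))
    }
    END { for (i = 1; i <= n; i++) { id = order[i]; print ts[id], auid[id], comm[id], exe[id], ok[id], paths[id] } }
    ' ${2:+"$2"}
}

# Constructed sample in audit.log format (not a real capture).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1714000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=241 a3=1b6 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="identity"
type=CWD msg=audit(1714000000.123:4567): cwd="/root"
type=PATH msg=audit(1714000000.123:4567): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714000000.123:4567): item=1 name="/etc/shadow" inode=131079 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1714000100.456:4570): arch=c000003e syscall=82 success=yes exit=0 a0=55e0 a1=55f0 a2=0 a3=0 items=4 ppid=1300 pid=1301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="visudo" exe="/usr/sbin/visudo" key="sudo_changes"
type=PATH msg=audit(1714000100.456:4570): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714000100.456:4570): item=1 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714000100.456:4570): item=2 name="/etc/sudoers.tmp" inode=131090 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714000100.456:4570): item=3 name="/etc/sudoers" inode=131090 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1714000200.789:4580): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600 a2=0 a3=0 items=1 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1714000200.789:4580): item=0 name="/etc/hostname" inode=131100 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# Demo on the constructed sample; on a live host use
#   sudo ausearch -k identity --raw | identity_changes identity
sample_audit_log | identity_changes identity
```

The visudo event shows why the watch on /etc/sudoers still fires for editors that write a temporary file and rename it into place: the rename touches the watched path, and the PATH records carry both the old and the new name. Feed the output to `sort -k2,2` or `cut -d' ' -f2 | sort | uniq -c` to see which login accounts are changing identity files.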
