🛡️ Host Security Hardening Playbook (SOP)

Classification: Internal / Restricted
Target OS: Fedora Linux (Workstation/Server)
Author: Youssef Khafaja (0xAlphaDark)
Version: 1.1.0


⚠️ Disclaimer

This guide focuses on maximum security posture, sometimes at the cost of usability and convenience.

Apply changes gradually and always test on non-production systems first.
Some configurations may break VPNs, containers, development tools, or local services.


🎯 Target Audience

  • Linux Power Users

  • Security Researchers

  • SysAdmins / DevSecOps Engineers

  • Privacy-Oriented Professionals

This playbook is not intended for casual desktop users.


1. Executive Summary & Threat Model

This procedure establishes a “Defense in Depth” posture for high-value workstations. It assumes the network perimeter is compromised and focuses on host-level resilience.

Threat Model:

  1. Network Intrusion: Unwanted services listening on 0.0.0.0.
  2. Local Privilege Escalation (LPE): Exploiting SUIDs, Kernel bugs, or misconfigurations.
  3. Mandatory Access Control: Preventing root-level damage via SELinux.
  4. Persistence: Malware hiding in user-space (~/.config), systemd units, or cron.
  5. Physical Access: “Evil Maid” and BadUSB attacks.

2. Phase I: The Foundation (SELinux & Firewall)

Objective: Establish the primary containment and perimeter layers.

2.1. SELinux Enforcement (Non-Negotiable)

Fedora’s strongest shield. Even if a service is compromised, SELinux contains the damage.

sestatus | grep -i mode
# Must show: enforcing

If disabled:

sudo nano /etc/selinux/config
# Set: SELINUX=enforcing
sudo touch /.autorelabel
sudo reboot

2.2. Zone-Based Firewalling

Default firewalld configurations are often too permissive. We shift to a “Deny All” strategy.

⚠️ Warning: May disrupt networking, containers, or VPNs.

sudo firewall-cmd --set-default-zone=drop

Alternative (logs dropped packets):

sudo firewall-cmd --set-default-zone=block

Allow essential services:

sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-all

3. Phase II: Attack Surface Reduction

Objective: Minimize entry points by disabling unnecessary services and protocols.

3.1. Audit Listening Ports

Identify all “noisy” services listening on interfaces.

# -t (tcp), -u (udp), -l (listening), -p (owning process), -n (numeric ports)
sudo ss -tulpn
  • Target State: Clean output. No service should listen on 0.0.0.0 unless explicitly authorized.

3.2. Disable Legacy & Discovery Protocols

Services like wsdd (Windows Discovery) and avahi (mDNS) are noisy and expand the attack surface.

# Stop, Disable, and Mask services to prevent dependency activation
sudo systemctl stop wsdd avahi-daemon cups
sudo systemctl disable wsdd avahi-daemon cups
sudo systemctl mask wsdd avahi-daemon cups

3.3. Harden systemd-resolved

Prevent local spoofing/poisoning attacks (LLMNR/mDNS).

Action: Edit /etc/systemd/resolved.conf:

[Resolve]
LLMNR=no
MulticastDNS=no
DNSOverTLS=yes
# Warning: strict DNSSEC may cause resolution failures on some ISPs.
# (systemd config files accept only full-line comments; a trailing comment on the
#  DNSSEC= line would be parsed as part of the value and rejected.)
DNSSEC=yes

⚠️ May break some captive portals.

Apply:

sudo systemctl restart systemd-resolved

3.4. SSH Hardening (If Service is Required)

If sshd is necessary, ensure it adheres to strict auth standards.

Action: Edit /etc/ssh/sshd_config:

PermitRootLogin no          # Never allow root login directly
PasswordAuthentication no   # Keys ONLY
X11Forwarding no            # Prevent GUI isolation bypass
Banner none                 # No pre-auth banner ("none" is the keyword; "no" would be read as a file path)

Reload:

sudo systemctl reload sshd

4. Phase III: System Integrity & Permissions

Objective: Detect previous tampering and lock down user/system boundaries.

4.1. RPM Integrity Verification (The “Gold” Check)

Leverage the immutable package database to detect modified binaries.

# Verify every installed package (-V = verify, -a = all packages)
# Each line is 9 attribute flags, a file-type letter ('c' = config file), then the path;
# config files are expected to change, so they are filtered out
sudo rpm -Va | grep -Ev '^.{9} +c '
  • Critical Alerts: Look for 5 (MD5/Digest mismatch) on /bin/*, /sbin/*, or /usr/lib/*.
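The "critical alerts" rule above, carried further as an added shell example (not the playbook's own code): it parses rpm -Va lines, drops config files and missing entries, and reports only digest mismatches under the system binary and library directories, including their /usr counterparts (on Fedora /bin is a symlink to /usr/bin, so rpm reports /usr paths). The sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the playbook): reduce "rpm -Va" output to the critical alerts the
# playbook describes: digest mismatches (flag 5) on non-config files under system paths.
# Lines look like "S.5....T.  c /etc/x" (9 flags, type letter, path) or "missing     /path".

# Reads rpm -Va output on stdin, prints "ALERT <path>" per hit. Covers /bin, /sbin, /lib, /lib64
# and their /usr counterparts.
rpm_critical_alerts() {
    awk '
        /^missing/ { next }                 # absent files are a separate investigation
        NF == 3 && $2 == "c" { next }       # config files are expected to change
        substr($1, 3, 1) == "5" && $NF ~ /^\/(usr\/)?(s?bin|lib(64)?)\// { print "ALERT " $NF }'
}

# Constructed sample output (not captured from a real system) for a dry run.
rpm_sample_output() {
    printf '%s\n' \
        'S.5....T.  c /etc/ssh/sshd_config' \
        '.M.......    /usr/bin/ping' \
        'S.5....T.    /usr/bin/sudo' \
        'S.5....T.  d /usr/share/doc/bash/README' \
        'missing     /usr/lib64/libfoo.so.1' \
        'S.5....T.    /usr/lib64/libcrypto.so.3'
}

# Dry run on the sample; pass --live to verify the real package database (slow, needs root).
if [ "${1:-}" = "--live" ]; then
    rpm -Va 2>/dev/null | rpm_critical_alerts
else
    rpm_sample_output | rpm_critical_alerts
fi
```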

4.2. SUID/SGID Audit

Find executables that run with Root privileges regardless of the user.

# Find files owned by root with SUID bit set
sudo find / -user root -perm -4000 -print 2>/dev/null
  • Analysis: Verify that no unexpected binaries (e.g., python, vim, find) appear here; these are GTFOBins vectors.
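The audit above as an added shell example (not the playbook's own code): it snapshots SUID and SGID files (the section title promises both; the command above only covers SUID), compares later runs against a baseline taken on a trusted system, and flags the basenames the playbook calls out. The watch list and sample listings are constructed.

```sh
#!/bin/sh
# Added example (not from the playbook): baseline SUID/SGID binaries once on a trusted system,
# report additions/removals on later runs, and flag names the playbook calls out as vectors.

# Sorted SUID (-4000) and SGID (-2000) listing; -xdev stays on the local filesystem,
# LC_ALL=C gives the byte order comm(1) expects.
suid_snapshot() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Reads a sorted current listing on stdin and compares it with the sorted baseline file in $1.
# comm -3 prints current-only lines bare and baseline-only lines after a tab.
suid_drift() {
    LC_ALL=C comm -3 - "$1" | awk -F'\t' '$1 != "" { print "NEW " $1 } $1 == "" { print "GONE " $2 }'
}

# Flags basenames from the playbook's GTFOBins note (python, vim, find) plus perl and bash.
# Constructed watch list; extend as needed. Third split() argument needed because FS is "/".
suid_flag_risky() {
    awk -F/ 'BEGIN { n = split("python python3 perl vim vi find bash", w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
             ($NF in risky) { print "RISKY " $0 }'
}

# Constructed sample listings (not from a real host), already in C-locale sort order.
suid_sample_baseline() { printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo; }
suid_sample_current()  { printf '%s\n' /usr/bin/find /usr/bin/passwd /usr/bin/sudo; }

# Dry run on the sample; "--live BASELINE" compares the real system with a baseline saved
# earlier via "suid_snapshot > BASELINE" (hypothetical path chosen by the operator).
if [ "${1:-}" = "--live" ]; then
    cur=$(mktemp); suid_snapshot > "$cur"
    suid_drift "${2:?baseline file required}" < "$cur"; suid_flag_risky < "$cur"; rm -f "$cur"
else
    base=$(mktemp); suid_sample_baseline > "$base"
    suid_sample_current | suid_drift "$base"
    suid_sample_current | suid_flag_risky
    rm -f "$base"
fi
```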

4.3. Filesystem Permissions & Umask

Restrict visibility of user data and ensure new files are private by default.

# 1. Lockdown Home Directory (Prevent other users from peeking)
sudo chmod 700 /home/alpha

# 2. Set strict umask in /etc/profile or ~/.bashrc
# Default is usually 022 (readable by others). 077 makes files private to owner.
umask 077

5. Phase IV: Kernel & Filesystem Hardening

Objective: Configure the kernel to be “Paranoid” and restrict mount points.

5.1. Sysctl Hardening

Action: Create /etc/sysctl.d/99-security-hardening.conf:

# --- Kernel Self-Protection ---
# sysctl.d(5) documents only full-line comments, so each note sits above its key
# Hide kernel pointers (prevents address leaks)
kernel.kptr_restrict = 2
# Restrict dmesg buffer to root
kernel.dmesg_restrict = 1
# Restrict ptrace to descendants (anti-debugging)
kernel.yama.ptrace_scope = 1
# Full ASLR
kernel.randomize_va_space = 2
# Harden BPF JIT compiler against spraying
net.core.bpf_jit_harden = 2

# --- Filesystem Protection ---
# Prevent hardlink TOCTOU attacks
fs.protected_hardlinks = 1
# Prevent symlink TOCTOU attacks
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2

# --- Network Hardening ---
# Ignore ICMP redirects (MITM prevention)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
# Log packets with impossible addresses
net.ipv4.conf.all.log_martians = 1

Apply:

sudo sysctl --system
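Applying the file once is not the same as keeping it applied; as an added shell example (not the playbook's own code), this check reads the hardening file and compares each key with the running kernel, reporting drift. The sample config and the fake reader used for the dry run are constructed; the `--live` path uses sysctl -n.

```sh
# Added example (not from the playbook): confirm the running kernel still carries the values
# from a sysctl.d hardening file, so drift from a later package, script or reboot is noticed.
# Expected "key=value" pairs: comments, blank lines and whitespace removed. Single-value keys
# only, like the playbook's file (multi-value keys such as kernel.printk would need the spaces).
sysctl_expected() {
    sed -e 's/[#;].*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}
# Default reader for live values; the dry run below substitutes a fake one.
sysctl_live() { sysctl -n "$1" 2>/dev/null; }
# $1 = config file, $2 = reader function (default sysctl_live).
# Prints "OK key" or "DRIFT key expected=X actual=Y", one line per key in the file.
sysctl_drift() {
    reader="${2:-sysctl_live}"
    sysctl_expected "$1" | while IFS='=' read -r key want; do
        have=$("$reader" "$key") || have='<unreadable>'
        if [ "$have" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done
}
# Constructed sample: a subset of the playbook's file, and a fake reader standing in for a
# host on which kernel.dmesg_restrict has been reset to 0.
sysctl_sample_conf() {
    cat <<'EOF'
# --- Kernel Self-Protection ---
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.protected_symlinks = 1
EOF
}
fake_reader() {
    case "$1" in
        kernel.kptr_restrict) echo 2 ;;
        kernel.dmesg_restrict) echo 0 ;;
        fs.protected_symlinks) echo 1 ;;
        *) return 1 ;;
    esac
}
# Dry run on the sample; pass --live to check the real hardening file against the running kernel.
if [ "${1:-}" = "--live" ]; then
    sysctl_drift /etc/sysctl.d/99-security-hardening.conf
else
    conf=$(mktemp); sysctl_sample_conf > "$conf"
    sysctl_drift "$conf" fake_reader
    rm -f "$conf"
fi
```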

5.2. Secure Mount Options

Prevent execution of binaries from temporary directories.

Action: Update /etc/fstab for /tmp (and /home if separate partition).

  • Add flags: nodev, nosuid, noexec (for /tmp).

  • Note: noexec on /tmp may break some scripts; test accordingly.

  • ⚠️ May affect pip/npm/rustup installers.


6. Phase V: Persistence Hunting

Objective: Detect malware surviving reboots in User Space.

XDG Autostart:

ls ~/.config/autostart/
ls /etc/xdg/autostart/

Systemd User Units:

systemctl --user list-unit-files | grep enabled

Shell Hooks:

grep -E "alias|export" ~/.bashrc ~/.zshrc ~/.profile

Cron & Timers:

crontab -l
systemctl list-timers --all

7. Phase VI: Logging & Detection (Auditd)

Objective: Establish visibility on “Who executed What”.

Action: Add to /etc/audit/rules.d/audit.rules:

## -- Execution Monitoring --
# Log all command executions (64-bit and 32-bit)
-a always,exit -F arch=b64 -S execve -k command_execution
-a always,exit -F arch=b32 -S execve -k command_execution

## -- Identity & Priv Escalation --
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k priv_esc

Restart:

# auditd refuses stop/restart through systemctl (RefuseManualStop); the legacy service
# action restarts it and loads the rules.d files via augenrules
sudo service auditd restart
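What the command_execution rules give you in practice, as an added shell example (not the playbook's own code): it joins each SYSCALL record with its EXECVE record by audit event id and then picks out commands that ran as root from a user's login session. The audit records are constructed, trimmed to the fields parsed here.

```sh
# Added example (not from the playbook): summarise the command_execution records the rules above
# produce, then list commands that ran as root from a user's login session (auid set, euid=0).
# Reads raw audit.log records on stdin; joins each SYSCALL record keyed command_execution with
# the EXECVE record sharing its audit(ts:serial) id. Quoted args only; hex-encoded args stay as-is.
audit_exec_summary() {
    awk '
    function field(s, name,    m) {          # value of " name=..." in s, quotes stripped
        if (!match(s, " " name "=[^ ]*")) return ""
        m = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", m); return m
    }
    function event_id(s,    p) { split(s, p, /[()]/); return p[2] }   # "msg=audit(ts:serial):"
    /^type=SYSCALL / && /key="command_execution"/ {
        id = event_id($2)
        info[id] = "auid=" field($0, "auid") " uid=" field($0, "uid") " euid=" field($0, "euid") " exe=" field($0, "exe")
    }
    /^type=EXECVE / {
        id = event_id($2); argv = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^argc=/) continue
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            argv = argv (argv == "" ? "" : " ") v
        }
        args[id] = argv
    }
    END { for (id in info) print id " " info[id] " argv=" args[id] }' | sort
}
# Keeps summary lines where euid=0 but the login uid is a real user: sudo/su use, not daemons.
# auid=4294967295 means "unset" (system services, timers) and is excluded.
audit_root_by_user() {
    awk '/ euid=0 / && !/ auid=0 / && !/ auid=4294967295 /'
}
# Constructed sample records (not captured from a real host); fields trimmed to those parsed here.
audit_sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="command_execution"
type=EXECVE msg=audit(1700000000.123:4242): argc=3 a0="curl" a1="-s" a2="https://example.test/"
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="command_execution"
type=EXECVE msg=audit(1700000000.456:4243): argc=2 a0="vim" a1="/etc/sudoers"
type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 comm="dnf" exe="/usr/bin/dnf" key="command_execution"
type=EXECVE msg=audit(1700000000.789:4244): argc=2 a0="dnf" a1="makecache"
type=SYSCALL msg=audit(1700000001.000:4245): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="priv_esc"
EOF
}
# Dry run on the sample; on a real host run: audit_exec_summary < /var/log/audit/audit.log (as root)
audit_sample_log | audit_exec_summary | audit_root_by_user
```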

8. Phase VII: Physical Security & Supply Chain

Objective: Hardware-level security and isolation.

8.1. USBGuard (Anti-BadUSB)

Prevent unauthorized USB devices from connecting while the screen is locked or if the device is unknown.

sudo dnf install usbguard
# Generate initial policy allowing current devices.
# The redirect must run as root as well: "sudo usbguard generate-policy > /etc/usbguard/rules.conf"
# would open the file as the unprivileged user and fail with "Permission denied".
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo systemctl enable --now usbguard

8.2. Rootless Containers

Ensure Podman runs without root privileges to contain container breakouts.

podman info | grep "rootless: true"

8.3. Secure Boot

mokutil --sb-state
# Verify Secure Boot is enabled to protect the boot chain.

9. Phase VIII: Disk Encryption

Verify LUKS:

lsblk -f

Ensure root and home partitions are encrypted.


10. Phase IX: Backup & Recovery

Security without recovery is incomplete.

Recommended tools:

  • BorgBackup

  • Restic

  • Timeshift (Desktop)

Ensure backups are encrypted and offline-capable.


11. Maintenance Routine

Weekly

sudo dnf update --security
sudo rpm -Va | grep -v ' c '
sudo journalctl -p err -b

Monthly

  • Review firewall rules

  • Audit USBGuard policies

  • Check firmware updates


12. Closing Notes

This baseline reflects real-world defensive practices used in hardened Linux environments. It prioritizes isolation, visibility, and recovery over convenience.

Harden deliberately. Monitor continuously. Recover reliably.

End of SOP.

Secure your shell, 0xAlphaDark.