by INTPenis 593 days ago
I just heard about this tool but someone else said it simply enumerates defaults already present in most distros.

I can tell you one thing that makes real changes to RHEL at least: CIS Benchmark. It hardens your system by tightening up file permissions, user logins, disables old protocols, sets partition flags and more.

But the best hardening imho doesn't follow any set standard, rather application dependent isolation using containers and MACs like SELinux and MCS (multi-category security).

https://docs.redhat.com/en/documentation/red_hat_enterprise_...

2 comments

That is also why Lynis does not follow a specific set, but applies generic principles from multiple sources. Yes, some of the items may be default (now) in Linux distributions, but often they still aren't. For example, most systemd services definitely can use more strict defaults. The distribution is typically not making the changes, to avoid breaking things for the end-user. This is where Lynis comes in, being independent of any big commercial organization (yes, looking at you Red Hat). While working on Lynis for 17 years now, I can say some things definitely improved in Linux distributions, but there are still so many things that could be much better secured out-of-the-box.
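As an added illustration of the "stricter systemd defaults" point above (not code from Lynis or from the commenter), here is a drop-in override for a hypothetical `example-web.service` that keeps the distribution's unit file untouched while applying the sandboxing directives systemd already supports; the service name and the `/var/lib/example-web` state path are assumptions.

```ini
# /etc/systemd/system/example-web.service.d/hardening.conf
# Added example: a hardening drop-in for a hypothetical "example-web" service.
# Apply with: systemctl daemon-reload && systemctl restart example-web.service
# Check the resulting exposure score with: systemd-analyze security example-web.service
[Service]
# Whole filesystem read-only except /dev, /proc, /sys; grant write access explicitly.
ProtectSystem=strict
ReadWritePaths=/var/lib/example-web
# Hide /home, /root and /run/user; give the service a private /tmp and /dev.
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Block privilege escalation via setuid/setgid/capabilities after exec.
NoNewPrivileges=yes
# Only the capability a web server needs to bind a port below 1024.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Kernel surface: no sysctl writes, module loading, cgroup changes or clock/hostname changes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Hide other processes in /proc and restrict it to process entries only.
ProtectProc=invisible
ProcSubset=pid
# Only the socket families a network daemon needs; no new namespaces.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
# Misc. hardening: no exec-after-write memory, no personality changes, no realtime scheduling.
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
# Seccomp: allow the generic service syscall set on the native ABI only.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
# New files are private to the service user by default.
UMask=0077
```

Add directives one group at a time and watch the service log: a daemon that writes outside `ReadWritePaths` or needs an extra syscall fails loudly under `ProtectSystem=strict` and the seccomp filter, which is exactly the breakage the distributions avoid by shipping loose defaults.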
CIS itself may have good ideas, but the implementation is mostly bullshit. Compare the actual differences between a CIS Ubuntu docker image and a plain one. There are 3 valid changes you can do by hand and the rest is snake oil that makes the image larger as a bonus.
I wouldn't say it's mostly BS, it's mostly common sense stuff that distros should have done already.

I don't know about the Ubuntu CIS image but I had to go through the whole CIS PDF for a job once, and implement it all with Ansible on RHEL. I can guarantee that it makes useful changes, and it truly makes a difference to how you use the system.

But in general this type of hardening is mostly used to fulfill some contract, and it's designed around how Linux was used 20 years ago.

My personal preference is to 1) treat Linux servers as appliances and stop letting people log in, 2) use containers, MACs, MCS and other such isolation tailored for specific services, 3) network ACLs and segmentation up the wazoo, 4) MFA access control and 5) encrypt all the things.