OS Notes
Operating system security best practices — system hardening techniques, patch management, network security, audit logging, backup strategies, and building defense-in-depth architectures.
Introduction
OS hardening is the process of reducing a system's attack surface by removing unnecessary software, disabling unused services, applying restrictive configurations, and implementing monitoring. A default OS installation is designed for convenience and compatibility — not security. Hardening transforms it into a system that resists attacks even when individual vulnerabilities are discovered.
The principle is simple: every service running is a potential entry point, every user account is a potential target, and every open port is a potential doorway for attackers. Remove what you do not need, restrict what remains, and monitor everything.
Principle: Defense in Depth
No single security measure is perfect. Build layers:
| Layer 1 | Physical Security (locked server room, badge access) |
| Layer 2 | Network Perimeter (firewall, IDS/IPS) |
| Layer 3 | OS Hardening (patching, minimal services, strong configuration) |
| Layer 4 | Application Security (input validation, secure coding) |
| Layer 5 | Data Protection (encryption, access controls, backups) |
| Layer 6 | Monitoring & Response (logging, alerting, incident response) |
If an attacker breaches one layer, subsequent layers still provide protection.
System Hardening Checklist
1. Minimize Installed Software
# Remove unnecessary packages
apt list --installed | wc -l # How many packages?
apt remove --purge telnet rsh ftp # Remove insecure legacy tools
# Disable unused services
systemctl list-unit-files --type=service --state=enabled
systemctl disable cups # No printing needed? Disable it
systemctl disable avahi-daemon # mDNS not needed on server
systemctl disable bluetooth # No Bluetooth on serverRule: If you cannot explain why a service is running, disable it.
2. Keep Systems Patched
Unpatched vulnerabilities are the number one attack vector. Most breaches exploit known vulnerabilities with available patches.
# Enable automatic security updates (Debian/Ubuntu)
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
# Manual check and apply
apt update && apt upgrade
# View available security updates
apt list --upgradable | grep -i security
# For critical production systems: test patches in staging first
# Schedule maintenance windows for kernel updates (require reboot)3. User Account Security
# Enforce strong password policy (/etc/security/pwquality.conf)
minlen = 12
dcredit = -1 # At least 1 digit
ucredit = -1 # At least 1 uppercase
lcredit = -1 # At least 1 lowercase
ocredit = -1 # At least 1 special character
# Disable root direct login
passwd -l root # Lock root password
# Use sudo instead (audit trail of who did what)
# Set account lockout after failed attempts (/etc/pam.d/common-auth)
auth required pam_tally2.so deny=5 unlock_time=900
# Remove/lock unused accounts
for user in games lp sync news; do
usermod -L "$user"
usermod -s /usr/sbin/nologin "$user"
done4. SSH Hardening
SSH is the primary remote access method — hardening it is critical:
# /etc/ssh/sshd_config
PermitRootLogin no # Never allow direct root SSH
PasswordAuthentication no # Use key-based authentication only
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers alice bob # Whitelist allowed users
Protocol 2 # Only SSH v2
X11Forwarding no# Generate strong SSH key (client side)
ssh-keygen -t ed25519 -C "alice@company.com"
# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub alice@server5. Firewall Configuration
# UFW (Ubuntu) — simple firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH
ufw allow 443/tcp # HTTPS
ufw enable
# iptables (advanced) — drop everything except explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT6. File System Security
# Mount options for security (/etc/fstab)
/dev/sda2 /tmp ext4 nodev,nosuid,noexec 0 2
/dev/sda3 /var ext4 nodev,nosuid 0 2
# noexec: prevent executing binaries from /tmp
# nosuid: ignore setuid bits
# nodev: prevent device file creation
# Find world-writable files (potential security issue)
find / -type f -perm -002 -not -path "/proc/*" 2>/dev/null
# Find SUID/SGID files (potential privilege escalation)
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
# Set immutable attribute on critical files
chattr +i /etc/passwd /etc/shadow /etc/group7. Logging and Auditing
# Ensure rsyslog/journald is running and logs are preserved
systemctl enable rsyslog
# Configure log rotation (/etc/logrotate.conf)
# Keep at least 90 days of logs
# Install and configure auditd for security events
apt install auditd
auditctl -w /etc/passwd -p wa -k identity # Watch for changes
auditctl -w /etc/shadow -p wa -k identity
auditctl -w /etc/sudoers -p wa -k sudoers
auditctl -w /var/log/ -p wa -k logfiles
# Review audit logs
ausearch -k identity --start today8. Network Security
# Disable IPv6 if not used
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
# Prevent IP spoofing
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
# Ignore ICMP redirects (prevent MITM)
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
# Disable source routing
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
# SYN flood protection
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
sysctl -p # Apply9. Encryption
- Disk encryption (LUKS): Protect data at rest if physical media is stolen
- TLS everywhere: Encrypt all network communication
- Encrypted backups: Protect backup media with strong encryption
10. Backup Strategy
Even perfect security cannot prevent all incidents. Backups are your last line of defense:
# 3-2-1 Rule:
# 3 copies of data
# 2 different storage media
# 1 offsite copy
# Test restores regularly — untested backups are not backupsSecurity Monitoring
# Check for failed login attempts
grep "Failed password" /var/log/auth.log | tail -20
# Monitor listening ports (should only show expected services)
ss -tlnp
# Check for unauthorized cron jobs
for user in $(cut -d: -f1 /etc/passwd); do
crontab -l -u "$user" 2>/dev/null
done
# File integrity monitoring (detect unauthorized changes)
# Tools: AIDE, Tripwire, OSSEC
aide --init # Create baseline
aide --check # Compare against baselineKey Takeaways
- Default installations are insecure — hardening is mandatory for production systems
- Remove unnecessary software and disable unused services (reduce attack surface)
- Patch promptly — most breaches exploit known, already-patched vulnerabilities
- Use SSH keys instead of passwords; disable root login
- Implement firewall rules with default-deny policy
- Log everything and review logs regularly (or automate alerting)
- Backup religiously and test restores — you will need them eventually
- No single measure is sufficient — defense in depth is the only reliable strategy
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Security Best Practices - OS Hardening.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Operating Systems topic.
Search Terms
operating-systems, operating systems, operating, systems, security, and, protection, best
Related Operating Systems Topics