Using CIS Benchmarks

When implementing Linux in the Enterprise, security is paramount. There is no one step that can be taken to achieve the nirvana of a truly secure environment—rather, the approach is an amalgamation of disparate steps that come together to build an environment that is as safe and secure as it can be. Indeed, this statement brings us to another important point—security is a moving target. As just one example, SSLv2 was considered to be secure and was used to secure websites across the internet for many years. Then came the DROWN attack in 2016, which rendered it insecure. Thus, a server secured for internet traffic (perhaps a frontend web server) in 2015 would have, at the time, been considered secure. However, in 2017, it would have been considered highly vulnerable.

Linux itself has always been considered a secure operating system, though its high and increasing levels of adoption have seen attacks on the rise. Throughout this book, we have advocated, at a high level, good security practices in the design of your Linux estate; for example, not installing unnecessary services on your base operating system image. Nonetheless, there is much more we can do to make our Linux environment more secure and, in this chapter, we will explore the ways in which standards have been developed to ensure the security of Linux environments. Specifically, we will consider the use of the CIS Benchmarks, along with some practical examples of how to apply them.

The following topics will be covered in this chapter:

  • Understanding CIS Benchmarks
  • Applying security policy wisely
  • Scripted deployment of server hardening