hardening-linux-endpoint-with-cis-benchmark

# Hardening Linux Endpoint with CIS Benchmark ## When to Use Use this skill when: - Hardening Linux servers (Ubuntu, RHEL, CentOS, Debian) against CIS benchmarks - Automating Linux security baselines using Ansible, OpenSCAP, or shell scripts - Meeting compliance requirements (PCI DSS, HIPAA, SOC 2) for Linux endpoints - Remediating findings from vulnerability scans or security audits **Do not use** for Windows hardening (use hardening-windows-endpoint-with-cis-benchmark). ## Prerequisites - Root or sudo access on target Linux endpoints - CIS Benchmark PDF for target distribution (from cisecurity.org) - OpenSCAP or CIS-CAT for automated assessment - Ansible for enterprise-scale remediation (optional) ## Workflow ### Step 1: Filesystem Configuration (Section 1) ```bash # 1.1.1 Disable unused filesystems cat >> /etc/modprobe.d/CIS.conf << 'EOF' install cramfs /bin/true install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install squashfs /bin/true install udf /bin/true EOF # 1.1.2 Ensure /tmp is a separate partition with nodev,nosuid,noexec # /etc/fstab entry: # tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 systemctl unmask tmp.mount systemctl enable tmp.mount # 1.1.8 Ensure nodev option on /dev/shm mount -o remount,nodev,nosuid,noexec /dev/shm echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" >> /etc/fstab # 1.4 Secure boot settings chown root:root /boot/grub/grub.cfg chmod 600 /boot/grub/grub.c...