PS Product Security Knowledge Base

๐Ÿง Linux Base Image and Host Security Baseline

Intro: Linux is the quiet dependency under almost everything else in this archive. Weak host and base image hygiene silently undermines container security, CI runners, Vault nodes, and self-managed GitLab, because every one of those runs on a host whose SSH, patch, logging and file-permission posture it inherits.

What this page includes

  • a baseline hardening checklist
  • comments on why each area matters
  • operational commands
  • cross-links to container and GitLab pages

Baseline checklist

Identity and access

  • disable direct root login over SSH
  • require MFA where practical for admin access
  • use sudo sparingly and audit it
  • remove unused local accounts and stale SSH keys

Patch and package hygiene

  • install only what is needed
  • patch regularly
  • prefer supported distributions and supported package sources
  • inventory kernel and userland versions

Logging and time

  • enable audit and auth logs
  • centralize logs where possible
  • keep time synchronized
  • protect log destinations and retention

Network

  • disable unnecessary listening services
  • use host firewall rules
  • restrict administrative access paths
  • separate management and application traffic where possible

Secrets and files

  • do not store secrets in world-readable files
  • reduce file permissions
  • protect SSH private keys and service credentials
  • mount sensitive filesystems with sane options when possible

Kernel and runtime

  • disable unnecessary kernel modules where appropriate
  • reduce swap risk for sensitive systems if required by product guidance
  • monitor for suspicious privilege escalation or persistence patterns

Useful commands

ss -tulpn
sudo systemctl list-unit-files --type=service
sudo grep -E '^(PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config
sudo lastlog | head
sudo find / -xdev -perm -4000 -type f 2>/dev/null
sudo journalctl -p warning -b
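The grep above only catches the two SSH directives if they are unindented and in the main file; the following script, added here as an example and not part of this knowledge base's tooling, turns the "Identity and access" and "Secrets and files" checklist items (Top 10 items 1, 2 and 4) into a repeatable check you can run on a golden image or CI runner before it is promoted. The path /etc/vault.d in the usage comment is only an assumed example of a secrets directory.

```shell
#!/bin/sh
# Added example: baseline check for two checklist items (SSH root/password
# login, world-readable secrets). Prints one "FINDING:" line per problem.

# Effective value of one sshd_config keyword. sshd uses the FIRST
# uncommented occurrence, and directives after a "Match" line are
# conditional, so the scan stops there. Simplifications: Match blocks are
# not evaluated and only "Keyword value" (not "Keyword=value") is parsed.
sshd_value() {
  awk -v key="$2" '
    /^[ \t]*Match[ \t]/ { exit }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# check_sshd FILE: flag PermitRootLogin and PasswordAuthentication unless
# explicitly "no". When absent, OpenSSH defaults PermitRootLogin to
# prohibit-password (still root over SSH) and PasswordAuthentication to yes.
check_sshd() {
  v=$(sshd_value "$1" PermitRootLogin)
  [ -n "$v" ] || v=prohibit-password
  [ "$v" = no ] || echo "FINDING: PermitRootLogin=$v in $1"
  v=$(sshd_value "$1" PasswordAuthentication)
  [ -n "$v" ] || v=yes
  [ "$v" = no ] || echo "FINDING: PasswordAuthentication=$v in $1"
}

# check_secrets DIR: flag regular files under DIR with the other-read bit
# (mode o+r, octal 004) set, i.e. world-readable credential material.
check_secrets() {
  find "$1" -xdev -type f -perm -004 2>/dev/null |
    while read -r f; do echo "FINDING: world-readable $f"; done
}

# Usage on a host (assumed example paths):
#   audit_host /etc/ssh/sshd_config /etc/vault.d
# The second argument is whichever directory holds this host's secrets.
audit_host() {
  check_sshd "$1"
  check_secrets "$2"
}
```

Run it as root so find can read every directory; an empty output means both checks passed.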

Commentary

  • No SSH hygiene, no security story. Too many environments still rely on permissive SSH settings and shared keys.
  • Reduce package count. Every package becomes part of your attack surface and patching burden.
  • Logging is a control, not a side effect. If you cannot prove who changed access or configuration, you do not have durable control.

Top 10 Linux misconfigurations

  1. Root login allowed over SSH
  2. Password authentication left enabled without strong controls
  3. Unused services left listening
  4. World-readable secrets or permissive file modes
  5. Stale local users or shared admin accounts
  6. Missing audit and auth log retention
  7. Delayed patching on internet-facing systems
  8. Overbroad sudo privileges
  9. Weak separation of management traffic
  10. Base images or AMIs built ad hoc without standard hardening