Linux Security: Keeping Linux Machines Secure with Less Tinkering
Every operating system has its quirks, and Linux security is no different. Whether you’re on Team Penguin or running mostly Windows boxes (or a bit of both), you’ll need to take different steps to manage security on different OSes. Like any OS, Linux security comes with its own peculiarities, pitfalls, and best practices.
In this post, we'll explain what Linux security really means in the modern era of IT, what makes it different from managing security on Windows, and some best practices and approaches we’ve found for securing Linux.
Linux Security is Just What it Sounds Like: It’s How You Ensure Linux OS Security
Linux security describes methods, tools, and metrics for protecting Linux-based operating systems from security vulnerabilities and threats. Linux is a popular OS for ensuring system security because of the customizability afforded by its open source distribution model.
A huge amount of computing is done on Linux and Linux-like operating systems. Large IT systems — the kind that have been around for decades, or that grew quickly when a company got acquired — often feature multiple heterogeneous OSes commingling in one large environment, including at least one flavor of Linux.
Linux’s open-source nature, modular design, and extensive configurability differentiate it from other operating systems like Windows and macOS. Because the architecture of Linux is so different from other major operating systems, a whole host of tools, practices, and methods for securing Linux have arisen in the world of SecOps.
What’s Unique About Linux from a Security Standpoint?
One of the reasons sysadmins and security engineers prefer Linux for security is because it’s much more flexible than Windows or macOS. That’s partly because you can customize the Linux kernel itself — right down where the operating system interacts with the hardware — to enforce specific security features.
At the heart of Linux’s overall OS security framework is Linux Security Modules (LSM), which allow the Linux kernel to support multiple computer security models. For example, integrating SELinux lets you include mandatory access control (MAC); applying Grsecurity configures and enforces security mechanisms like memory safety, role-based access control (RBAC), and code execution protections on Linux to harden security at the kernel level.
Fact or Fiction? Linux is More Secure than Windows
Linux and Windows both provide a broad range of security options. Linux security is highly configurable, making it a sysadmin favorite, but its flexibility can make it much more complex. Windows simplifies security configuration at the expense of more direct control, making it the preferred OS for teams of varying skills and needs.
While securing Linux and securing Windows both have their benefits and drawbacks, both require rigorous effort to apply, maintain, and enforce security policies.
Compared to Windows, security for a Linux OS is less about centralized, GUI-based security management and more about configuration management and command-line control. Linux’s command line-based interfaces make it much more customizable (and more straightforward than Windows automation), but the tradeoff comes at the expense of user friendliness (which Windows, historically designed around the end user, has traditionally excelled at).
In reality, the dichotomy is moot — once you get to a certain scale of IT, you’re unlikely to be managing only Windows or only Linux. That’s why it’s more important to find ways to secure each and unify control of your security policies across OSes.
Popular Linux Security Tools
| Tool Name | Description | Cost/Model |
| --- | --- | --- |
| SELinux (Security-Enhanced Linux) | A Linux kernel module that enforces mandatory access control policies, restricting processes' actions to enhance security. | Free and open source |
| AppArmor | An alternative to SELinux, AppArmor restricts the capabilities of programs by applying profiles to enforce access controls. Integrated into Linux distros like Ubuntu and Debian. | Free and open source |
| Grsecurity | Provides kernel security enhancements that protect against a wide array of exploits and vulnerabilities. | |
| Linux Kernel Runtime Guard (LKRG) | Monitors and detects exploitation attempts in real time, enforcing protection against kernel vulnerabilities. | Free and open source |
| | Kernel-level packet filtering and firewall tools for network traffic management and security policy enforcement. Included in all major Linux distros. | Free and open source |
| Auditd (Linux Auditing System) | Monitors and logs security-relevant system activity, providing an audit trail for compliance and forensic analysis. Included in Linux distributions. | Free and open source |
Linux OS Security Best Practices
Popular practices for securing a Linux OS include using SELinux for access control, hardening the Linux kernel with a tool like Grsecurity, configuring firewalls with iptables or nftables, managing user privileges with sudo, monitoring file integrity for auditing, using custom Linux security modules, and enforcing security settings with configuration management software.
The tools and methods you use to secure Linux OSes will depend on how you use Linux. But at a base level, there are a few security measures you should ensure in any Linux environment:
- Enable mandatory access control (MAC). SELinux is automatically installed with many Linux distros, while AppArmor is the default MAC provided with Debian-based systems.
- Apply kernel hardening patches with tools like Grsecurity or Linux Kernel Runtime Guard.
- Manage user privileges. sudo can be used to prevent unauthorized access to root operations, and PolicyKit can fine-tune access control over system-wide privileges.
- Configure firewalls at the kernel level. Like any OS, consistent firewall configuration on Linux helps protect Linux machines on your network from unauthorized access and attacks. iptables and nftables let you create rules for managing network traffic, filtering packets, and controlling traffic.
- Implement file and log integrity for audit trails. The Linux audit daemon Auditd provides an audit trail to track and log security-related events on Linux. You can configure Auditd to monitor for unauthorized access, changes to system configurations, and other activities relevant to the security of your Linux infrastructure.
- Keep a software bill of materials. A software bill of materials (SBOM) is a nested inventory of all the pieces which make up a software component, like package name, version, known vulnerabilities, and more. Since Linux is a modular OS, having visibility into all the modules you’re using across distros helps you detect known vulnerabilities and react when new ones are found.
- Use a configuration management tool. Once you’ve installed the right security software and configured the right security settings, configuration management software cuts down on manual updates and fixes to security configurations (like when configuration drift occurs or you need to update configurations to manage compliance). Writing configurations into infrastructure code so they can be automatically managed lets you build your entire security policy as code. That turns OS configurations, application configurations, server configurations, and more into code that can be edited, updated, and reverted from your configuration management tool.
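The following script is an added example, not code from the original post or from Puppet, that turns four of the practices above (MAC enforcing, restrained sudo, Auditd watches, a default-drop firewall) into checks you can run before an audit. Every check reads a configuration file rather than querying the live system, so it also works on configs copied off a host or in a CI job; the list of required audit watches and the sample files at the bottom are assumptions constructed for the demo.

```shell
#!/bin/sh
# Baseline checks for four Linux hardening practices. Example code only: the
# required-watch list and the sample configs below are constructed for the demo.

# 1. Mandatory access control: is an /etc/selinux/config file set to enforcing?
selinux_config_enforcing() {
  grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$1"
}

# 2. sudo: does any non-comment rule grant ALL commands without a password?
sudoers_unrestricted_nopasswd() {
  sed 's/#.*//' "$1" | grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'
}

# 3. auditd: which required "-w <path> -p wa" watches are absent or incomplete?
#    Prints the offending paths; exit status is 0 only when every watch is present.
REQUIRED_WATCHES="/etc/sudoers /etc/passwd /etc/shadow /etc/ssh/sshd_config"
audit_missing_watches() {
  missing=""
  for p in $REQUIRED_WATCHES; do
    perm=$(grep -E "^-w[[:space:]]+$p[[:space:]]" "$1" \
           | sed -nE 's/.*-p[[:space:]]+([rwxa]+).*/\1/p' | head -n 1)
    case "$perm" in
      *w*a*|*a*w*) ;;                 # writes and attribute changes are both watched
      *) missing="$missing $p" ;;
    esac
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# 4. nftables: does the chain hooked on input default to drop?
nft_input_policy_drop() {
  awk '/hook input/ { in_chain = 1 }
       in_chain && /policy drop/ { found = 1 }
       /}/ { in_chain = 0 }
       END { exit found ? 0 : 1 }' "$1"
}

# Run all four checks on a directory of config files; returns the number of failures.
run_baseline_report() {
  dir=$1
  fails=0
  if selinux_config_enforcing "$dir/selinux_config"; then
    echo "PASS  SELinux is set to enforcing"
  else
    echo "FAIL  SELinux is not set to enforcing"; fails=$((fails + 1))
  fi
  if sudoers_unrestricted_nopasswd "$dir/sudoers"; then
    echo "FAIL  sudoers grants NOPASSWD for ALL commands"; fails=$((fails + 1))
  else
    echo "PASS  no unrestricted NOPASSWD rule in sudoers"
  fi
  if missing=$(audit_missing_watches "$dir/audit.rules"); then
    echo "PASS  all required audit watches present"
  else
    echo "FAIL  audit watches missing or incomplete: $missing"; fails=$((fails + 1))
  fi
  if nft_input_policy_drop "$dir/nft.conf"; then
    echo "PASS  nftables input chain defaults to drop"
  else
    echo "FAIL  nftables input chain does not default to drop"; fails=$((fails + 1))
  fi
  return $fails
}

# Constructed sample configs (not taken from any real host) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/selinux_config" <<'EOF'
SELINUX=permissive
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL)     ALL
deploy  ALL=(ALL)     NOPASSWD: ALL
EOF
cat > "$SAMPLE_DIR/audit.rules" <<'EOF'
-w /etc/sudoers -p wa -k scope
-w /etc/passwd -p wa -k identity
-w /etc/ssh/sshd_config -p r -k sshd
EOF
cat > "$SAMPLE_DIR/nft.conf" <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    tcp dport 22 accept
  }
}
EOF

run_baseline_report "$SAMPLE_DIR"
echo "$? check(s) failed"
```

On the constructed samples the report flags three findings (permissive SELinux, a passwordless NOPASSWD rule for all commands, and audit watches that are missing for /etc/shadow and only read-watched for sshd_config) and passes the firewall check; point the functions at copies of the real files to get the same report for a host.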
Linux Security Framework: Save Time by Building from Existing Guidelines
A Linux OS security framework doesn’t have to start from scratch. Guidelines in frameworks for governance, risk, and compliance (GRC) and IT security can be used to build a Linux security framework. Examples include CIS Benchmarks, ISO 27001, NIST SP 800-53, DISA STIGs, and more.
Not enough discussions of Linux security and compliance mention the overlapping nature of IT compliance frameworks. IT compliance is a complex web of intersecting and overlapping regulations, frameworks, standards, directives, and guidelines. While different sources are built for different industries (like DISA STIGs for government organizations, contractors, and vendors), the actual requirements in each are often similar.
That means that if you configure a component to match guidance from one compliance framework, you probably meet a similar standard in another framework. Your organization’s own IT compliance framework can be built from these instead of starting from scratch. Comply with one, and you likely comply with more — or at least, you have a leg up.
In terms of Linux security, that means you can build a strong Linux security framework with less effort using frameworks and standards that already exist.
Let’s illustrate the point with an example. Multi-factor authentication (MFA) is a compliance expectation common to many regulations. You can comply with many of those regulations at once by configuring it in a compliant way across your systems. It’s basically the “two birds with one stone” concept, but with one security configuration and several compliance expectations:
- HIPAA § 164.312(d) Technical safeguards require organizations to “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”
- NIST PR.AA-03 requires ensuring that “[u]sers, services, and hardware are authenticated”
- NIS2 Article 21.2(j) requires “the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate”
- PCI-DSS requires measures that “Identify Users and Authenticate Access to System Components”
CIS Benchmarks for Linux
The Center for Internet Security (CIS) has established community-sourced compliance standards (and instructions) for different operating systems, including Linux. These guidelines are called CIS Benchmarks: freely available, globally recognized baseline configurations that are created to protect systems, data, and users from external threats and IT risk.
As of this writing, there are CIS Benchmarks for more than a dozen Linux distros, from market leaders like Red Hat Enterprise Linux (RHEL), Ubuntu, Debian, and CentOS to more niche distros like AlmaLinux, with benchmarks for multiple versions of each OS.
The CIS Benchmarks specific to Linux address common concerns like root privilege issues, but they’re also incredibly detailed and prescriptive. The CIS Benchmark 2.0.0 for Ubuntu 20.04 LTS, for example, is a PDF almost 1,300 pages long at the time of this writing. Those pages are full of step-by-step instructions and commands to help Linux admins secure their systems faster, stay on top of compliance, and pass audits in less time.
What’s Right for Your Linux Security Framework?
Your security framework for Linux doesn’t have to be a slog — but it shouldn’t be a slapdash patchwork, either. Consider these questions when crafting or tweaking your approach to security on Linux:
- What security features does your Linux system already include? Linux OS security comes built-in with distros like Debian and Ubuntu.
- How are you managing access to your Linux systems? This includes password policy enforcement, MFA, RBAC, and more.
- How do you protect your data? This may include strong encryption of data — both at rest and in motion — and static or dynamic data masking.
- How many different software pieces make up your OS? Some applications and services are more secure than others.
How Puppet Can Support Linux Security
Puppet’s automated configuration management capabilities give Linux admins a way to centralize and manage Linux security configurations. Puppet lets you change security policies by pushing changes to your Puppet infrastructure code, and Puppet will automatically remediate unapproved changes and drift.
Using Puppet to enforce Linux security policies and support your Linux security framework comes with a few key benefits.
- Puppet’s agent-based automation means you don’t have to SSH in to change configurations or manage security settings manually. It also lets each node keep enforcing its configuration autonomously during a service interruption or network outage.
- Puppet lets you write configurations in one abstraction language — Puppet DSL — and enforce them across all the different flavors of Linux you might be running. The Puppet agent on each server interprets your commands locally, so you can manage continuous compliance, patching, and access management across servers without missing a beat.
- The Puppet agent on each node checks in with the primary server every 30 minutes by default — that’s 48 times every day — to make sure it has the latest coded configurations. If there’s any discrepancy between the configurations on its node and the primary codebase, the agent will automatically apply the latest configurations locally.
- If you made an intentional change to your Linux security policy on the primary server, the agent will enforce that updated configuration on the next run.
- If a configuration was changed on the node itself — by accident or maliciously — the Puppet agent will enforce remediation to the current configuration.
- Security Compliance Enforcement in Puppet Enterprise Advanced automatically enforces configurations aligned to CIS Benchmarks and DISA STIGs. It saves time on the manual configuration needed to bring your Linux systems into alignment with CIS Benchmarks and STIGs for a wide range of specific Linux distros.
The real benefit of using Puppet for Linux security is that it makes desired state management possible. With Puppet, there’s no wondering what changed or who changed it or when: When something doesn’t align to the infrastructure state you’ve defined, Puppet quickly brings it back into alignment automatically.
Representing infrastructure configurations (including security settings) as code and keeping all managed servers aligned to them creates an auditable paper trail for change management and compliance reporting.
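To make the desired-state loop concrete, here is an added example written in plain sh; it is not Puppet’s code and does not use the Puppet agent. It reproduces the mechanics the paragraphs above describe for a managed file: compare the file on the node with its declared content and mode, report drift, remediate only in enforce mode, converge to zero changes on the next run, and append every decision to a change log. The resource table format (path|source|mode) and the drifted sshd_config lab are constructed for the demo.

```shell
#!/bin/sh
# Minimal desired-state enforcement for files. Example code, not Puppet's agent.
# Resource table format (constructed for this demo): path|source|octal-mode

# Append a timestamped line to the change log so each run leaves an auditable trail.
log_change() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

# enforce_state TABLE MODE LOG
#   MODE is "noop" (report only) or "enforce" (report and fix).
#   Returns the number of resources found out of their desired state on this run.
enforce_state() {
  table=$1; mode=$2; logfile=$3
  drift=0
  while IFS='|' read -r path source perm; do
    case "$path" in ''|'#'*) continue ;; esac      # skip blank and comment rows
    changes=""
    if [ ! -f "$path" ] || ! cmp -s "$source" "$path"; then
      changes="content"
    fi
    # -perm with an exact octal mode prints the path only when the mode matches
    if [ -e "$path" ] && [ -z "$(find "$path" -prune -perm "$perm")" ]; then
      changes="$changes mode"
    fi
    if [ -z "$changes" ]; then
      log_change "$logfile" "$path in sync"
      continue
    fi
    drift=$((drift + 1))
    if [ "$mode" = enforce ]; then
      cp "$source" "$path" && chmod "$perm" "$path"
      log_change "$logfile" "$path drift($changes) remediated"
    else
      log_change "$logfile" "$path drift($changes) noop"
    fi
  done < "$table"
  return $drift
}

# make_demo_state DIR: build a constructed lab in DIR with one drifted sshd_config.
make_demo_state() {
  dir=$1
  mkdir -p "$dir/src" "$dir/etc"
  # declared (desired) content, as it would live in version control
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$dir/src/sshd_config"
  # what is actually on the node: root login flipped on and the mode loosened
  printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$dir/etc/sshd_config"
  chmod 0644 "$dir/etc/sshd_config"
  printf '# path|source|mode\n%s|%s|0600\n' \
    "$dir/etc/sshd_config" "$dir/src/sshd_config" > "$dir/desired.tbl"
}

DEMO=$(mktemp -d)
make_demo_state "$DEMO"
enforce_state "$DEMO/desired.tbl" noop "$DEMO/changes.log"
echo "noop run: $? resource(s) drifted"
enforce_state "$DEMO/desired.tbl" enforce "$DEMO/changes.log"
echo "enforce run: $? resource(s) remediated"
enforce_state "$DEMO/desired.tbl" enforce "$DEMO/changes.log"
echo "second enforce run: $? resource(s) drifted (converged)"
cat "$DEMO/changes.log"
```

The three runs print 1, 1 and 0: the noop run only records the drift (content and mode), the enforce run restores both, and the second enforce run finds nothing to do, which is the convergence property that makes a scheduled agent run safe to repeat.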
Puppet at Staples: A Linux Case Study
Staples, a leading retailer of workspace products, chose Puppet to give developers the ability to provision standardized, secure, usable servers running multiple flavors of Linux.
Instead of spending weeks getting new Linux machines ready for dev use, the Staples team can stand them up in a matter of minutes — fully configured with security policies and more already baked in.
“We’re not just handing out servers,” said Senior Cloud and Automation Engineer Jeff Quaintance. “We’re handing out servers with middleware or database on top of it, moving up the stack. Puppet has really helped us get to that point.”
Need to enforce better, more resilient security policies in your Linux and multi-OS environments? Download our white paper to find out how automation makes security and compliance easier, or get in touch with the Puppet team for a demo of Puppet’s powerful desired state management capabilities.