System Hardening

Security is achieved by reducing attack surfaces, ensuring traceable configurations, and verifiable results.
System hardening means configuring operating systems and services in such a way that they remain stable, secure, and maintainable even under realistic attack assumptions.

I provide support for systematic system hardening based on secure standards, auditable processes, and objective metrics—from the base system to network services to compliance issues.
The goal is a defined level of security that can be automatically tested, documented, and continuously improved.

Knight Dragon Comeli with shield and spear – symbol of security architecture and system hardening.

Goals & Approach

Comeli dragon presents security measures based on an architectural plan for structured system hardening.

A hardened system is not a product of chance, but the result of a structured approach.

The focus is on:

  • Targeted reduction of unnecessary attack surfaces
  • Clean, traceable configurations
  • Clear separation of security-critical and optional measures

I combine technical, organizational, and procedural measures and integrate them into existing operating and deployment processes.

All hardening measures are documented, versioned, and regularly reviewed.

Hardening is based on best practice standards, real threat models, and operational requirements—not on blindly processed checklists.

Objective evaluation with Lynis

Display of an audit report on a monitor for evaluating the degree of system hardening with Lynis.

To objectively evaluate the degree of hardening, I use Lynis—an established audit tool for Unix-based systems. Among other things, Lynis analyzes:

  • Operating system and kernel configurations
  • User and rights management
  • Network and service configurations
  • Logging, audit, and compliance aspects

The resulting Lynis score serves as a transparent reference point for: Prioritizing measures, comparing systems, and monitoring progress and configuration drift

The score is not an end in itself, but a measurable basis for decisions and continuous improvement.

Operating System & Kernel

Comeli dragon working on a laptop with a kernel and system diagram displayed for system hardening of Linux operating systems.

A securely configured kernel forms the basis of any system hardening.

Key areas include:

  • secure kernel parameters (sysctl)
  • deactivation of unnecessary kernel modules
  • restrictive device and file system permissions
  • secure boot and runtime settings

Measures are always evaluated in the context of the system role in order to maintain a balance between security and stability.

Authentication & Rights

Comeli dragon as a vampire in formal attire with bats in the background to represent access control and authorization management.

Misconfigured access rights are among the most common causes of security incidents.

I provide support for:

  • SSH hardening and key-based authentication
  • Clean sudo and role concepts
  • Clear password, session, and timeout policies
  • Transparent user and group management

The goal is to achieve minimal, verifiable rights assignment without operational restrictions.

Network & Services

Comeli dragon analyzing network and service structures using a diagram to reduce attack surfaces.

Every open port increases the attack surface.

Therefore, the focus is on clear, restrictive network concepts:

  • Firewall and filter rules (e.g., nftables/iptables)
  • Deactivation of unnecessary services
  • Secure communication profiles (TLS, cipher suites)
  • Separation of internal and external communication paths

Network hardening always takes place in close coordination with operations and monitoring.

Logging &
Auditing

Without clean logging, security cannot be verified.

I implement concepts for:

  • structured and centralized log collection
  • audit logs with tamper protection
  • defined retention and evaluation strategies
  • regular re-audits, e.g., with Lynis

This allows the security status, changes, and deviations to be traced at any time.

Mandatory Access Control
(SELinux / AppArmor)

Mandatory Access Control is one of the most effective but also most demanding hardening measures.

I provide support in:

  • Assessing whether MAC is useful and realistic
  • Productive operation in enforcing mode
  • Analysis and reduction of false positives
  • Development, maintenance, and debugging of your own policies

The focus is on understanding, maintainability, and operational reliability—not on blind activation.

Trainings

You can find specific trainings and current topics in the Comelio GmbH training catalog.
Available in-house at your company, as a webinar, or as an open training—designed to meet different requirements.

View trainings

Frequently asked questions about System Hardening

In this FAQ, you will find the topics that come up most frequently in consultations and training sessions. Each answer is kept brief and refers to further content where necessary. Can’t find your question? Feel free to contact me.

Comeli dragon leans against a ‘FAQ’ sign and answers questions about System Hardening.

What is the difference between hardening and “security by default”?

Security by default describes the secure default settings of a system. System hardening goes beyond this: it evaluates actively used functions, specifically reduces attack surfaces, and adapts configurations to real threats and operational requirements.

Hardening is always context-dependent—not every recommended measure is appropriate in every environment.

Does a system have to be restricted as much as possible to ensure maximum security?

No. Maximum restriction often leads to unstable operation and increased administrative effort.

The goal of system hardening is controlled security, not maximum restriction.

A good hardening concept balances security, availability, and maintainability and documents consciously made decisions.

How meaningful is a Lynis score really?

The Lynis score is a benchmark, not an absolute quality indicator.

A lower score may be deliberately accepted in certain scenarios if measures are not operationally feasible—the decisive factors are justification and transparency.