Dashboard Overview
This report summarizes the 8 exercises performed to harden a Xubuntu 24.04 endpoint. The system's security posture was significantly improved by implementing access controls, threat monitoring, and system hygiene best practices.
Lynis Hardening Score
The initial Lynis hardening index of 61 was raised by applying the fixes Lynis suggested, giving a measurable improvement in security posture.
Security Tools Implemented
A suite of security and management tools was installed to provide layered defense and easier administration.
Access Control
This section details how user and application access was secured, from initial login policies to fine-grained, application-level restrictions.
User Account & Password Policy
Inactive accounts were locked, and a mandatory password rotation policy was enforced using the Cockpit web interface.
Inactive Account Locked
The account of user 'bob' was locked so that this legacy account could not be used for unauthorized access.
$ sudo usermod -L bob
$ sudo passwd -S bob
bob L ... (Locked)
Password Aging Policy
Policy for user 'alice' set via Cockpit, requiring password changes every 90 days.
$ sudo chage -l alice
...
Maximum number of days between password change : 90
SSH Hardening
Remote root login was disabled in the SSH configuration to mitigate brute-force attacks against the most privileged user.
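As an added example (not part of the original report or its configuration files), the check below reads the effective `PermitRootLogin` value from an `sshd_config` file so the "before" and "after" states of the SSH Hardening step can be compared side by side. The two config files are constructed samples; the assumption is a config without `Match` blocks or `Include` drop-ins, which this simple scan does not follow.

```shell
#!/bin/sh
# Added example, not part of the original report: read the effective PermitRootLogin
# value from an sshd_config file so the "before" and "after" states can be compared.
# sshd honours the FIRST occurrence of a directive; later duplicates are ignored.
# Assumptions (constructed sample files, not the report's real config): no Match
# blocks and no Include'd drop-in files, which this simple scan would not follow.

# Print the effective PermitRootLogin value for the config file in $1.
# When the directive is absent, sshd's compiled-in default is prohibit-password.
effective_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" && !found { print tolower($2); found = 1 }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Succeed (exit 0) only when root login is fully disabled, the hardened state.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

WEAK=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Constructed "before": the stock file only carries the directive as a comment,
# so the default applies and root may still log in with an SSH key.
cat > "$WEAK" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

# Constructed "after": the setting applied in the SSH Hardening exercise.
cat > "$HARDENED" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
EOF

echo "before: PermitRootLogin=$(effective_permit_root_login "$WEAK")"
echo "after:  PermitRootLogin=$(effective_permit_root_login "$HARDENED")"
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually uses, including any `Include`d files and `Match` blocks, and the service must be reloaded after the edit for the change to take effect.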
Mandatory Access Control (AppArmor)
A custom AppArmor profile was generated for a test script, then manually edited to enforce a "deny write" policy, successfully blocking an unauthorized action.
Generate Profile
Used `aa-genprof` to learn the script's normal behavior (including writing a file).
Modify Policy
Edited the profile to change file write (`w`) permission to read (`r`).
Verify Block
The system log confirmed AppArmor blocked the unauthorized write action.
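As an added example covering the three AppArmor steps above (generate, modify, verify), the block below shows a learned profile and its edited form side by side, a check that reads which access mode a profile grants on a path, and a parser for the denial record the kernel logs once the write is blocked. None of it is the report's own profile or log: the script path `/home/user/test.sh`, the target `/home/user/output.txt`, the profile text and the log line are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original report: the learned and the edited AppArmor
# profile side by side, plus two small checks used to confirm the edit and to read
# the kernel's denial record. Paths (/home/user/test.sh, /home/user/output.txt),
# the profile text and the log line are constructed assumptions, not the report's.

LEARNED=$(mktemp)
EDITED=$(mktemp)
trap 'rm -f "$LEARNED" "$EDITED"' EXIT

# Constructed profile as aa-genprof would learn it: the script may write output.txt.
cat > "$LEARNED" <<'EOF'
abi <abi/4.0>,
include <tunables/global>

/home/user/test.sh {
  include <abstractions/base>
  include <abstractions/bash>

  /home/user/test.sh r,
  /home/user/output.txt w,
}
EOF

# The same profile after the manual edit: the write rule becomes read-only.
cat > "$EDITED" <<'EOF'
abi <abi/4.0>,
include <tunables/global>

/home/user/test.sh {
  include <abstractions/base>
  include <abstractions/bash>

  /home/user/test.sh r,
  /home/user/output.txt r,
}
EOF

# Print the access mode a profile ($1) grants on a path ($2), e.g. "w" or "r".
# Handles an optional leading "owner" qualifier; prints nothing if no rule matches.
profile_mode_for() {
    awk -v p="$2" '
        { i = ($1 == "owner") ? 2 : 1 }
        $i == p { m = $(i + 1); sub(/,$/, "", m); print m; exit }
    ' "$1"
}

# Given one kernel/audit log line, print "<path> <denied_mask>" when it is an
# AppArmor denial, nothing otherwise. Fields are split on the double quotes.
denial_summary() {
    printf '%s\n' "$1" | awk -F'"' '
        /apparmor="DENIED"/ {
            for (i = 1; i < NF; i++) {
                if ($i ~ / name=$/) n = $(i + 1)
                if ($i ~ / denied_mask=$/) d = $(i + 1)
            }
            print n, d
        }'
}

# Constructed denial record in the format AppArmor logs after the edited profile
# is reloaded and the script tries its write again (step 3, "Verify Block").
DENIAL='audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" class="file" profile="/home/user/test.sh" name="/home/user/output.txt" pid=4242 comm="test.sh" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

echo "learned profile grants: $(profile_mode_for "$LEARNED" /home/user/output.txt)"
echo "edited profile grants:  $(profile_mode_for "$EDITED" /home/user/output.txt)"
echo "kernel denial: $(denial_summary "$DENIAL")"
```

After editing the real profile under `/etc/apparmor.d/`, reload it with `sudo apparmor_parser -r <profile file>`; the denial lines then appear in `sudo dmesg` or `journalctl -k` and can be fed to `denial_summary` one at a time.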
Threat & Integrity Monitoring
This section covers the real-time detection systems implemented to monitor for threats, malware, and unauthorized file changes.
File Integrity Monitoring (FIM)
A "golden" hash of a file was created with `md5sum`. A simulated tamper was detected immediately, because the recomputed hash no longer matched the baseline.
1. Baseline Hash
md5sum ... > ...md5
2. Simulate Tamper
echo " " >> ...txt
3. Verification
$ md5sum -c ...md5
... FAILED
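As an added example (not the report's own commands), the three FIM steps above are wrapped into reusable functions, using `sha256sum` in place of the report's `md5sum`, since MD5 is collision-prone and a baseline should not rely on it. The target file and the manifest are constructed in a temporary directory; the verify step also treats a deleted file as a tamper, which the page's flow does not exercise.

```shell
#!/bin/sh
# Added example, not from the original report: the baseline / tamper / verify
# cycle as reusable functions, using sha256sum instead of the report's md5sum
# (MD5 is collision-prone, which matters once an attacker controls the file).
# The target file and manifest below are constructed in a temporary directory.

# Record the current digest of file $1 into manifest $2 (the "golden" hash).
# Absolute paths are used so the manifest can be checked from any directory.
fim_baseline() {
    sha256sum "$1" > "$2"
}

# Re-check every file listed in manifest $1. --status suppresses output and
# reports only through the exit code: 0 = all match, non-zero = a mismatch
# OR a file that can no longer be read (deletion is also a tamper).
fim_verify() {
    sha256sum -c --status "$1"
}

# Human-readable verdict for manifest $1: "intact" or "modified".
fim_status() {
    if fim_verify "$1"; then echo intact; else echo modified; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TARGET="$WORK/target.txt"
MANIFEST="$WORK/target.sha256"

echo "important configuration" > "$TARGET"     # constructed file to protect

fim_baseline "$TARGET" "$MANIFEST"              # 1. baseline hash
echo "after baseline: $(fim_status "$MANIFEST")"

echo " " >> "$TARGET"                           # 2. simulated tamper (a single space)
echo "after tamper:   $(fim_status "$MANIFEST")"

cat "$MANIFEST"                                 # the manifest line: "<digest>  <path>"
```

The manifest only proves anything if it lives somewhere the monitored system cannot silently rewrite it (read-only media, another host, or a signed copy); a baseline stored next to the file it protects is replaced along with it.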
Antivirus (ClamAV)
Installed `clamav` together with the `clamtk` GUI. After the virus definitions were updated, the scanner detected the EICAR test file.
1. Update Signatures
sudo freshclam
2. Create EICAR Sample
echo 'X5O!P%...' > ...
3. Detected
ClamTK Result:
Found: eicar-signature
Event Auditing (AuditD)
Configured `auditd` to watch a critical file. Each read (`cat`), append (a `bash` redirection) and permission change (`chmod`) was recorded under the `audit_demo` key, providing a clear forensic trail.
$ sudo auditctl -w /home/user/Desktop/audit_target.txt -p rwxa -k audit_demo
type=SYSCALL ... comm="cat" exe="/usr/bin/cat" ... key="audit_demo"
type=SYSCALL ... comm="bash" ... a2=O_WRONLY|O_CREAT|O_APPEND ... key="audit_demo"
type=SYSCALL ... comm="chmod" exe="/usr/bin/chmod" ... key="audit_demo"
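As an added example (not the report's own rule file or log output), the block below shows the same watch in the persistent rules-file form that survives a reboot, and a small summary that counts which processes touched the watched file under the `audit_demo` key. The audit records are constructed samples modelled on the three actions above, plus one record from a hypothetical second watch to show the key filter working; the rule is written to a temporary file rather than to `/etc/audit/rules.d/`.

```shell
#!/bin/sh
# Added example, not from the original report: (a) the watch rule in the
# persistent form auditd loads at boot, and (b) a small summary over audit
# records keyed audit_demo, of the kind the exercise produced. The records
# below are constructed samples modelled on the report's three actions, and
# the rule is written to a temp file rather than /etc/audit/rules.d/ here.

RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT

# Same watch as the auditctl command, in rules-file syntax. On a real host this
# goes in /etc/audit/rules.d/audit_demo.rules and is loaded with augenrules.
cat > "$RULES" <<'EOF'
-w /home/user/Desktop/audit_target.txt -p rwxa -k audit_demo
EOF

# Read raw audit records on stdin and print "<comm> <count>" for every process
# name that touched a file under the key given in $1, sorted by name. Records
# carrying other keys (other watches) are ignored.
audit_summary() {
    awk -v key="$1" '
        index($0, "key=\"" key "\"") && match($0, /comm="[^"]*"/) {
            counts[substr($0, RSTART + 6, RLENGTH - 7)]++
        }
        END { for (c in counts) print c, counts[c] }
    ' | sort
}

# Constructed records (abbreviated, as in the report): two reads with cat, one
# append via a bash redirection, one chmod, and one record from another watch.
SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes comm="cat" exe="/usr/bin/cat" key="audit_demo"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes comm="bash" exe="/usr/bin/bash" a2=O_WRONLY|O_CREAT|O_APPEND key="audit_demo"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=268 success=yes comm="chmod" exe="/usr/bin/chmod" key="audit_demo"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes comm="cat" exe="/usr/bin/cat" key="audit_demo"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=257 success=yes comm="vim" exe="/usr/bin/vim" key="other_watch"'

printf '%s\n' "$SAMPLE" | audit_summary audit_demo
```

On the hardened host the same summary runs over real records with `sudo ausearch -k audit_demo --raw | audit_summary audit_demo`; an unexpected process name in that list is the signal worth investigating.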
System Auditing & Hygiene
This section outlines the preventative maintenance and auditing performed, from the initial Lynis scan to disabling unused services and cleaning the system.
Lynis Audit Result
The final audit shows a Hardening Index of 63, representing the system's security posture *after* applying fixes.
Services & Packages
Unnecessary services were disabled to reduce the attack surface, and the system was cleaned of orphaned packages and old kernels.
Services Disabled
- `cupsd` (Printing Service)
- `avahi-daemon` (Network Discovery)
Final System Cleanup
The final cleanup confirmed no orphaned dependencies remain.
$ sudo apt autoremove --purge
...
0 upgraded, 0 newly installed, 0 to remove...