#48SECURITYPROTECT
Host Hardening
Secure baseline configuration
Medium
Overview
Secure server configuration: firewall, SSH hardening, user management, baseline security settings.
Why It Matters
Reduce attack surface. CIS benchmarks, unnecessary services disabled.
The Risk
Unhard servers are low-hanging fruit for attackers. Default configurations, weak SSH, and unnecessary services provide easy entry points. Once breached, lateral movement is trivial.
Implementation Components
A complete implementation of this capability includes:
- CIS benchmark application for your OS
- SSH hardening (key-only auth, no root login)
- Firewall configuration with default-deny
- Unnecessary services disabled
- Regular security scanning (Lynis)
- Automated hardening via configuration management
Implementation Pattern
- 1Apply security benchmarks
- 2Configure firewall
- 3Harden SSH
- 4Disable unused services
Pipeline Coverage
This continuous capability monitors and applies to the following pipeline phases:
DEVELOPSTAGERELEASE
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Enables (unlocks)
Same Layer
Other capabilities in this continuous layer
- •#44 Database Backups
- •#45 System/App Backups
- •#46 Restore Verification
- •#47 Restore Drills
- •#49 Config Drift Detection
+5 more