security/hardening/linux-hardening/SKILL.md
Apply CIS benchmarks and secure Linux servers. Configure SSH, manage users, implement firewall rules, and enable security features. Use when hardening Linux systems for production or meeting security compliance requirements.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

`npx skillsauth add bagelhole/devops-security-agent-skills linux-hardening`
Secure Linux servers following CIS benchmarks and security best practices.
Use this skill when:
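```
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin
# Deprecated since OpenSSH 7.4, which only speaks protocol 2; only matters on older releases
Protocol 2
```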
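A check for the SSH settings above, as an added example that is not part of the original skill: it reports where a config file deviates from the page's baseline, honouring sshd's rule that the first value read for a keyword wins. The function names `effective_value` and `audit_sshd` and the sample config are constructed for illustration; the script assumes a single file, so it does not follow `Include` and stops at the first `Match` block.

```bash
# Added example: check an sshd_config-style file against this page's baseline.
# sshd keeps the FIRST value it reads for a keyword (keywords are
# case-insensitive), so a hardened line appended below an older one is ignored.

# Baseline: the global settings from the sshd_config block on this page.
BASELINE='permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
maxauthtries=3
clientaliveinterval=300
clientalivecountmax=2'

# effective_value FILE KEYWORD: print the first global value set for KEYWORD.
effective_value() {
  awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                      # comments, blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      match(line, /^[A-Za-z0-9]+/)
      key = tolower(substr(line, 1, RLENGTH))
      if (key == "match") exit                   # conditional blocks start here
      if (key != want) next
      val = substr(line, RLENGTH + 1)            # tolerate an optional "=" separator
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      print tolower(val); exit                   # first occurrence wins
    }' "$1"
}

# audit_sshd FILE: print each deviation; exit status = number of deviations.
audit_sshd() {
  fails=0
  while IFS='=' read -r key want; do
    got=$(effective_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
      fails=$((fails + 1))
    fi
  done <<EOF
$BASELINE
EOF
  return "$fails"
}

# Constructed sample: the hardened line sits BELOW an older permissive one.
SAMPLE=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
  'PubkeyAuthentication yes' 'MaxAuthTries 3' 'ClientAliveInterval 300' \
  'ClientAliveCountMax 2' 'PasswordAuthentication no' > "$SAMPLE"
audit_sshd "$SAMPLE" || echo "deviations: $?"
```

On a live host, `sshd -T` prints the effective configuration, including included files, and is the authoritative source to compare against.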
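```bash
# Password policy
sudo apt install libpam-pwquality
```

```
# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
```

```bash
# Lock inactive accounts (default for new users: disable 30 days after password expiry)
useradd -D -f 30

# Audit sudo usage: write a drop-in and validate it, since a syntax error in
# sudoers blocks all sudo access (assumes /etc/sudoers includes /etc/sudoers.d)
echo "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/sudo-logging
chmod 0440 /etc/sudoers.d/sudo-logging
visudo -cf /etc/sudoers.d/sudo-logging
```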
```bash
# UFW setup
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 443/tcp
ufw enable

# Or iptables: add the ACCEPT rules before switching the policies to DROP,
# otherwise a remote SSH session is cut off before port 22 is allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```
```
# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
```

```bash
# Apply: plain `sysctl -p` reads only /etc/sysctl.conf, so load the drop-in directories too
sysctl --system
```
```bash
# Critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
chmod 600 /etc/ssh/sshd_config

# Find world-writable files
find / -type f -perm -0002 -ls

# Find SUID files
find / -perm -4000 -type f -ls
```
```bash
# Install auditd
apt install auditd
```

```
# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S execve -k exec
```