Don’t Skip Linux Secure Configurations

Written by David Worthington on July 28, 2022

Hardening policies are commonly applied to Windows devices through Active Directory, to Mac devices through an Apple MDM, or to both through an open directory platform such as JumpCloud. But establishing secure configurations for Linux is a more complex undertaking. As a consequence, it’s either not done or falls by the wayside. That’s why JumpCloud provides its users with a set of policies, based upon industry best practices, that work across Linux distributions for individual devices and groups.

Secure configurations are an important aspect of good IT hygiene. Endpoint detection and response (EDR), least privilege computing practices to manage entitlements, and patching are less effective without uniform policies to secure your devices. These policies strike a balance between a strong security posture and user productivity by providing options to harden surface controls that can be customized to best fit your organization’s unique requirements.

For instance, a policy that disables macros in Windows helps to guard against future vulnerabilities. Security experts have identified similar controls to defend Linux systems. If you harden your Windows systems, you should also harden your Linux devices.

Linux Secure Configurations Shouldn’t Be Disregarded

Secure configurations for Linux aren’t as straightforward or familiar to IT teams. In general, Linux devices aren’t managed as diligently as Windows systems, leaving a gaping hole in the visibility and oversight of IT infrastructure. One challenge is that IT admins may find that there’s more than one Linux distribution in their fleet. Even Windows shops encounter security appliance images that are Linux-based, e.g., devices such as security camera DVRs, or Raspberry Pi used for shop floor applications. Different home users may also have separate partitions, adding to IT’s administrative burden. Further, when there are hundreds of Windows PCs and only a handful of Linux devices, Linux security may become less of a priority.

IT organizations that are proactive about security shouldn’t accept the risk. JumpCloud’s approach to cross-OS management solves that problem and makes it easy.

Ask yourself… Is it worth leaving any unmanaged device on your network when you’ve heavily invested in security everywhere else? Linux malware is on the rise and many small and most medium-sized enterprises (SMEs) aren’t ready for it.

JumpCloud Secures and Manages Linux Systems

JumpCloud’s Linux security policies are pre-built and based upon industry best practices. Policies may be applied to individual devices or device groups for enrollment at scale. It’s as simple as selecting a policy and checking the appropriate boxes for your settings. JumpCloud’s agent supports current versions of: 

  • Amazon Linux
  • CentOS
  • Debian
  • Fedora
  • Mint
  • RHEL
  • Rocky Linux
  • Ubuntu 

The open directory platform handles policy deployment for you.

Screenshot of JumpCloud's Linux policy deployment configuration options

Linux Benchmark Policies

JumpCloud already provides Check Disk Encryption to assist with implementing LUKS full-disk encryption across Linux distros in addition to several CentOS server hardening profiles. The following details the new policies that are available for Linux secure configurations:

File Ownership and Permissions

Secures Linux system files by setting their permissions and ownership.

Screenshot of Linux file ownership and permissions policy settings in JumpCloud

Network Parameters

Enhances a system’s network security by setting kernel parameters. This policy can disable IP and packet forwarding, prevent routed packets from being accepted, ignore ICMP broadcasts, enable path filtering and TCP SYN cookies, and log information about suspicious packets.

Screenshot of Linux network parameters policy settings in JumpCloud
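
The settings this policy describes can be checked on any host with a short audit script. This is an added example, not JumpCloud's policy code; the mapping of each described behavior to a sysctl key and value is this example's assumption, and the sample input is constructed.

```sh
#!/bin/sh
# Baseline: this example's mapping of the policy description onto sysctl
# keys (an assumption, not JumpCloud's own policy content).
BASELINE="net.ipv4.ip_forward=0 \
net.ipv4.conf.all.accept_source_route=0 \
net.ipv4.icmp_echo_ignore_broadcasts=1 \
net.ipv4.conf.all.rp_filter=1 \
net.ipv4.tcp_syncookies=1 \
net.ipv4.conf.all.log_martians=1"

# audit_sysctl: reads "key = value" lines (the format `sysctl -a` prints)
# on stdin, prints one FAIL line per wrong or missing key, and returns 1
# if anything deviates from the baseline.
audit_sysctl() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }   # blank lines and comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            have[key] = val                    # last assignment wins
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                got = (k in have) ? have[k] : "unset"
                if (got != want[k]) {
                    printf "FAIL %s expected=%s actual=%s\n", k, want[k], got
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: forwarding left on, martian logging never set.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1'
printf '%s\n' "$SAMPLE" | audit_sysctl || echo "host deviates from baseline"
```

On a live host, pipe `sysctl -a 2>/dev/null` into `audit_sysctl` instead of the sample.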

Partition and Mount Options

This checks partition and mount options. Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection against resource exhaustion and enables the use of mounting options that are applicable to the directory’s intended use.

Screenshot of Linux partition and mount options policy settings in JumpCloud
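
The check described above can be reproduced against a mount table. This is an added example, not JumpCloud's policy code; the directories and the options required for each are this example's assumption of a common hardening baseline, and the sample mount table is constructed.

```sh
#!/bin/sh
# Required options per directory: an assumption of this example
# (a common hardening baseline), not JumpCloud's policy settings.
REQUIRED="/tmp:nodev,nosuid,noexec /var/tmp:nodev,nosuid,noexec \
/dev/shm:nodev,nosuid,noexec /home:nodev"

# audit_mounts: reads /proc/mounts-format lines on stdin
# (device mountpoint fstype options dump pass), prints one FAIL line per
# directory that is not its own mount or lacks a required option, and
# returns 1 if any check fails.
audit_mounts() {
    awk -v required="$REQUIRED" '
        BEGIN {
            n = split(required, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], r, ":")
                dir[i] = r[1]; need[r[1]] = r[2]
            }
        }
        NF >= 4 { opts[$2] = "," $4 "," }   # a later mount shadows an earlier one
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                d = dir[i]
                if (!(d in opts)) {
                    printf "FAIL %s not-a-separate-mount\n", d
                    bad = 1
                    continue
                }
                m = split(need[d], o, ",")
                for (j = 1; j <= m; j++)
                    if (index(opts[d], "," o[j] ",") == 0) {
                        printf "FAIL %s missing=%s\n", d, o[j]
                        bad = 1
                    }
            }
            exit bad
        }'
}

# Constructed sample: /var/tmp shares the root filesystem, /dev/shm
# allows execution, /home allows device nodes.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,relatime 0 0'
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "mount baseline not met"
```

On a live host, run `audit_mounts < /proc/mounts`.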

Disable Unused File Systems

To prevent an unauthorized user from introducing data onto or extracting data from a system, you should determine whether each filesystem type is necessary and, if it is not, disable it. Native Linux file systems are designed to ensure that built-in security controls function as expected. Although non-native file systems can be used to solve different kinds of problems, they can also lead to unexpected consequences for both the security and functionality of the system.

SSH Server Configuration

Ensures the SSH server is properly configured. The settings in this policy only apply if the SSH daemon is installed on the system.

Deploy Linux Secure Configurations with JumpCloud

JumpCloud’s open directory provides LDAP services to manage your users and seamlessly syncs with and manages identities that reside in Azure AD and Google Workspace. Linux secure configuration is available at no additional cost, in addition to Windows and Apple mobile device management (MDM) policies to cover your entire fleet. 

JumpCloud extends your ability to securely connect with and manage your resources, regardless of your OS or directory. It can also handle patching those systems, further enhancing your security posture. JumpCloud provides cloud RADIUS and SSO connectivity to manage user identities across domains with integrated multi-factor authentication (MFA). Sign up for free for up to 10 users and devices.

JumpCloud offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud certified, security analyst, a one-time tech journalist, and former IT director.