Q: What are the security hardening steps for production embedded Linux devices?
Answer
Hardening steps:
(1) Disable unused services (systemctl disable on every unit the device does not need, or better, leave the package out of the image).
(2) Confine applications with AppArmor or SELinux so a compromised daemon cannot read or write outside its own files.
(3) Remove the setuid/setgid bit from binaries that do not need it and audit the ones that remain.
(4) Enable ASLR: keep kernel.randomize_va_space=2 (the kernel default; do not lower it via sysctl) and build userspace with -fPIE -pie so executables are actually relocated. CONFIG_RANDOMIZE_BASE=y adds KASLR for the kernel image itself.
(5) Remove compilers, debuggers and other development tools from the production image.
(6) Enforce strong passwords with shadow and PAM (pam_pwquality with minlen=12 plus complexity rules).
(7) Disable SSH password authentication (PasswordAuthentication no) and use keys only; also disable root password login over SSH.
(8) Enable auditd for security event logging.
(9) Use dm-verity to verify a read-only rootfs block by block against a root hash anchored in the boot chain, or IMA/EVM to measure and appraise individual files on writable volumes.
(10) If a TPM is available, seal the disk-encryption key to PCR values so it is released only when the expected firmware, bootloader and kernel have booted.
(11) Set up a firewall with nftables (or iptables): default-drop inbound, allowing only the ports the device actually needs.
(12) Mount the rootfs read-only with writable state on a separate /var (or an overlay) so the verified image cannot drift.
(13) Implement secure boot: the SoC boot ROM verifies U-Boot, and U-Boot verified boot checks RSA-signed FIT images (kernel, DTB, initramfs) before running them.
(14) Audit the image with Lynis and, since Lynis checks configuration rather than known-vulnerable package versions, track CVEs for the installed software separately.
Filed under: FAQ