
Comprehensive Linux Hardening Guide: Kernel, Sysctl, Boot Parameters, and Security Best Practices

This guide provides a detailed, step‑by‑step hardening strategy for Linux systems, covering distro selection, kernel choices, extensive sysctl tweaks, boot‑loader parameters, MAC policies, sandboxing, memory allocator hardening, compile‑time mitigations, root account protection, firewall rules, swap configuration, PAM policies, microcode updates, IPv6 privacy, partition mounting options, entropy sources, and physical security measures.

Architecture Digest

This document explains how to choose a secure Linux distribution (preferring Gentoo or Void with Musl and LibreSSL) and the appropriate kernel (stable vs. LTS) for a hardened system.

It lists numerous sysctl settings to reduce the kernel attack surface, such as `kernel.kptr_restrict=2`, `net.ipv4.tcp_syncookies=1`, and `fs.protected_symlinks=1`, and shows how to apply them permanently.
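Applying the settings is only half the job; drift back to permissive values is what a defender needs to catch. The following audit script is an added example, not code from the guide: it checks the three keys named above against the recommended values and reports OK, DRIFT or MISSING per key. The snapshot-file mode, function names and sample data are constructed for offline use; on a live host the same function reads `sysctl -n`.

```shell
#!/bin/sh
# Added example (not part of the guide): audit a host's sysctl state against
# the hardening values the guide recommends and report drift per key.
# The three key=value pairs come from the summary; the snapshot format,
# function names and sample data are constructed for this example.

DESIRED="kernel.kptr_restrict=2
net.ipv4.tcp_syncookies=1
fs.protected_symlinks=1"

# Look up one key: from a 'sysctl -a' style snapshot file ("key = value")
# when one is given, otherwise from the live kernel via sysctl -n.
current_value() {
    key="$1"; snapshot="$2"
    if [ -n "$snapshot" ]; then
        awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }' "$snapshot"
    else
        sysctl -n "$key" 2>/dev/null
    fi
}

# Print OK/DRIFT/MISSING for each desired key, then a noncompliant=N summary.
audit_sysctl() {
    snapshot="$1"; bad=0
    for entry in $DESIRED; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(current_value "$key" "$snapshot")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT   $key=$have (want $want)"; bad=$((bad + 1))
        else
            echo "OK      $key=$have"
        fi
    done
    echo "noncompliant=$bad"
}

# Constructed snapshot standing in for 'sysctl -a' output on an unhardened
# host: kptr_restrict is too permissive and protected_symlinks is absent.
SAMPLE_SNAPSHOT=$(mktemp)
cat > "$SAMPLE_SNAPSHOT" <<'EOF'
kernel.kptr_restrict = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
EOF

audit_sysctl "$SAMPLE_SNAPSHOT"
```

Run with no snapshot argument (`audit_sysctl`) to audit the running kernel instead of the sample file.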

Boot‑loader arguments are recommended (e.g., `pti=on`, `lockdown=confidentiality`, `quiet loglevel=0`) to enforce kernel self‑protection and limit information leakage.

Mandatory Access Control (SELinux or AppArmor) is enabled via kernel parameters (`apparmor=1 security=apparmor` or `selinux=1 security=selinux`), and example policies are provided.

Application sandboxing techniques using Bubblewrap, systemd service hardening, or gVisor are described, with a sample systemd service block that restricts capabilities, filesystem access, and system calls.

Memory safety is improved by using hardened_malloc (`LD_PRELOAD="/usr/lib/libhardened_malloc.so" myprogram`) and modern compiler flags (e.g., `-flto -fvisibility=hidden -fsanitize=cfi`).

Root account hardening steps include locking the account, restricting /etc/securetty , limiting su to the wheel group, and disabling remote SSH login for root.

A minimal iptables firewall configuration that drops all inbound traffic by default is provided.

Additional hardening topics such as swap swappiness, PAM password policies, microcode updates, IPv6 privacy extensions, secure partition mounting options, entropy collection, BIOS/UEFI passwords, verified boot, USB device control, DMA protection, and physical security recommendations are also covered.

Written by Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
