If you want to make a Linux server strong and safe, you must not just guess. Many people change settings without first measuring the security of the system. That is like playing a game with your eyes closed: you do not know whether you are winning or losing. We need three tools to measure the security of the machine so we can see the real score: OpenSCAP for checking against official rule sets, Lynis for general recommendations, and systemd-analyze security for examining system services. If we do not measure first, we are only pretending to do security, and that is bad. In this guide I will show you how to install and run these tools on Fedora Linux so you can see your real security score.
Step 1 Installing the Security Tools on Fedora
First we must install all the packages we need. I use Fedora 44 because it has many new packages and uses dnf5, which is very fast. We run one long command with sudo to get everything from the repository. It installs Lynis, the OpenSCAP scanner, the SCAP Security Guide content, the audit daemon, fail2ban, and a few other security helpers.
sudo dnf5 install -y lynis aide audit fail2ban openscap-scanner scap-security-guide policycoreutils-python-utils setroubleshoot-server usbguard
Let me explain why we need all of these. The scap-security-guide package is the most important one because it contains the rule content for the different systems and profiles. Without it, the OpenSCAP scanner has nothing to check against. We also install usbguard, which blocks USB devices you have not approved, so a malicious device cannot be used to steal your data. The audit package logs what happens on the system, and fail2ban blocks clients that keep guessing your SSH password. Finally, policycoreutils-python-utils and setroubleshoot-server help us understand SELinux when it denies something.
Step 2 Finding the Right Security Profile
Now that the tools are installed, we need to find out which security profiles we can use. A profile is a list of rules published by an organization that knows about security. To see which profiles Fedora ships, we ask oscap to read the SCAP data stream file.
sudo oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml | head -25
When you run this command, it prints many lines of text to the terminal. On Fedora 44 with the latest scap-security-guide you will see eight different profiles, each for a different purpose. For example, if you run a server, choose cis_server_l1. For a desktop computer, use cis_workstation_l1 or cusp_fedora. If you handle payment card data, you must use pci-dss because it is the official standard for that. The output also shows the full profile Id, which is the value the --profile option needs in the next step. It is important to look at this list so you do not choose the wrong profile for your system.
Step 3 Running the First OpenSCAP Scan
Once you have chosen a profile, run the scan to get the starting score. This is called the baseline scan because it shows how secure the system is before we change anything. We tell the scanner to write a report in HTML so we can read it easily in a web browser, and results in XML so other tools can read them.
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --report /tmp/oscap-baseline.html --results /tmp/oscap-baseline.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
This command takes about one or two minutes to finish because it checks many things on your machine. While it runs, lines scroll past very fast; each one has a rule name and a result of “pass”, “fail”, or “notapplicable”. Do not be alarmed if you see many “fail” results: a fresh Linux installation is not hardened yet.
Step 4 Checking the OpenSCAP Scan Score
When the scan is finished, we want to know the score quickly without opening the large HTML report. We can use grep to pull the score out of the XML file we saved in /tmp.
sudo grep -oE "score>[^<]+" /tmp/oscap-baseline.xml
We also want to count how many rules passed and how many failed. We run another grep for this, matching the whole <result> element so that rule names that happen to contain the words pass or fail (for example password or faillock rules) are not counted as results.
sudo grep -oE "<result>(pass|fail|notapplicable|notselected)</result>" /tmp/oscap-baseline.xml | sed 's/<[^>]*>//g' | sort | uniq -c
On a fresh Fedora 44 cloud image the score is usually around 74.66, with something like 176 passes and 120 fails. That means there is a lot to fix. If you open /tmp/oscap-baseline.html in your web browser, the report is very readable: it is color coded and explains every failure. Best of all, if you click on a failed rule, it shows you the exact Bash script or Ansible task you can use to fix it. This is very good for learning.
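As an added example (not part of the original guide), here is a small POSIX shell script that pulls the score and per-verdict counts out of a results file the way Step 4 does, but matches the whole <result> element, and also computes the before/after score difference that the conclusion recommends. It runs against two constructed sample results files with made-up rule ids, so you do not need oscap to try it; point the functions at /tmp/oscap-baseline.xml to use them on a real scan.

```shell
#!/bin/sh
# Added example: parse XCCDF results like Step 4, anchored on <result>, and
# compute the before/after score difference. Uses constructed sample files.

# Write a constructed results file: $1 = path, $2 = score, rest = one verdict
# per rule. The made-up rule ids contain "password" and "faillock" on purpose,
# because real SSG rule ids do, and that is what trips up an unanchored grep.
mk_sample() {
    out=$1; score=$2; shift 2
    n=0
    {
        echo '<TestResult id="xccdf_org.open-scap_testresult_constructed">'
        for verdict in "$@"; do
            n=$((n + 1))
            echo "  <rule-result idref=\"xccdf_org.ssgproject.content_rule_sample_password_faillock_$n\">"
            echo "    <result>$verdict</result>"
            echo '  </rule-result>'
        done
        echo "  <score system=\"urn:xccdf:scoring:default\" maximum=\"100.000000\">$score</score>"
        echo '</TestResult>'
    } > "$out"
}

# Score text as oscap writes it, e.g. 74.660000.
oscap_score() {
    grep -oE '<score [^>]*>[^<]+' "$1" | sed 's/.*>//'
}

# Count one verdict by matching the whole <result> element.
oscap_count() {
    grep -o "<result>$2</result>" "$1" | wc -l | tr -d ' '
}

# What the unanchored grep from the guide reports for the same verdict.
naive_count() {
    grep -oE '(pass|fail|notapplicable|notselected)' "$1" | grep -c "^$2\$"
}

# Second score minus first; positive means the hardened system scored higher.
score_delta() {
    awk -v a="$(oscap_score "$1")" -v b="$(oscap_score "$2")" \
        'BEGIN { printf "%.2f\n", b - a }'
}

BASELINE=$(mktemp); AFTER=$(mktemp)
mk_sample "$BASELINE" 74.660000 pass fail fail notapplicable
mk_sample "$AFTER"    89.120000 pass pass fail notapplicable
echo "baseline: score $(oscap_score "$BASELINE"), pass=$(oscap_count "$BASELINE" pass), fail=$(oscap_count "$BASELINE" fail)"
echo "unanchored grep counts fail=$(naive_count "$BASELINE" fail) on the same file"
echo "after:    score $(oscap_score "$AFTER"), delta $(score_delta "$BASELINE" "$AFTER")"
```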
Step 5 Running Lynis for General System Audit
OpenSCAP is very good for official rule sets, but we also want a general check. Lynis is another excellent tool that does a quick audit of the whole operating system: boot loader, SSH configuration, storage, users, and more. We run a system audit with Lynis and filter the output so we only see the hardening index, warnings, and suggestions.
sudo lynis audit system | grep -E "Hardening index|Warnings|Suggestions"
When I ran this on my machine, the hardening index was 68, and Lynis gave me 3 warnings and 34 suggestions. The suggestions are very useful because they say things like “you should disable compilers for normal users” or “you must change the permissions of this file”. Lynis also gives a unique test ID for each suggestion, so you can look it up on the Lynis website to find out how to fix it.
Step 6 Checking Services with Systemd Analyze
The last tool is systemd-analyze. It is part of systemd, so nothing extra needs to be installed. It rates how well each system service is sandboxed. Many services run as root with few restrictions, which is dangerous: if an attacker compromises the service, they get control of the whole computer. We run this command to see the exposure level of our services.
systemd-analyze security --no-pager | head -15
This command lists the services with an exposure score from 0 to 10. A score of 0 means the service is well sandboxed; a score of 10 means it has no protection at all. On a default system most services score above 7, which is bad because they run with far more privilege than they need. We can use this score later to tighten our systemd unit files.
In conclusion, hardening a Linux system is not just about turning things off and hoping it is safe. We must measure with these three tools. OpenSCAP gives us the compliance score, Lynis shows general system security, and systemd-analyze shows how well services are sandboxed. Used together, they tell us whether our changes really made the system more secure. Run these tests before you make changes, then run them again afterwards to see whether the scores go up.
