Your expert guide to cybersecurity and digital privacy. Security hardening for all platforms: Windows, macOS, Linux and Android. Solutions aligned with the NIST and ANSSI standards for comprehensive digital protection.


linux secure by default 2026

Published by Marc on 3 April 2026, 05:11 am

Categories: #Linux hardening, #SELinux AppArmor, #Linux security audit

Linux secure by default? No. Comprehensive 2026 guide: 13 checks with commands, SELinux, SSH, firewall, LUKS, Lynis. Objectively compare two Linux OSes.


Linux Security Audit 2026: Comprehensive Guide with Commands

Context: Linux is known to be secure — but a default installation is far from a hardened system. In 2025, 5,530 kernel CVEs were recorded, and 79% of Linux attacks used no malware: they exploited misconfigurations and poorly protected credentials.

Linux Security Audit 2026 — 3D server and shields illustration

This guide covers comprehensively what a user must check:

13 security areas with exact, copy‑paste commands
The expected result for each check
A comparison of secure applications by category
An automated audit tool to get a numeric score
🔴 Critical areas: 5
🟠 Important areas: 6
🟢 Good reflexes: 3
📦 Apps compared: 7

How to use this guide

Each section below corresponds to a security area and lists the associated commands, the expected results, and explanations. Commands can be copied as they are.

Recommended priority order: Start with CRITICAL categories — they cover the most exploited attack vectors. Then IMPORTANT, then GOOD REFLEX. Always finish with the Lynis audit (section III) to get a global score.

I. The 13 essential checks

Each section displays the commands to run and the expected result.

Check updates (CRITICAL)
In 2025, 5,530 kernel CVEs were recorded. A 2-week delay on security patches is a measurable risk.
Available packages
# Debian / Ubuntu / Mint
sudo apt update && apt list --upgradable 2>/dev/null | grep -c upgradable
# Fedora / RHEL / AlmaLinux (exit code 100 = updates available; the line count includes header lines)
sudo dnf check-update | wc -l
# openSUSE Tumbleweed / Leap
sudo zypper refresh && zypper list-updates
# Arch / Manjaro
sudo pacman -Sy && pacman -Qu | wc -l
✔ Expected: 0 pending updates.
Automatic security updates (IMPORTANT)
# Debian/Ubuntu
systemctl is-enabled unattended-upgrades
# RHEL / Fedora
systemctl is-enabled dnf-automatic
# Pending security packages (RHEL/Fedora)
sudo dnf updateinfo list security
# Current kernel version vs available (linux-image-generic is the Ubuntu metapackage; Debian uses linux-image-amd64)
uname -r
apt-cache policy linux-image-generic 2>/dev/null || dnf info kernel 2>/dev/null
✔ Expected: enabled. Without automatic updates, a critical vulnerability stays open for weeks. A new kernel only protects after a reboot: compare uname -r with the installed package version.
Accounts with active shell (CRITICAL)
A rogue UID 0 = a ghost root. An account without a password = an open door.
# Accounts with interactive shell
grep -v '/nologin\|/false' /etc/passwd | cut -d: -f1,3,7
# UID 0 — must be root ONLY
awk -F: '($3 == 0) {print}' /etc/passwd
# Accounts without password (DANGER): only an EMPTY second field means "no password".
# "!", "!!" and "*" mean the account is locked, which is the normal state for system accounts.
sudo awk -F: '($2 == "") {print $1}' /etc/shadow
✔ Only one UID 0 (root). No empty password field in /etc/shadow.
sudo privileges: #1 privilege escalation vector (CRITICAL)
# Active sudo rules (the glob must expand as root, otherwise unreadable drop-in files are silently skipped)
sudo sh -c 'cat /etc/sudoers /etc/sudoers.d/*' 2>/dev/null | grep -v '^#\|^$'
# Who can use sudo?
getent group sudo wheel | cut -d: -f4
# What a given user may actually run
sudo -l -U USERNAME
# NOPASSWD : dangerous rule
sudo grep -r 'NOPASSWD' /etc/sudoers /etc/sudoers.d/ 2>/dev/null
ALL=(ALL) NOPASSWD: ALL = root access without exploit. Must be removed.
Recent logins (GOOD REFLEX)
last -n 20                    # successful logins
sudo lastb -n 20              # failed attempts
sudo faillock --user $(whoami) # pam_faillock lockout
Effective sshd configuration (CRITICAL)
sshd -T shows the actually active config, not just the file: it takes Include into account. Match blocks are only applied when you pass -C with a connection spec, so check those separately.
sudo sshd -T | grep -E \
  'permitrootlogin|passwordauth|pubkeyauth|maxauthtries|x11forward|permitempty'
# Expected results :
# permitrootlogin no
# passwordauthentication no
# pubkeyauthentication yes
# maxauthtries 3
# x11forwarding no
# permitemptypasswords no
CVE-2025-26465 / CVE-2025-26466 (CRITICAL)
CVE-2025-26465: client-side MITM when VerifyHostKeyDNS is enabled. CVE-2025-26466: pre-authentication DoS (client and server). Both fixed in OpenSSH 9.9p2, disclosed on Feb 18, 2025. Distributions backport fixes, so with an older version string check the package changelog rather than the number alone.
ssh -V   # must be ≥ 9.9p2 or distro-patched
# CVE-2025-26465 CLIENT side
grep -r 'VerifyHostKeyDNS' /etc/ssh/ssh_config /etc/ssh/ssh_config.d ~/.ssh/config 2>/dev/null
# Mitigation CVE-2025-26466: rate-limit unauthenticated connections
sudo sshd -T | grep -E 'maxstartups|logingracetime|persourcepenalties'
✔ VerifyHostKeyDNS absent or "no". maxstartups 10:30:60.
SSH key type (IMPORTANT)
# Fingerprint and type of local keys
for f in ~/.ssh/*.pub; do
  echo "$f:"; ssh-keygen -l -f "$f" 2>/dev/null
done
# Order: Ed25519 > ECDSA > RSA 4096 > RSA 2048
# RSA 1024 or DSA = compromised, regenerate
# Generate an Ed25519 key (recommended 2026)
ssh-keygen -t ed25519 -a 100 -C "$(whoami)@$(hostname)-$(date +%Y)"
Firewall active? (CRITICAL)
systemctl is-active firewalld   # openSUSE, RHEL, Fedora
systemctl is-active ufw         # Ubuntu, Debian
systemctl is-active nftables    # modern distros
sudo ufw status verbose
sudo firewall-cmd --state && sudo firewall-cmd --list-all
✔ Expected: active (firewall-cmd --state answers "running"). Only one of these front-ends should manage the rules; two of them fighting over the same tables is a classic source of accidental ACCEPT policies.
Default policy and IPv6 (CRITICAL)
# INPUT policy (must be DROP)
sudo iptables -L -n | grep 'Chain INPUT'
sudo ip6tables -L -n | grep 'Chain INPUT'  # IPv6 often forgotten
# Native nftables hosts: the iptables view can be empty while the real policy lives here
sudo nft list ruleset | grep -E 'hook input|policy'
# Listening ports with process
sudo ss -tlnup
# Ports exposed to the outside
sudo ss -tlnup | grep -v '127.0.0.1\|::1'
✔ Chain INPUT (policy DROP) for both iptables and ip6tables, or an nftables input hook with policy drop in an inet table (an inet table covers both address families).
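The iptables view above can be misleading on a host that uses nftables natively: iptables -L may show an empty ACCEPT chain while the enforced policy lives in an nft table. As an added example that is not part of the original article, the shell below parses the text output of `nft list ruleset` to report the policy of every base input chain, and pairs a weak ruleset (IPv4 only, policy accept) with a hardened one in which a single inet table covers IPv4 and IPv6 at once, so the forgotten-ip6tables gap cannot occur. The rulesets and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit the input-hook policy of an nftables
# ruleset given as text on stdin, and show the hardened ruleset beside a weak one.
# Function names and both rulesets below are constructed for this example.

# Prints "<family> <table> <policy>" for every base chain hooked on input.
# Live host:  sudo nft list ruleset | input_policies
input_policies() {
  awk '
    /^table / { family = $2; table = $3 }
    tolower($0) ~ /^[ \t]*chain input / { in_input = 1 }
    in_input && /policy (accept|drop);/ {
      match($0, /policy (accept|drop)/)
      print family, table, substr($0, RSTART + 7, RLENGTH - 7)
      in_input = 0
    }
    /^[ \t]*}/ { in_input = 0 }
  '
}

# Succeeds only if at least one input chain exists and every one has policy drop.
# Live host:  sudo nft list ruleset | all_input_drop && echo OK
all_input_drop() {
  pol=$(input_policies)
  [ -n "$pol" ] && ! printf '%s\n' "$pol" | grep -qv ' drop$'
}

# Constructed WEAK ruleset: IPv4-only table, default accept, and no ip6/inet
# input chain at all, so IPv6 traffic is not filtered anywhere.
WEAK_RULESET='table ip filter {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport 22 accept
	}
}'

# Constructed HARDENED ruleset (drop into /etc/nftables.conf, check with
# "sudo nft -c -f /etc/nftables.conf", load with "sudo nft -f /etc/nftables.conf").
# The inet family applies to IPv4 and IPv6, so one table closes both.
HARDENED_RULESET='flush ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif lo accept
		ct state established,related accept
		ct state invalid drop
		icmp type { echo-request, destination-unreachable, time-exceeded } accept
		icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, parameter-problem, time-exceeded, destination-unreachable } accept
		tcp dport 22 ct state new limit rate 10/minute accept
	}
	chain forward { type filter hook forward priority filter; policy drop; }
	chain output { type filter hook output priority filter; policy accept; }
}'

echo "weak:";     printf '%s\n' "$WEAK_RULESET"     | input_policies
echo "hardened:"; printf '%s\n' "$HARDENED_RULESET" | input_policies
```

The hardened ruleset keeps ICMPv6 neighbour discovery and router advertisements open: dropping those is the usual way an "IPv6 firewall" silently breaks IPv6 connectivity instead of securing it.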
Active services and dangerous packages (IMPORTANT)
systemctl list-unit-files --type=service --state=enabled
# Clear‑text protocols to remove
dpkg -l telnet rsh-client rsh-server ftp 2>/dev/null | grep '^ii'
rpm -qa telnet rsh rlogin ftp 2>/dev/null
# Compilers (post‑exploit risk)
which gcc g++ cc make 2>/dev/null
✔ Telnet, rsh, rlogin absent or uninstalled.
Suspicious processes and persistence (IMPORTANT)
# Top 15 by CPU (cryptominers often here)
ps aux --sort=-%cpu | head -15
# Processes whose executable was deleted from disk (memory-only payloads); root is needed to read every PID's link
sudo ls -la /proc/*/exe 2>/dev/null | grep deleted
# Crontabs for all users
for u in $(cut -f1 -d: /etc/passwd); do
  cron=$(sudo crontab -u "$u" -l 2>/dev/null)
  [ -n "$cron" ] && echo "=== $u ===" && echo "$cron"
done
# System-wide cron and systemd timers are separate persistence points
ls /etc/cron.d /etc/cron.hourly /etc/cron.daily; systemctl list-timers --all
✔ No "deleted" processes. No unexpected cron entries or timers.
Security sysctl parameters (IMPORTANT)
eBPF is a critical attack surface in 2025-2026. unprivileged_bpf_disabled must be 1 (value 1 cannot be reverted without a reboot; value 2 can).
sudo sysctl \
  kernel.randomize_va_space \
  kernel.kptr_restrict \
  kernel.dmesg_restrict \
  kernel.unprivileged_bpf_disabled \
  net.core.bpf_jit_harden \
  net.ipv4.tcp_syncookies \
  fs.protected_hardlinks \
  fs.protected_symlinks \
  fs.suid_dumpable 2>/dev/null
# Expected: 2 / 2 / 1 / 1 / 2 / 1 / 1 / 1 / 0
# Make them persistent in /etc/sysctl.d/99-hardening.conf and reload with: sudo sysctl --system
Secure Boot and bootloader (GOOD REFLEX)
mokutil --sb-state 2>/dev/null           # Secure Boot active?
[ -d /sys/firmware/efi ] && echo "UEFI" || echo "BIOS legacy"
stat -c '%a %U %G %n' /boot/grub*/grub.cfg 2>/dev/null
# Expected: 600 root root (CIS). Many distributions ship it world-readable; tighten with chmod 600.
sudo bpftool prog list 2>/dev/null | wc -l # loaded eBPF programs
SUID files and capabilities (IMPORTANT)
# Files with SUID bit (privilege escalation)
sudo find / -perm -4000 -type f -ls 2>/dev/null | \
  grep -v '/proc\|/sys'
# Extended capabilities on binaries
getcap -r / 2>/dev/null
# World‑writable directories outside /tmp
sudo find / -type d -perm -0002 -ls 2>/dev/null | \
  grep -v '/proc\|/sys\|/dev\|/run\|/tmp\|/var/tmp'
⚠ Any non‑standard SUID binary (find, vim, bash) = immediate escalation.
/tmp mount options (IMPORTANT)
# /tmp must have noexec,nosuid,nodev (no output from findmnt = /tmp is not a separate mount, which is itself a finding)
findmnt -n -o TARGET,OPTIONS /tmp
mount | grep ' /tmp '
# File system integrity (AIDE, if its database has been initialised)
sudo aide --check 2>/dev/null | head -20
✔ /tmp mounted with noexec,nosuid,nodev.
SELinux: status and mode (CRITICAL)
In permissive mode, SELinux logs but does not block — illusory protection.
sestatus
getenforce
# enforcing  = active protection ✓
# permissive = NO protection
# Recent alerts
sudo ausearch -m avc -ts recent 2>/dev/null | tail -20
sudo journalctl -b | grep 'avc:  denied' | tail -10
✔ Mode enforcing mandatory.
AppArmor: profiles and mode (CRITICAL)
sudo aa-status
sudo aa-status | grep -E 'enforce|complain'
# 0 profile in "complain" for critical services
sudo aa-enforce /etc/apparmor.d/PROFILE   # switch a profile to enforce mode
✔ 0 profile in complain mode for exposed services.
Active logging (IMPORTANT)
systemctl is-active auditd
sudo auditctl -s | grep enabled
# 1 = active  /  2 = immutable (optimal)
systemctl is-active systemd-journald
journalctl --disk-usage
ls -lh /var/log/audit/audit.log 2>/dev/null
✔ auditd active, mode 1 or 2.
Suspicious events (IMPORTANT)
# Failed SSH attempts (the unit is ssh on Debian/Ubuntu, sshd elsewhere)
sudo journalctl -u ssh -u sshd | grep "Failed\|Invalid" | tail -20
# sudo escalations
sudo journalctl | grep "sudo:" | \
  grep -v 'session opened\|session closed' | tail -20
sudo fail2ban-client status sshd 2>/dev/null
Active network connections (IMPORTANT)
sudo ss -tunap | grep ESTABLISHED       # established connections
sudo ss -tlnup                          # active listeners
# Unexpected outgoing connections
sudo ss -tunap | grep ESTABLISHED | \
  grep -v '127.0.0.1\|::1\|192.168\|10\.'
DNS and privacy (IMPORTANT)
cat /etc/resolv.conf                    # DNS resolver
# DNS-over-TLS active?
resolvectl status 2>/dev/null | grep -i 'dns\|tls\|protocol'
ip -6 addr show                         # IPv6 enabled?
sudo ip6tables -L -n 2>/dev/null | head -5  # IPv6 firewall
✔ DNS-over-TLS enabled. ip6tables rules present.
Falco: runtime detection (IMPORTANT)
Falco (CNCF graduated) monitors system calls and detects abnormal behaviour (shells in containers, suspicious mounts, etc.).
# Check if Falco is installed and active
systemctl is-active falco 2>/dev/null || systemctl is-active falco-kmod 2>/dev/null
# Latest alerts
journalctl -u falco --since "1 hour ago" | grep -i "alert\|warning"
# For Kubernetes environments:
kubectl get pods -n falco 2>/dev/null || echo "Falco not deployed in K8s"
✔ Falco active, no recent critical alert. Absent on a desktop = acceptable, on a production server = missing.
Containers: privileges and isolation (IMPORTANT)
Containers must run as non-root and with reduced capabilities.
# Check running containers
docker ps 2>/dev/null || podman ps 2>/dev/null || echo "No container runtime"
# Containers running as root (dangerous): an empty User or "0" means root inside the container
docker ps -q 2>/dev/null | xargs -r docker inspect \
  -f '{{.Name}} user="{{.Config.User}}" privileged={{.HostConfig.Privileged}} caps={{.HostConfig.CapAdd}}'
⚠ No container running as root or privileged. Use --user or Kubernetes securityContext.
LUKS disk encryption (CRITICAL)
Without LUKS, stealing the disk is enough to read all your data, even with a locked session.
# Active LUKS volumes
sudo lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT | grep -i crypt
# Root partition encrypted?
sudo cryptsetup isLuks /dev/sda3 2>/dev/null && \
  echo "LUKS ✓" || echo "Not encrypted"
# Adapt /dev/sda3 (lsblk)
sudo cryptsetup luksDump /dev/YOUR_PARTITION 2>/dev/null | \
  grep -i 'version\|cipher\|hash\|pbkdf\|key'
✔ Type crypto_LUKS, Version 2. Cipher: aes-xts-plain64, PBKDF argon2id.
Encrypted swap and SSH keys (IMPORTANT)
swapon --show
grep swap /etc/crypttab 2>/dev/null
# Private key permissions (must be 600; the .pub files are meant to be 644)
find ~/.ssh -name 'id_*' ! -name '*.pub' -exec stat -c '%a %n' {} + 2>/dev/null
stat -c '%a %n' ~/.ssh                    # the directory itself: 700
# 644 or 777 on a private key = DANGER
✔ SSH private keys mode 600, ~/.ssh mode 700. Swap encrypted or zram.
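Run together, the account, sudo, sshd and sysctl checks above all come down to comparing text against an expected value. As an added example that is not part of the original article (and not taken from any of the tools it names), here are those checks as POSIX shell functions that read the relevant text on standard input: they run offline on the constructed samples embedded below, and the comments give the command that feeds them on a live host. The function names and sample data are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: the page's pass/fail criteria as shell
# functions reading text on stdin. Function names and samples are constructed.

# --- generic "key value" comparison ------------------------------------------
# Reads "key value" lines on stdin, looks up the expected value with the function
# named in $1, prints one line per mismatch. Keys without an expectation are ignored.
report_mismatches() {
  lookup=$1
  while read -r key val; do
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    want=$("$lookup" "$key")
    if [ -n "$want" ] && [ "$val" != "$want" ]; then
      echo "$key=$val (expected $want)"
    fi
  done
}

# Expected values from the "Effective sshd configuration" check.
sshd_expected() {
  case $1 in
    permitrootlogin|passwordauthentication|x11forwarding|permitemptypasswords) echo no ;;
    pubkeyauthentication) echo yes ;;
    maxauthtries) echo 3 ;;
  esac
}

# Expected values from the "Security sysctl parameters" check.
sysctl_expected() {
  case $1 in
    kernel.randomize_va_space|kernel.kptr_restrict|net.core.bpf_jit_harden) echo 2 ;;
    kernel.dmesg_restrict|kernel.unprivileged_bpf_disabled|net.ipv4.tcp_syncookies) echo 1 ;;
    fs.protected_hardlinks|fs.protected_symlinks) echo 1 ;;
    fs.suid_dumpable) echo 0 ;;
  esac
}

# Live host:  sudo sshd -T | sshd_violations
sshd_violations() { report_mismatches sshd_expected; }
# Live host:  sudo sysctl -a 2>/dev/null | sysctl_violations   ("key = value" becomes "key value")
sysctl_violations() { sed 's/ = / /' | report_mismatches sysctl_expected; }

# --- account checks ----------------------------------------------------------
# Live host:  count_uid0 < /etc/passwd                          (expected: 1)
count_uid0() { awk -F: '$3 == 0' | wc -l | tr -d ' '; }
# Live host:  sudo cat /etc/shadow | passwordless_accounts      (expected: nothing)
# Only an empty hash field is passwordless; "!", "!!" and "*" are locked accounts.
passwordless_accounts() { awk -F: '$2 == "" {print $1}'; }
# Live host:  sudo sh -c 'cat /etc/sudoers /etc/sudoers.d/*' | nopasswd_all_rules
# Flags uncommented rules granting NOPASSWD on ALL commands.
nopasswd_all_rules() { grep -E '^[^#]*NOPASSWD:[[:space:]]*ALL'; }

# --- constructed samples (not captured from a real host) ---------------------
SAMPLE_SSHD='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6
x11forwarding no
permitemptypasswords no'
SAMPLE_SYSCTL='kernel.randomize_va_space = 2
kernel.unprivileged_bpf_disabled = 0
fs.suid_dumpable = 0'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash'
SAMPLE_SHADOW='root:$6$salt$hash:19800:0:99999:7:::
guest::19800:0:99999:7:::
sync:*:19800::::::
bob:!!:19800:0:99999:7:::'
SAMPLE_SUDOERS='# comment NOPASSWD: ALL
root ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx'

echo "sshd:";    printf '%s\n' "$SAMPLE_SSHD"    | sshd_violations
echo "sysctl:";  printf '%s\n' "$SAMPLE_SYSCTL"  | sysctl_violations
echo "uid0:";    printf '%s\n' "$SAMPLE_PASSWD"  | count_uid0
echo "nopass:";  printf '%s\n' "$SAMPLE_SHADOW"  | passwordless_accounts
echo "sudoers:"; printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_all_rules
```

On the samples, the sshd check reports three violations (root login, password authentication, MaxAuthTries 6), the sysctl check one (unprivileged BPF still allowed), the passwd sample two UID 0 accounts, the shadow sample only guest (bob's "!!" is a locked account, not an open one), and the sudoers sample only the deploy rule: the ops rule is NOPASSWD but scoped to one command, which is the form to review rather than remove outright.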

II. Secure application comparison

Recommended applications by category, compared according to current security and privacy criteria in 2026.

Browsers: telemetry
Browser | Telemetry | Verdict
LibreWolf | None | ✓ Recommended
Hardened Firefox | Can be disabled | ✓ Good
Ungoogled Chromium | None | ✓ Acceptable
Brave | Partial | ~ Mitigated
Chrome / Edge | Maximal | ✗ Discouraged

Password managers: storage
Application | Storage | Verdict
KeePassXC | Local, encrypted | ✓ Recommended
Bitwarden | Self-hostable | ✓ Very good
1Password | Proprietary cloud | ~ Acceptable
LastPass | Cloud (breached 2022) | ✗ Avoid
Browser built-in | Cloud sync | ✗ Insufficient

Messaging: encryption
Application | Encryption | Verdict
Signal | E2E (Signal protocol) | ✓ Recommended
Element / Matrix | E2E optional | ✓ Good
Telegram | E2E optional only | ~ Insufficient
WhatsApp | E2E (but Meta) | ✗ Discouraged
Discord | No E2E | ✗ Avoid

VPN — protocols & reliability

Solution | Protocol | Verdict
WireGuard | WireGuard | ✓ Self-hosted
Mullvad | WireGuard | ✓ Verified no-log
ProtonVPN | WireGuard | ✓ Good
NordVPN / ExpressVPN | WireGuard | ~ Mitigated
Browser VPN | Simple proxy | ✗ Marketing
Security tools: type and usage
Tool | Type | Usage | 2026 verdict
Lynis | Full audit | Hardening score, recommendations | ✓ Must-have reference
CrowdSec | Collaborative banning | Modern Fail2ban replacement, behavioural analysis, 60x faster | ✓ 2026 standard
rkhunter | Rootkit scanner | On-demand audit, daily cron | ✓ Essential
chkrootkit | Rootkit scanner | Complement to rkhunter | ✓ Good complement
ClamAV | Antivirus | File scanning, mail server | ✓ Useful (mail server)
Fail2ban | IP banning | Brute-force SSH, services | ~ Obsolete (prefer CrowdSec)
Wazuh | SIEM / IDS | Continuous monitoring, correlation | ~ Advanced / enterprise
Falco | Runtime security | Behavioural detection (containers, kernel), CNCF graduated project | ✓ Container standard
OpenSCAP | Compliance | CIS Benchmark / DISA STIG audit | ✓ Regulatory compliance

III. Lynis score — the automated audit reference

Lynis is the reference tool to obtain a numeric hardening score. It covers in 5 to 10 minutes all the areas of this article and provides prioritised recommendations.

Principle: The Lynis score (Hardening Index) ranges from 0 to 100. It is the fastest way to objectively compare two Linux installations: an OS with a score of 85 is measurably more secure than an OS at 45.
# ── 1. Install Lynis ──────────────────────────────────────
sudo apt install lynis -y    # Debian / Ubuntu / Mint
sudo dnf install lynis -y    # Fedora / RHEL / AlmaLinux
sudo zypper install lynis    # openSUSE
sudo pacman -S lynis         # Arch / Manjaro

# ── 2. Run the full audit (5-10 min, as root) ──────────
sudo lynis audit system

# ── 3. Read the hardening index (from the log; no need to rerun the audit) ──
sudo grep -i 'hardening index' /var/log/lynis.log
sudo grep '^hardening_index=' /var/log/lynis-report.dat

# ── 4. See priority warnings, then suggestions ──────────
sudo grep '^warning\[\]=' /var/log/lynis-report.dat
sudo grep '^suggestion\[\]=' /var/log/lynis-report.dat | head -20

# ── 5. Schedule a weekly audit (--cronjob = non-interactive, no colours) ─
echo "0 3 * * 0 root /usr/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1" \
  | sudo tee /etc/cron.d/lynis-weekly

Interpreting the score and practical limitations

≥ 80: Hardened (excellent)
65–79: Correct
50–64: Needs improvement
30–49: Vulnerable
< 30: Exposed
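To turn the score into the before/after or OS-vs-OS comparison this section describes, the machine-readable /var/log/lynis-report.dat that Lynis writes (key=value lines, with one warning[]= and one suggestion[]= entry per finding) is easier to diff than the screen output. The following is an added example, not code from the article or from the Lynis project: it extracts the Hardening Index, maps it to the bands listed above, and diffs the warnings between two reports. The two reports are constructed for the example and their entries are made up; only the key=value layout is Lynis'.

```shell
#!/bin/sh
# Added example, not from the article or from Lynis: compare two lynis-report.dat
# files by hardening index and by warnings fixed / introduced.
# Function names and both sample reports are constructed for this example.

# Live host:  lynis_index < /var/log/lynis-report.dat
lynis_index() { awk -F= '$1 == "hardening_index" {print $2}'; }

# Maps an index to the bands used in the section above.
lynis_band() {
  if   [ "$1" -ge 80 ]; then echo "Hardened"
  elif [ "$1" -ge 65 ]; then echo "Correct"
  elif [ "$1" -ge 50 ]; then echo "Needs improvement"
  elif [ "$1" -ge 30 ]; then echo "Vulnerable"
  else echo "Exposed"; fi
}

# Prints "TEST-ID|message" for every warning[] entry (fields are | separated).
# Live host:  sudo sh -c 'lynis_warnings < /var/log/lynis-report.dat'
lynis_warnings() {
  awk '/^warning\[]=/ { sub(/^warning\[]=/, ""); split($0, f, "|"); print f[1] "|" f[2] }'
}

# Usage: lynis_compare before.dat after.dat
# (copy /var/log/lynis-report.dat aside after each run, or from each machine)
lynis_compare() {
  b=$(lynis_index < "$1"); a=$(lynis_index < "$2")
  echo "index: $b ($(lynis_band "$b")) -> $a ($(lynis_band "$a")), delta $((a - b))"
  tb=$(mktemp); ta=$(mktemp)
  lynis_warnings < "$1" | sort > "$tb"
  lynis_warnings < "$2" | sort > "$ta"
  comm -23 "$tb" "$ta" | sed 's/^/fixed: /'   # present before, gone after
  comm -13 "$tb" "$ta" | sed 's/^/new:   /'   # absent before, present after
  rm -f "$tb" "$ta"
}

# Constructed sample reports (layout as Lynis writes it; findings are made up).
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
lynis_version=3.1.1
os=Linux
hardening_index=57
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active||
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile||
EOF
cat > "$AFTER" <<'EOF'
lynis_version=3.1.1
os=Linux
hardening_index=81
warning[]=PKGS-7392|Found one or more vulnerable packages||
suggestion[]=FILE-6310|Place /tmp on a separate partition||
EOF

lynis_compare "$BEFORE" "$AFTER"
```

The output reads "index: 57 (Needs improvement) -> 81 (Hardened), delta 24", followed by the two warnings that disappeared and the one that appeared: the new package warning is the kind of regression a weekly cron run is there to catch.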
2026 warning: limits of maximal hardening
Reaching a score > 90 is theoretically possible, but exposes you to documented functional risks.

Parameter | Risk | Recommendation
kernel.modules_disabled=1 | Disables loading of kernel modules: USB devices and some external drives become inoperable | Avoid on workstations
PAM changes (pam_faillock, pam_tally2) | A wrong configuration locks out sudo and the admin account | Keep a root shell open while testing, use libpam-pwquality for password policy, and test before rebooting
Practical recommendation: Aim for a score ≥ 80 for a server, ≥ 85 for a workstation without loss of functionality. Above 90, test your system thoroughly before production.
Source: user feedback, February 2026
Going further: The CIS Benchmark audit via OpenSCAP provides a detailed HTML report with each control marked PASS/FAIL. It is the reference used for regulatory audits (PCI-DSS, HIPAA, SOC2).
# CIS Benchmark audit via OpenSCAP
sudo apt install openscap-scanner scap-security-guide -y

# Pick the datastream matching your distribution (the Ubuntu 24.04 one is used below)
ls /usr/share/xml/scap/ssg/content/

# Run CIS level 1 audit (Ubuntu 24.04)
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results /tmp/cis-results.xml \
  --report /tmp/cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

# Open the HTML report
xdg-open /tmp/cis-report.html

IV. 2026 standards: automation, runtime and collective intelligence

Security practices have evolved in 2026. Here are the three pillars that complement classic auditing.

1. CrowdSec: the modern successor to Fail2ban

CrowdSec has become the reference solution for protecting against brute‑force and malicious scans. Written in Go, it is up to 60 times faster than Fail2ban and incorporates collaborative intelligence: when an attacker is detected on one server in the CrowdSec network, the IP is automatically blocked on all other servers in real time.

Criterion | CrowdSec (2026) | Fail2ban (legacy)
Performance | Go, up to 60× faster | Python, single-threaded
Collaboration | Global threat intelligence network | None
IPv6 | Native | Partial support
Integrated WAF | Yes (HTTP bouncers) | No
Machine learning | Behavioural analysis | Static rules
Quick install (Debian/Ubuntu). Download the repository script first and read it rather than piping it straight into a root shell:
curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh -o crowdsec-repo.sh
less crowdsec-repo.sh          # inspect before running it as root
sudo bash crowdsec-repo.sh
sudo apt install crowdsec
Source: CrowdSec vs Fail2ban benchmark, January 2026

2. Falco – runtime security (CNCF graduated)

In 2026, Falco is the reference runtime security project in the cloud‑native ecosystem. It interfaces directly with the Linux kernel to detect anomalous behaviour in real time: unauthorised process execution, suspicious volume mounts, unexpected network connections, etc.

Figures cited by the project: 200M+ downloads, used by 60% of the Fortune 500, CNCF graduated.
Example Falco rule (detecting a shell inside a container). priority is a mandatory field in a Falco rule; shell_binaries is a list defined in the default ruleset:
- rule: Shell in container
  desc: A shell was launched inside a production container
  condition: container and proc.name in (shell_binaries)
  output: "Shell launched in container (user=%user.name %container.info)"
  priority: WARNING

3. Automating hardening with Ansible (devsec.hardening)

The devsec.hardening collection (formerly ansible-hardening) has become the community reference for applying hardening compliant with CIS and STIG benchmarks. It is actively maintained and supports recent versions.

Role | Function | Status
os_hardening | sysctl, file permissions, removal of dangerous packages | Active
ssh_hardening | Ed25519 keys, password disabling, root restriction | Active
nginx_hardening | Secure default configuration | Active
mysql_hardening | Permissions, passwords, TLS | Active
# Installation and usage
ansible-galaxy collection install devsec.hardening

# playbook.yml
- hosts: all
  become: true
  collections:
    - devsec.hardening
  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening

4. CIS Benchmarks: the compliance standard

CIS Benchmarks have become the essential reference to objectively measure an OS’s security in 2026. More than 171 open source projects on GitHub allow you to audit these benchmarks automatically.

Tool | Type | Recommended use
OpenSCAP | HTML/XCCDF audit | Regulatory compliance (PCI-DSS, HIPAA)
Prowler | Multi-cloud environment | AWS/Azure/GCP + Linux audit
Ansible CIS roles | Automation | Continuous application and verification

Conclusion

The 5 most impactful actions: updates, sudo policy, SSH with Ed25519 keys, DROP firewall, SELinux enforcing.
Comparison is objective: a Lynis score ≥ 80 and a CIS audit PASS on critical points concretely define a hardened OS.
2026 standards: replace Fail2ban with CrowdSec, use Falco for containerised environments, and automate your hardening with Ansible devsec.hardening.
Security is a continuous state: schedule rkhunter daily, Lynis weekly, and CrowdSec in real time to avoid regression.

"Linux provides excellent security primitives — and then hands you the controls. What you do with them is entirely up to you."

— SafeITExperts

Find our technical analyses on safeitexperts.com.

About the author

Marc is the lead editor of SafeITExperts, a bilingual (FR/EN) technical blog dedicated to cybersecurity, Linux and digital sovereignty.

Website: safeitexperts.com
X (Twitter): @crisisdav
Facebook: SafeITExperts
Bluesky: @crisis23.bsky.social
Email: safeitexperts@safeitexperts.com

Share your experience

Your Lynis score before/after applying these checks? Share it in the comments or on social media with #SafeITExperts.

Article updated on March 31, 2026 by Marc — SafeITExperts.
© SafeITExperts — Reproduction allowed with source credit.
