Linux hardening best practices with Docker, automated patching, ASLR, AppArmor, and continuous security monitoring

vladyslav-panchenko280/linux-core-security

Repository files navigation

Linux Core Security

Production-ready Linux hardening with Docker, automated patching, and continuous monitoring.

Features

  • Kernel hardening (ASLR, exploit protection, memory access control)
  • AppArmor mandatory access control
  • Automated security patching with rollback support
  • File integrity monitoring (AIDE)
  • Comprehensive audit logging
  • Prometheus/Grafana monitoring stack
  • Container vulnerability scanning (Trivy)

Quick Start

# Clone and start
git clone https://github.com/your-org/linux-core-security.git
cd linux-core-security
docker-compose up -d

Structure

configs/          # Security configurations (sysctl, apparmor, auditd, aide)
scripts/          # Automation scripts (patching, scanning, auditing)
systemd/          # Service and timer units
monitoring/       # Prometheus and Grafana configs
docs/             # Documentation

Core Components

| Component | Purpose |
|---|---|
| sysctl.d/99-security.conf | Kernel hardening parameters |
| apparmor.d/ | Mandatory access control profiles |
| auditd/audit.rules | System call auditing |
| auto-patch.sh | Automated security updates |
| security-scan.sh | Vulnerability scanning |

Usage

# Run security scan
sudo ./scripts/security-scan.sh

# Run security audit
sudo ./scripts/security-audit.sh

# Check update compatibility
sudo ./scripts/compatibility-check.sh

# Apply kernel hardening
sudo ./scripts/kernel-hardening.sh

Systemd Timers

| Timer | Schedule | Purpose |
|---|---|---|
| auto-patch.timer | Daily 03:00 | Security updates |
| security-scan.timer | Daily 02:00 | Vulnerability scan |
| integrity-check.timer | Daily 04:00 | File integrity check |

Web Interfaces

| Service | URL | Credentials |
|---|---|---|
| Grafana | http://localhost:3000 | admin / admin123 |
| Prometheus | http://localhost:9090 | - |
| Trivy Server | http://localhost:8080 | - |

Working with Containers

Access the secure Linux container:

docker exec -it secure-linux bash

Run the security audit inside the container:

docker exec -u root secure-linux /opt/security/scripts/security-audit.sh

Verify that the kernel hardening parameters are applied:

docker exec -u root secure-linux /opt/security/scripts/kernel-hardening.sh verify
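The verify step above compares the kernel hardening baseline against what the running kernel actually reports. The following is an added example (not the repository's kernel-hardening.sh) of how such a drift check can be written: it reads a sysctl.d-style file, looks up each key under a /proc root, and reports OK, DRIFT or MISSING. The baseline file and the fake /proc tree in `demo` are constructed sample data, not the project's real 99-security.conf.

```bash
#!/bin/sh
# Added example, not part of linux-core-security.
# check_hardening <sysctl-conf> [proc-root]
#   proc-root defaults to /proc; a different root allows offline testing.
# Returns the number of keys that are missing or differ from the baseline.
check_hardening() {
  conf="$1"; root="${2:-/proc}"; failures=0
  while IFS= read -r line; do
    line="${line%%#*}"                              # drop trailing comments
    [ -z "$(printf '%s' "$line" | tr -d '[:space:]')" ] && continue
    key="$(printf '%s' "${line%%=*}" | tr -d '[:space:]')"
    want="$(printf '%s' "${line#*=}" | tr -d '[:space:]')"
    path="$root/sys/$(printf '%s' "$key" | tr '.' '/')"   # kernel.x -> sys/kernel/x
    if [ ! -r "$path" ]; then
      echo "MISSING $key (no $path)"; failures=$((failures + 1)); continue
    fi
    have="$(tr -d '[:space:]' < "$path")"
    if [ "$have" = "$want" ]; then
      echo "OK      $key=$have"
    else
      echo "DRIFT   $key expected $want, got $have"; failures=$((failures + 1))
    fi
  done < "$conf"
  return "$failures"
}

# demo: constructed /proc tree where ASLR is fully on (2) but kptr_restrict
# is weaker than the baseline and dmesg_restrict is absent. Expect 2 failures.
demo() {
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/proc/sys/kernel"
  echo 2 > "$tmp/proc/sys/kernel/randomize_va_space"
  echo 0 > "$tmp/proc/sys/kernel/kptr_restrict"
  cat > "$tmp/99-security.conf" <<'EOF'
# constructed baseline (placeholder values, not the repo's file)
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
EOF
  check_hardening "$tmp/99-security.conf" "$tmp/proc"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
```

On a real host, run `check_hardening configs/sysctl.d/99-security.conf` (default root /proc) and treat a non-zero exit as drift from the baseline, for example from the integrity-check timer.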

View container logs:

docker-compose logs -f secure-linux

Scanning Images with Trivy

Check Trivy server status:

curl http://localhost:8080/healthz
curl http://localhost:8080/version

Scan a Docker image with the Trivy CLI against the Trivy server:

docker run --rm --network linux-core-security_security-net \
  aquasec/trivy image --server http://trivy:8080 ubuntu:24.04

Scan the secure-linux image:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image linux-core-security-secure-linux:latest

Quick standalone scan:

docker run --rm aquasec/trivy image alpine:latest

Monitoring and Alerts

View Prometheus metrics:

# Check targets status
curl http://localhost:9090/api/v1/targets

# Query specific metric
curl 'http://localhost:9090/api/v1/query?query=up'

Grafana dashboards:

  1. Open http://localhost:3000
  2. Log in with admin/admin123
  3. Import dashboards from monitoring/grafana-dashboards/

Documentation

Requirements

  • Docker 24.x+
  • Docker Compose 2.x+
  • Ubuntu 24.04 LTS or Debian 12 (host OS)

License

MIT
