Reduces attack surface across OS, container, cloud, network, and database layers using CIS Benchmarks and zero-trust principles...
Proactive reduction of attack surface across infrastructure layers through systematic configuration hardening, least-privilege enforcement, and automated security controls. Applies industry-standard CIS Benchmarks and zero-trust principles to operating systems, containers, cloud configurations, networks, and databases.
Invoke this skill when:
Security hardening applies across five infrastructure layers:
Start with all access denied, explicitly permit only required operations. Apply default-deny firewall rules and network policies, then allow specific traffic.
Grant minimum permissions required for operation. Use RBAC, IAM policies with specific resources, and database roles with limited permissions (no DELETE or DDL unless required).
Implement multiple overlapping security controls: network firewalls, authentication, authorization, audit logging, and encryption working together.
Remove unnecessary components, services, and permissions. Use minimal container base images, disable unused services, and drop all Linux capabilities unless required.
On error or misconfiguration, default to secure state. Authentication failures deny access, missing configurations use restrictive defaults, and monitoring failures trigger immediate alerts.
Prioritize hardening efforts based on exposure and data sensitivity:
Apply immediately:
Tools: Trivy, Falco, ModSecurity, Cloudflare
Apply before production:
Tools: Checkov, Prowler, Lynis, OpenSCAP
Apply systematically:
Tools: Ansible, Puppet, kube-bench, docker-bench-security
CIS (Center for Internet Security) Benchmarks provide industry-standard hardening guidance.
Docker CIS Benchmark:
docker run --rm -it \
--net host \
--pid host \
--cap-add audit_control \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /etc:/etc:ro \
docker/docker-bench-security
Kubernetes CIS Benchmark:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench
Linux CIS Benchmark:
# Using Lynis
lynis audit system --quick
# Using OpenSCAP
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
| CIS Control | Hardening Action | Layer |
|---|---|---|
| 4.1 Secure Configuration | Apply hardening baselines | All layers |
| 5.1 Account Management | Enforce least privilege, MFA | OS, Cloud |
| 6.1 Access Control | RBAC, network policies | All layers |
| 8.1 Audit Log Management | Enable comprehensive logging | All layers |
| 13.1 Network Monitoring | Deploy IDS/IPS, flow logs | Network |
| 3.1 Data Protection | Enable encryption at rest/transit | Cloud, Database |
For detailed CIS control mapping, see references/cis-benchmark-mapping.md.
Choose base images based on security requirements and compatibility needs:
| Use Case | Recommended Base | Size | CVEs | Trade-off |
|---|---|---|---|---|
| Production apps | Chainguard Images | ~10MB | 0 | Minimal, zero CVEs |
| Minimal Linux | Alpine | ~5MB | Few | Small, auditable |
| Compatibility | Distroless | ~20MB | Few | No shell, harder debug |
| Debugging | Debian slim | ~80MB | More | Has debugging tools |
| Legacy apps | Ubuntu | ~100MB | Many | Full compatibility |
Production recommendation: Chainguard Images or Distroless for production, Alpine for development.
Hardening must be verified continuously, not just at implementation.
Container vulnerability scanning:
# Trivy: Comprehensive vulnerability and misconfiguration scanner
trivy image --severity HIGH,CRITICAL myapp:latest
# Grype: Fast vulnerability scanner
grype myapp:latest
Infrastructure as Code scanning:
# Checkov: Multi-cloud IaC scanner
checkov -d terraform/ --framework terraform
# Terrascan: Policy-as-code scanner
terrascan scan -t terraform -d terraform/
Kubernetes security scanning:
# Kubesec: Security risk analysis
kubesec scan k8s/deployment.yaml
# Polaris: Configuration validation
polaris audit --format=pretty
# Trivy K8s scanning
trivy k8s --report summary cluster
Cloud security posture:
# Prowler: AWS security assessment
prowler aws --services s3 iam ec2
# ScoutSuite: Multi-cloud security audit
scout aws --services s3 iam ec2
Integrate security scanning into CI/CD:
# GitHub Actions example
name: Security Hardening Verification
on:
push:
branches: [main]
schedule:
- cron: '0 0 * * *' # Daily scan
jobs:
container-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:test .
- name: Scan with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: 'myapp:test'
severity: 'CRITICAL,HIGH'
exit-code: '1' # Fail on findings
iac-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan IaC with Checkov
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
framework: terraform
soft_fail: false
Generate compliance reports from scan results:
# Generate CIS compliance report
kube-bench run --json > cis-report.json
# Generate vulnerability report
trivy image --format json --output vuln-report.json myapp:latest
# Aggregate reports for compliance dashboard
python scripts/generate-compliance-report.py \
--cis cis-report.json \
--vulns vuln-report.json \
--output compliance-dashboard.html
# Edit /etc/ssh/sshd_config.d/hardening.conf
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
# Restart SSH
systemctl restart sshd
# Use minimal base
FROM cgr.dev/chainguard/python:latest
# Non-root user
USER nonroot
# Read-only filesystem
COPY --chown=nonroot:nonroot app /app
WORKDIR /app
# Drop all capabilities
ENTRYPOINT ["python", "-m", "app"]
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resource "aws_s3_bucket_public_access_block" "secure" {
bucket = aws_s3_bucket.data.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
bucket = aws_s3_bucket.data.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
# Kubernetes NetworkPolicy: deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
-- PostgreSQL hardening
REVOKE ALL ON DATABASE app FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
CREATE ROLE app_user WITH LOGIN;
GRANT CONNECT ON DATABASE app TO app_user;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_user;
-- Force SSL connections
ALTER SYSTEM SET ssl = on;
-- In pg_hba.conf: hostssl all all 0.0.0.0/0 scram-sha-256
For layer-specific hardening guidance:
references/linux-hardening.mdreferences/container-hardening.mdreferences/cloud-hardening.mdreferences/network-hardening.mdreferences/database-hardening.mdFor automation scripts:
scripts/harden-linux.pyscripts/harden-container-host.shscripts/generate-compliance-report.pyscripts/scan-infrastructure.shFor working examples:
examples/linux/examples/kubernetes/examples/terraform/❌ Hardening only at deployment
❌ Applying all controls blindly
❌ No verification
❌ Security through obscurity
❌ Hardening without testing
❌ Manual hardening at scale
For step-by-step implementation, start with references/linux-hardening.md or references/container-hardening.md based on infrastructure type.
