System-Security

Goal Understand why system hardening matters and master the foundational principles of defense-in-depth security. Learn how attackers exploit unhardened systems and how layered defenses contain breaches. Prerequisites: Weeks 1-10 (especially Week 5 SSH hardening, Week 9 physical security) This is Part 1 of 4 - Subsequent parts cover MAC systems, kernel hardening, and sandboxing. 1. Why System Hardening Matters The Attacker’s Advantage Without hardening: Single vulnerability → Full system compromise Example attack chain: ...

Goal Understand the difference between traditional Linux permissions (DAC) and Mandatory Access Control systems (AppArmor/SELinux). Learn to audit your system’s security posture using Lynis and systematically fix vulnerabilities. Prerequisites: Week 11a (Hardening Foundations) This is Part 2 of 4 - Covers MAC concepts and security auditing. 1. Understanding Mandatory Access Control (MAC) What is MAC vs DAC? DAC (Discretionary Access Control) - Traditional Linux: Owner decides who can access their files Example: You create secret.txt, you decide who can read it Problem: Malware running as your user inherits ALL your permissions Weakness: If Firefox is exploited, attacker gets access to everything you own MAC (Mandatory Access Control) - AppArmor/SELinux: ...

Goal Learn to harden the Linux kernel using sysctl parameters and implement AppArmor profiles to confine applications. These are the core technical controls that limit what attackers can do even after gaining code execution. Prerequisites: Week 11b (MAC Systems & Security Auditing) This is Part 3 of 4 - Covers kernel hardening and AppArmor implementation. 1. Kernel Hardening with sysctl What is Kernel Hardening? The Linux kernel has hundreds of tuneable parameters that affect security. Kernel hardening means configuring these parameters to: ...

Goal Master Firejail for application sandboxing and understand when to use each hardening tool. Complete hands-on labs and establish a continuous hardening practice. Prerequisites: Week 11c (Kernel Hardening & AppArmor) This is Part 4 of 4 - Covers Firejail sandboxing and the decision framework. 1. Firejail for Application Sandboxing What is Firejail? Firejail creates isolated sandboxes for applications using Linux namespaces: Filesystem isolation - Restrict access to specific directories Network isolation - Block or restrict network access Process isolation - Limit system calls (seccomp) Resource limits - Restrict CPU, memory usage Why use Firejail: ...