
Host & Network Hardening.

Linux operator hardening, TCP/IP operational notes for detection engineers, AD defense from the defender's perspective, and data-center host hardening where physical access intersects vendor patches.

Linux operator hygiene

  • Account discipline.
    • No shared interactive accounts; one human → one account → one SSH key.
    • Service accounts: no password, no shell, only sshd ForceCommand or systemd-managed.
    • sudo over su; per-command grants in /etc/sudoers.d/, not blanket ALL.
    • SSH key rotation: enrollment via central CA (SSH certificates with TTL) instead of authorized_keys files.
    • Disable root SSH login (PermitRootLogin no), disable password auth (PasswordAuthentication no).
  • Package supply chain.
    • Signed package enforcement: gpgcheck=1 + repo_gpgcheck=1 on yum/dnf; apt-secure defaults intact.
    • No untrusted repositories; mirror trusted upstream into internal repo with signed metadata.
    • For containers: image-signing (cosign/Notation) + admission policy that rejects unsigned.
    • SBOM generation on every build (syft, trivy); diff against last build at gate.
  • Kernel surface tightening.
    • sysctl kernel.kptr_restrict=2, kernel.dmesg_restrict=1, kernel.yama.ptrace_scope=2.
    • Module loading: kernel.modules_disabled=1 after boot if dynamic loading not needed.
    • AppArmor/SELinux in enforcing mode for daemons.
    • auditd rules for module-load, executable-mmap-from-tmp, sensitive file access.
    • IMA / dm-verity for boot-time integrity on appliance-style hosts.
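The account-discipline and kernel-surface items above are all checkable from two text sources: the effective sshd_config and a `sysctl -a` dump. The following is an added example (not code from the page or its author) that audits both against that baseline. It assumes the OpenSSH defaults for absent keywords (PermitRootLogin prohibit-password, PasswordAuthentication yes); the sample configs are constructed.

```python
"""Audit an sshd_config and a sysctl dump against the operator-hygiene baseline.

Added example; not code from the page's author. The sample configs below are
constructed, not captured from a real host."""

# Values the baseline calls for (keys lowercased: sshd keywords are case-insensitive).
BASELINE_SSHD = {"permitrootlogin": "no", "passwordauthentication": "no"}
# What sshd assumes when the keyword is absent (OpenSSH >= 7.0 defaults; assumption).
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
BASELINE_SYSCTL = {
    "kernel.kptr_restrict": "2",
    "kernel.dmesg_restrict": "1",
    "kernel.yama.ptrace_scope": "2",
    "kernel.modules_disabled": "1",
}


def parse_sshd_config(text):
    """Return the effective global value of each keyword.

    Two sshd_config rules matter for an audit: the FIRST occurrence of a
    keyword wins, and directives after a `Match` line apply only to the
    matched sessions, so they must not be read as the global setting.
    Only whole-line comments exist in sshd_config (no trailing `#`).
    """
    values = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        values.setdefault(key, val)  # first occurrence wins
    return values


def parse_sysctl(text):
    """Parse `sysctl -a`-style `key = value` lines into a dict."""
    values = {}
    for raw in text.splitlines():
        key, sep, val = raw.partition("=")
        if sep:
            values[key.strip()] = val.strip()
    return values


def audit(sshd_text, sysctl_text):
    """Return a list of deviations from the baseline (empty list = clean)."""
    findings = []
    sshd = parse_sshd_config(sshd_text)
    for key, want in BASELINE_SSHD.items():
        have = sshd.get(key, SSHD_DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"sshd {key}={have} (want {want})")
    sysctl = parse_sysctl(sysctl_text)
    for key, want in BASELINE_SYSCTL.items():
        have = sysctl.get(key, "<unset>")
        if have != want:
            findings.append(f"sysctl {key}={have} (want {want})")
    return findings


# Constructed sample: looks hardened at a glance, but the PasswordAuthentication
# line is commented out and the other one lives under a Match block.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""
WEAK_SYSCTL = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 0
kernel.yama.ptrace_scope = 1
"""
# Constructed sample that meets the baseline; the trailing PermitRootLogin yes
# is ignored because sshd keeps the first occurrence.
HARDENED_SSHD = """\
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
"""
HARDENED_SYSCTL = """\
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 2
kernel.modules_disabled = 1
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_SSHD, WEAK_SYSCTL))
    print("hardened:", audit(HARDENED_SSHD, HARDENED_SYSCTL) or "OK")
```

The two sshd parsing rules (first occurrence wins, Match blocks are conditional) are the usual reason a grep-based check passes a host that `sshd -T` would show as still accepting passwords; on a live host, feed `sshd -T` output to the same function for the resolved view.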

TCP/IP notes for detection engineers

  • Scanner handshake telltales.
    • nmap SYN scan: a closed port answers the SYN with RST; an open port answers SYN-ACK, and the scanner tears it down with its own RST instead of completing the handshake, so on open ports the RST comes from the scanner, never from the target.
    • masscan: extremely high source-port rotation, no kernel state, SYN-only.
    • zmap: similar, distinctive IP-ID = 54321 by default.
  • Fragmentation evasion. IDS that doesn't reassemble misses fragmented signatures. Modern Suricata/Zeek reassemble. Watch for tiny first fragment with header-truncating offsets.
  • State-table sizing. Conntrack limits (net.netfilter.nf_conntrack_max) — exhaustion drops new connections. Hash size nf_conntrack_buckets = max/4. Tune for actual peak concurrent flows.
  • Timeout choices.
    • TCP established: 5 days default; reduce to 1 day if memory pressured.
    • UDP: 30 sec default; per-flow long-running UDP needs increase.
  • JA3/JA4 fingerprinting. Hash of TLS ClientHello fields. Same client software = same fingerprint regardless of source IP. Powerful detection axis for credential-stuffing traffic.
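As an added example (not the page's own code), the JA3 computation from already-extracted ClientHello fields, followed by the cross-source-IP grouping that makes it a detection axis. It assumes a sensor such as Zeek or Suricata has already parsed the ClientHello into its field lists (no packet parsing here); the hellos and addresses are constructed. The GREASE handling is the part that matters in practice: without it, one client yields a different fingerprint per connection.

```python
"""JA3 from ClientHello field lists, plus grouping of fingerprints across source IPs.

Added example; not the page's own code. Input hellos are constructed."""
import hashlib
from collections import defaultdict


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are randomised per
    connection; JA3 drops them so one client keeps one fingerprint."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def ja3_string(hello):
    """Build the JA3 input string: SSLVersion,Ciphers,Extensions,Curves,PointFormats
    with decimal values joined by '-' inside a field and ',' between fields."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(hello["version"]),
        field(hello["ciphers"]),
        field(hello["extensions"]),
        field(hello["curves"]),
        field(hello["point_formats"]),
    ])


def ja3_hash(hello):
    """JA3 is defined as the MD5 of the JA3 string (an identifier, not a security primitive)."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


def cluster_by_fingerprint(observations, min_sources):
    """Group (src_ip, hello) observations by JA3 and return the fingerprints seen
    from at least min_sources distinct IPs: one tool driving many addresses."""
    sources = defaultdict(set)
    for src_ip, hello in observations:
        sources[ja3_hash(hello)].add(src_ip)
    return {fp: sorted(ips) for fp, ips in sources.items() if len(ips) >= min_sources}


# Constructed ClientHello field lists (decimal IANA code points).
PLAIN_HELLO = {
    "version": 771,  # 0x0303
    "ciphers": [4865, 4866, 4867, 49195, 49199],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13],
    "curves": [29, 23, 24],
    "point_formats": [0],
}
# Same client software; this connection happened to draw GREASE values into three lists.
GREASED_HELLO = {
    **PLAIN_HELLO,
    "ciphers": [0x0A0A] + PLAIN_HELLO["ciphers"],
    "extensions": [0x1A1A] + PLAIN_HELLO["extensions"],
    "curves": [0x2A2A] + PLAIN_HELLO["curves"],
}
# A different client: one cipher fewer.
OTHER_HELLO = {**PLAIN_HELLO, "ciphers": [4865, 4866, 49195]}

# Constructed observations: the same tool from three addresses, another client from one.
OBSERVATIONS = [
    ("198.51.100.10", PLAIN_HELLO),
    ("198.51.100.11", GREASED_HELLO),
    ("203.0.113.5", PLAIN_HELLO),
    ("203.0.113.6", OTHER_HELLO),
]

EXPECTED_JA3_STRING = "771,4865-4866-4867-49195-49199,0-23-65281-10-11-35-16-5-13,29-23-24,0"

if __name__ == "__main__":
    print(ja3_string(PLAIN_HELLO))
    print(ja3_hash(PLAIN_HELLO) == ja3_hash(GREASED_HELLO))
    print(cluster_by_fingerprint(OBSERVATIONS, min_sources=3))
```

The threshold in `cluster_by_fingerprint` is the tuning knob: a popular browser build will legitimately appear from thousands of addresses, so the fingerprint alone is a pivot, and the alert logic combines it with the target (login endpoints), rate and failure ratio.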

AD defense — companion to AD pentest reference

  • Kerberoasting detection. Event 4769 with a TGS request for the SPN of a user account using RC4 (Ticket Encryption Type 0x17). Alert on a single account requesting a high volume of such tickets.
  • AS-REP roasting. Clear the "Do not require Kerberos preauthentication" flag on all accounts. Alert on 4768 AS-REQ where Pre-Authentication Type = 0.
  • DCSync detection. Event 4662 with Properties containing 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes). Filter known replication accounts.
  • Golden ticket detection. 4624 with LogonType=3, NetworkInfo blank fields. Mimikatz-style PAC anomalies. Pre-built rule in Defender for Identity, Microsoft DART playbooks.
  • Constrained-delegation abuse. Audit msDS-AllowedToDelegateTo changes (event 5136). Inventory and remove unconstrained delegation everywhere possible.
  • Tier 0 isolation. Domain controllers, AD admins, PKI — own dedicated tier with no shared workstations, no shared service accounts, separate jump hosts.
  • LAPS. Local Administrator Password Solution. Random per-host, rotated, retrievable only by authorized accounts. Kills pass-the-hash lateral movement that relies on one local-admin password shared across hosts.
  • Credential Guard / RDP Restricted Admin. Prevents NTLM/Kerberos credential exposure on jump hosts.
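The Kerberoasting, AS-REP roasting and DCSync rules above, run over Security-log events, as an added example (not the page's own code and not a vendor rule set). Events are dicts keyed by the field names the Windows event XML uses (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status, SubjectUserName, Properties); the event values are constructed, and `known_replicators` (accounts allowed to replicate, typically DC computer accounts) is an assumed allow-list input. One refinement beyond the bullet text: the AS-REP rule also requires a successful Status, since a normal logon's first AS-REQ is answered with KDC_ERR_PREAUTH_REQUIRED (0x19) and would otherwise look preauth-less.

```python
"""AD detection rules over constructed Security-log events.

Added example; not the page's own code. Field names follow the Windows event XML;
values are constructed, not captured from a real domain."""
from collections import Counter

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # control-access right GUID
RC4_HMAC = "0x17"


def detect(events, known_replicators, kerberoast_threshold=5):
    """Return a list of (rule, account) findings."""
    findings = []
    rc4_tgs_by_requester = Counter()
    replicators = {a.lower() for a in known_replicators}
    for e in events:
        eid = e["EventID"]
        if eid == 4769:
            # Kerberoasting: a service ticket for a user-account SPN (computer
            # accounts end in $) issued with RC4. Counted, then thresholded below.
            if (e.get("TicketEncryptionType", "").lower() == RC4_HMAC
                    and not e["ServiceName"].endswith("$")):
                rc4_tgs_by_requester[e["TargetUserName"].lower()] += 1
        elif eid == 4768:
            # AS-REP roasting: a successful AS-REQ with no pre-authentication.
            # Status 0x0 excludes the KDC_ERR_PREAUTH_REQUIRED (0x19) leg of a normal logon.
            if e.get("PreAuthType") == "0" and e.get("Status") == "0x0":
                findings.append(("asrep_roastable", e["TargetUserName"]))
        elif eid == 4662:
            # DCSync: the replication right exercised by anything not on the replicator list.
            props = e.get("Properties", "").lower()
            actor = e["SubjectUserName"]
            if DS_REPLICATION_GET_CHANGES in props and actor.lower() not in replicators:
                findings.append(("dcsync", actor))
    # Volume rule: one requester pulling many RC4 service tickets.
    for requester, n in rc4_tgs_by_requester.items():
        if n >= kerberoast_threshold:
            findings.append(("kerberoast", requester))
    return findings


def tgs(requester, service, etype="0x17"):
    """Build a constructed 4769 event."""
    return {"EventID": 4769, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype}


UNRELATED_PROPERTY = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real GUID
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

SAMPLE_EVENTS = (
    [tgs("jsmith", f"svc_app{i}") for i in range(6)]   # six RC4 tickets for six user SPNs
    + [tgs("bob", "svc_web")]                           # a single request: normal
    + [tgs("jsmith", "DC01$")]                          # computer-account SPN: not roastable
    + [tgs("carol", "svc_db", etype="0x12")]            # AES ticket: not the RC4 signal
    + [
        {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0", "Status": "0x0"},
        {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "Status": "0x0"},
        {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "0", "Status": "0x19"},
        {"EventID": 4662, "SubjectUserName": "DC02$",
         "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},
        {"EventID": 4662, "SubjectUserName": "jsmith",
         "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"},
        {"EventID": 4662, "SubjectUserName": "jsmith", "Properties": UNRELATED_PROPERTY},
    ]
)

if __name__ == "__main__":
    for rule, account in detect(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"{rule}: {account}")
```

The replicator allow-list is what keeps the DCSync rule quiet on a healthy domain: DC computer accounts replicate constantly, and anything else holding that right (backup software, Azure AD Connect) belongs on the list explicitly so its absence is itself a finding.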

Data-center host hardening

  • Firmware / BMC. iLO, iDRAC, IPMI on management VLAN, not on production. Default credentials changed. Firmware patched on documented cadence; vendor advisories monitored.
  • Secure boot + measured boot. TPM-backed where supported. PCR values monitored; drift = possible firmware tamper.
  • Physical access. Bezel locks, cage / cabinet access logs, tamper-evident seals on chassis. Console (serial / KVM) access via auditable terminal server, not directly.
  • Disk encryption. LUKS (Linux) / BitLocker (Windows) with TPM-bound key. Mitigates drive-pull theft. Doesn't mitigate online compromise.
  • Out-of-band update path. Plan for "we need to patch but can't go through normal change window" — physical or BMC console.
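The measured-boot item above calls for monitoring PCR values and treating drift as a possible firmware tamper. As an added example (not the page's own code), the following parses `tpm2_pcrread`-style output for a golden baseline and for the current reading and reports which watched PCRs differ. The output format assumed is a bank header line (`sha256:`) followed by `index : 0x<hex>` lines; the digests are constructed placeholders, and the watched-PCR set (0 through 4 and 7: firmware code and configuration, option ROMs, boot manager, Secure Boot policy) is an assumption to tune per platform.

```python
"""Compare current TPM PCR values against a golden baseline and report drift.

Added example; not the page's own code. Digest values are constructed placeholders."""
import re

PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")
# PCRs that should only change with a firmware/bootloader update (assumption; tune per platform).
WATCHED_PCRS = (0, 1, 2, 3, 4, 7)


def parse_pcrread(text):
    """Parse `tpm2_pcrread`-style output into {bank: {pcr_index: hexdigest}}."""
    banks = {}
    bank = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not PCR_LINE.match(line):
            bank = stripped[:-1].lower()      # e.g. "sha256"
            banks[bank] = {}
            continue
        m = PCR_LINE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = m.group(2).lower()
    return banks


def pcr_drift(baseline, current, watched=WATCHED_PCRS):
    """Return (bank, pcr, expected, observed) for every watched PCR in the
    baseline that is missing from or different in the current reading."""
    drift = []
    for bank, expected in baseline.items():
        observed = current.get(bank, {})
        for pcr in watched:
            if pcr in expected and observed.get(pcr) != expected[pcr]:
                drift.append((bank, pcr, expected[pcr], observed.get(pcr)))
    return drift


def _pcr_block(values):
    """Render constructed PCR values in the tpm2_pcrread text layout."""
    return "sha256:\n" + "".join(f"  {i} : 0x{h}\n" for i, h in values.items())


# Constructed golden values recorded after the last approved firmware update.
GOLDEN = {0: "11" * 32, 1: "22" * 32, 2: "33" * 32, 7: "77" * 32, 8: "88" * 32}
BASELINE_TXT = _pcr_block(GOLDEN)
# Constructed current reading: PCR 0 (firmware code) no longer matches; PCR 8
# (OS-controlled) also differs but is outside the watched set.
CURRENT_TXT = _pcr_block({**GOLDEN, 0: "ee" * 32, 8: "99" * 32})

if __name__ == "__main__":
    for bank, pcr, want, got in pcr_drift(parse_pcrread(BASELINE_TXT), parse_pcrread(CURRENT_TXT)):
        print(f"{bank} PCR{pcr}: expected {want[:8]}..., observed {(got or '<missing>')[:8]}...")
```

Drift is a signal, not a verdict: the golden values must be re-baselined after every approved firmware or bootloader change, so the comparison is only as good as the change record that accompanies it, which is the documented patch cadence the firmware bullet calls for.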

Rule of thumb: For most enterprises, the biggest hardening ROI is "LAPS + tier-0 isolation + Credential Guard" on the Windows side and "SSH CA + sudoers per-command + auditd module-load" on the Linux side. Everything else is incremental on top of those four.
