A simple hardening tool for Linux.

A simple hardening tool that automates basic security configurations for Debian, Ubuntu, Proxmox, and Alpine Linux. The project is stable but still in the early stages of development.

The scope of `hardn`'s current capabilities and platform support is limited. Regular security audits, updates, and monitoring are still required: `hardn` should be part of a broader security strategy, not a "set it and forget it" solution. While the binary distributions are SLSA Level 3 and Sigstore compliant, they are not suitable for enterprise deployments.
Who it is for: anyone managing a privately owned Linux server, container, or virtual machine:

- Homelab enthusiasts, students, hobbyists

Who it is not for: if you fill one of the following roles, refrain from deploying this tool on the systems you manage in the public or private sector:

- System Administrator
- DevOps Engineer
- SecOps Architect or Analyst
Feature | Description |
---|---|
Tamper Protected Binary | Releases are traceable to their source commit |
Cryptographic Signature | Binary signed with Sigstore; the signature is recorded in the public Rekor transparency log |
SSH Hardening | Secure SSH configuration, key-based authentication |
User Management | Create non-root users w/sudo access |
Firewall Configuration | UFW setup w/secure defaults |
DNS Configuration | Secure DNS setup with specific resolvers |
System Auditing | Install Lynis for comprehensive analysis |
Application Control | Install AppArmor for application restrictions |
Backup System | Automatic backup of modified configuration files |
Interactive Menu | User-friendly interface for system hardening |
Dry-Run Mode | Preview changes without applying them |
Multi-Distribution Support | Works with Debian, Ubuntu, Proxmox, and Alpine |
You can install the latest release of `hardn` using the installation script. The script detects your host operating system and architecture, downloads the matching binary, and installs it to `/usr/local/bin`.

Prerequisites:

- curl: used to download the script and binary.
- sh/bash: to execute the installation script.
- sudo: required for writing to `/usr/local/bin`.

Run the following command in your terminal:

```sh
curl -sSL https://raw.githubusercontent.com/abbott/hardn/main/install.sh | sudo sh
```

Piping a script into `sudo sh` executes whatever was downloaded, as root, without inspection. If you want to check a release before it touches the system, download the asset manually and verify its SLSA provenance and Sigstore signature as described in the release verification section below.
The script will:

- Detect your operating system (e.g., Debian, Proxmox, Alpine Linux) and CPU architecture.
- Query the GitHub releases API to find the latest asset matching your system (e.g., `hardn-linux-amd64` for 64-bit x86 Linux).
- Download the asset and install it to `/usr/local/bin` with executable permissions.
To update `hardn` to the latest release, re-run the installation command:

```sh
curl -sSL https://raw.githubusercontent.com/abbott/hardn/main/install.sh | sudo sh
```
To install manually:

1. Visit the GitHub Releases page.
2. Download the asset corresponding to your system (e.g., `hardn-linux-amd64`):

```sh
curl -LO https://github.com/abbott/hardn/releases/latest/download/hardn-linux-amd64
```

3. Move the downloaded binary to `/usr/local/bin` and set executable permissions:

```sh
# Make executable and move to system path
chmod +x hardn-linux-amd64
sudo mv hardn-linux-amd64 /usr/local/bin/hardn

# Test installation
sudo hardn -h # help
```
To build from source:

```sh
# Clone repository
git clone https://github.com/abbott/hardn.git
cd hardn

# Build
make build

# Example cross-compile for a specific target (e.g. AMD64)
GOOS=linux GOARCH=amd64 go build -o build/hardn cmd/hardn/main.go

# Install
sudo make install
```
Troubleshooting:

- Permission issues: if you encounter permission errors when writing to `/usr/local/bin`, ensure you're running the command with `sudo`.
- Missing curl: if `curl` is not installed, use your package manager to install it (e.g., `sudo apt-get install curl` on Debian/Ubuntu).
Run `hardn` without arguments to use the interactive menu for selecting hardening operations:

```sh
sudo hardn
```
Function | Flag | Description |
---|---|---|
Config file (string) | `-f, --config-file string` | Specify configuration file path |
Username (string) | `-u, --username string` | Specify username to create |
User (create) | `-c, --create-user` | Create non-root user with sudo access |
Root SSH (disable) | `-d, --disable-root` | Disable SSH access for root user |
DNS (configure) | `-g, --configure-dns` | Configure DNS settings |
UFW (configure) | `-w, --configure-ufw` | Configure firewall with SSH rules |
Run all (execute) | `-r, --run-all` | Run all hardening operations |
Dry run (mode) | `-n, --dry-run` | Preview changes without applying them |
Logs (print) | `-p, --print-logs` | View logs |
Version (print) | `-v, --version` | View version |
Help (print) | `-h, --help` | View usage information |
CLI Examples:

```sh
# Run all hardening operations
sudo hardn -r

# Create a non-root user w/ SSH access
sudo hardn -u george -c

# Configure firewall
sudo hardn -w

# Enable dry-run mode and preview all operations
sudo hardn -n -r

# Show version information
sudo hardn -v
```
On first run, `hardn` will offer to create a default configuration file if no existing config is found. The following YAML configuration file locations are searched in order:

- Path specified with the `-f` (`--config-file`) flag
- Environment variable `HARDN_CONFIG` (if set)
- `/etc/hardn/hardn.yml` (system-wide configuration)
- `~/.config/hardn/hardn.yml` (XDG Base Directory specification)
- `~/.hardn.yml` (traditional dot-file in home directory)
- `./hardn.yml` (current working directory)

Note that when run under `sudo`, `~` typically resolves to root's home directory rather than your own, so a per-user config in your home directory may not be found.
You can specify a different configuration file with the `-f` flag or the environment variable:

```sh
# Using command line flag
sudo hardn -f /path/to/custom-config.yml

# Using environment variable
export HARDN_CONFIG=/path/to/custom-config.yml
sudo hardn
```

Be aware that `sudo` resets the environment by default, so an exported `HARDN_CONFIG` may not reach `hardn`. Depending on your sudoers policy, pass it explicitly (`sudo HARDN_CONFIG=/path/to/custom-config.yml hardn`) or use `sudo -E`.
Example configuration:

```yaml
# User Management
username: "george"
sudoNoPassword: true
sshKeys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... george@example.com"

# Network & Security
sshPort: 2208 # Non-standard SSH port (security measure; default: 22)
dmzSubnet: "192.168.4"
nameservers:
  - "1.1.1.1"
  - "1.0.0.1"

# Feature Toggles
enableAppArmor: true
enableLynis: true
enableUnattendedUpgrades: true
enableUfwSshPolicy: true
configureDns: true
disableRoot: true
```
For a complete list of configuration options, review:

- The example configuration, also located at `/etc/hardn/hardn.yml.example` after initializing the binary (e.g., `sudo hardn`).
- The Configuration Guide
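Because `hardn` rewrites `sshd_config` (port, root login, key-based authentication), the check a practitioner wants after a run is an independent audit of what actually landed on disk. The script below is an added example and not part of `hardn`; it parses an `sshd_config` the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, everything after a `Match` line is conditional) and compares it with the values the example `hardn.yml` above implies: `sshPort` 2208, `disableRoot` true, and key-based rather than password authentication. Which exact directives `hardn` sets is an assumption here, as are the two constructed sample files; the `Key=value` spelling and sshd's built-in defaults are deliberately not modelled, so an unset directive counts as a failure.

```shell
#!/bin/sh
# Added example, not part of hardn: audit an sshd_config against the values a
# hardn run with the example hardn.yml should leave behind (sshPort 2208,
# disableRoot true, key-based auth). Pure text parsing, so it works on a copied
# file or a constructed sample; on a live host `sshd -T` prints the effective
# configuration and is the better source of truth.
set -eu

# Print the effective value of a directive. sshd uses the FIRST occurrence of a
# keyword, keywords are case-insensitive, and everything after a "Match" line
# is conditional, so parsing stops there. "Key=value" spelling is not handled,
# and sshd's compiled-in defaults are not applied (unset prints nothing).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# Compare one directive with the expected value (case-insensitive).
# Prints a PASS/FAIL line; returns 1 on failure.
check_directive() {
    got=$(sshd_value "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %-22s %s\n' "$2" "$got"
        return 0
    fi
    printf 'FAIL %-22s got "%s", want "%s"\n' "$2" "${got:-<unset>}" "$3"
    return 1
}

# Audit FILE against the expected hardened values; PORT defaults to the example
# config's 2208. The return value is the number of failed checks. The set of
# directives is an assumption about what SSH hardening should produce.
audit_sshd() {
    failures=0
    check_directive "$1" Port "${2:-2208}"          || failures=$((failures + 1))
    check_directive "$1" PermitRootLogin no         || failures=$((failures + 1))
    check_directive "$1" PasswordAuthentication no  || failures=$((failures + 1))
    check_directive "$1" PubkeyAuthentication yes   || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample configs for the demo (not copied from any real host).
write_samples() {
    cat > "$1/hardened" <<'EOF'
# hand-written sample of a hardened sshd_config
Port 2208
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF
    cat > "$1/stock" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
echo "== hardened sample"; audit_sshd "$samples/hardened" || true
echo "== stock sample";    audit_sshd "$samples/stock"    || true
rm -rf "$samples"
# On a real host: audit_sshd /etc/ssh/sshd_config 2208
```

Run it against a copy of `/etc/ssh/sshd_config` taken before and after `sudo hardn -r` (or after `sudo hardn -n -r` to confirm the dry run changed nothing); the non-zero return value makes it usable as a gate in a provisioning pipeline.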
`hardn` implements SLSA Level 3 supply chain security for all releases. All releases follow the Supply-chain Levels for Software Artifacts (SLSA) Level 3 requirements, providing:

- Tamper Protection: each binary is signed and includes a provenance attestation
- Build Integrity: builds are performed in GitHub's trusted environment
- Source Verification: binaries are traceable back to their source commit
- Reproducibility: the build process is recorded in the provenance, so it can be inspected and re-run (SLSA Level 3 itself does not require bit-for-bit reproducible output)

In addition to SLSA provenance, all artifacts are signed using Sigstore:

- Cryptographic Verification: each binary is signed with ephemeral keys
- Transparency Logs: all signatures are recorded in the public Rekor transparency log
- Identity-based Trust: signatures are tied to the GitHub Actions OIDC identity of the release workflow
- Keyless Verification: no need to manage or distribute public keys
To verify a `hardn` release with both SLSA provenance and Sigstore signature:

1. Use our verification script:

```sh
# Download and run verification script
curl -sSL https://raw.githubusercontent.com/abbott/hardn/main/scripts/verify.sh > verify.sh
chmod +x verify.sh
./verify.sh v0.3.2 linux-amd64
```

2. Or verify manually:

```sh
# Install verification tools
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.7.0
curl -sSL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o cosign
chmod +x cosign
sudo mv cosign /usr/local/bin/

# Download the binary and verification files
curl -LO https://github.com/abbott/hardn/releases/download/v0.3.2/hardn-linux-amd64
curl -LO https://github.com/abbott/hardn/releases/download/v0.3.2/hardn-linux-amd64.intoto.jsonl
curl -LO https://github.com/abbott/hardn/releases/download/v0.3.2/hardn-linux-amd64.sig
curl -LO https://github.com/abbott/hardn/releases/download/v0.3.2/hardn-linux-amd64.crt

# Verify SLSA provenance (slsa-verifier v2 takes the artifact as a positional argument)
slsa-verifier verify-artifact hardn-linux-amd64 \
  --provenance-path hardn-linux-amd64.intoto.jsonl \
  --source-uri github.com/abbott/hardn \
  --source-tag v0.3.2

# Verify Sigstore signature. Pin the signing identity to a workflow in the
# official repository; a pattern such as ".*github.com/workflows/.*" would
# accept a workflow from any repository on github.com.
cosign verify-blob \
  --certificate hardn-linux-amd64.crt \
  --signature hardn-linux-amd64.sig \
  --certificate-identity-regexp '^https://github.com/abbott/hardn/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  hardn-linux-amd64
```

3. Or use our `Makefile` targets:

```sh
# Install tools
make install-verifier
make install-cosign

# Verify both SLSA and Sigstore
make verify-release-full VERSION=0.3.2 OS=linux ARCH=amd64
```

A successful verification confirms the binary was built by GitHub Actions from the official `hardn` repository at the specified tag, has a valid signature tied to the GitHub workflow identity, and has not been tampered with since it was built.
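The verification steps above and the installation steps earlier are separate procedures; in practice you want them combined so that nothing is written to `/usr/local/bin` until both verifiers have accepted the artifact. The script below is an added example, not `hardn`'s own `install.sh` or `verify.sh`. It assumes `curl`, `slsa-verifier` and `cosign` are on `PATH`, that release assets and their `.intoto.jsonl`, `.sig` and `.crt` companions follow the naming shown above, that an arm64 asset is named `hardn-linux-arm64` (only the amd64 name appears in this README), and that the signing certificate's identity is a workflow under `github.com/abbott/hardn`. If the release is signed by a reusable workflow, cosign reports the actual identity on failure and the regexp should be adjusted to match it, not loosened to match anything.

```shell
#!/bin/sh
# Added example, not hardn's own install.sh: fetch a tagged release, verify its
# SLSA provenance and Sigstore signature, and install it only if both checks
# pass. Requires curl, slsa-verifier and cosign on PATH.
set -eu

REPO=abbott/hardn

# Map `uname -m` to the release asset name. Only hardn-linux-amd64 appears in
# the hardn docs; the arm64 name is an assumption following the same
# GOOS-GOARCH pattern. Anything else is rejected rather than guessed.
asset_for() {
    case "$1" in
        x86_64|amd64)  echo hardn-linux-amd64 ;;
        aarch64|arm64) echo hardn-linux-arm64 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Signing identity to accept: a GitHub Actions workflow in the official
# repository. Anchored to the repo, unlike a bare ".*github.com/workflows/.*",
# which a workflow in any repository on github.com could satisfy.
identity_regexp() {
    printf '^https://github.com/%s/' "$REPO"
}

# Verify ASSET (in the current directory) against TAG. Either verifier
# rejecting the artifact aborts the script because of set -e.
verify_release() {
    slsa-verifier verify-artifact "$2" \
        --provenance-path "$2.intoto.jsonl" \
        --source-uri "github.com/$REPO" \
        --source-tag "$1"
    cosign verify-blob "$2" \
        --certificate "$2.crt" \
        --signature "$2.sig" \
        --certificate-identity-regexp "$(identity_regexp)" \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com
}

# Download TAG's asset plus its provenance, signature and certificate into a
# scratch directory, verify, and only then install as /usr/local/bin/hardn.
install_verified() {
    tag=$1
    asset=$(asset_for "$(uname -m)")
    base="https://github.com/$REPO/releases/download/$tag"
    work=$(mktemp -d)
    cd "$work"
    for f in "$asset" "$asset.intoto.jsonl" "$asset.sig" "$asset.crt"; do
        curl -fsSL -o "$f" "$base/$f"   # -f: a 404 is an error, not a saved HTML page
    done
    verify_release "$tag" "$asset"
    sudo install -m 0755 "$asset" /usr/local/bin/hardn
    cd / && rm -rf "$work"
    echo "installed verified $asset ($tag) to /usr/local/bin/hardn"
}

# Usage: ./verified-install.sh v0.3.2
if [ $# -ge 1 ]; then
    install_verified "$1"
fi
```

Pin the tag rather than using `releases/latest` so that the `--source-tag` check in `slsa-verifier` is meaningful: a verifier that accepts whatever tag the server happens to serve cannot detect a rollback to an older, vulnerable release.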
Please review the Contributing Guide prior to submitting a pull request.
- Use the GitHub issue tracker to report bugs
- Provide detailed reproduction steps
- Include your environment details (OS, Go version, etc.)
- For security vulnerabilities, please email 641138+abbott@users.noreply.github.com instead of creating a public issue.
- Expanded multi-distribution and package management support (Arch, CentOS/RHEL, Fedora)
- Enhanced system integrity dashboard
- Containerized deployment
- Centralized configuration and management for multiple servers
- Extended auditing capabilities
- Web interface for remote administration
- Integration with compliance benchmarks (CIS, STIG)
After manually hardening Debian based containers and VMs for years, I wrote and maintained a local script to automate the essentials by way of a config and command line arguments. Within a year, a CLI menu was bolted on and the codebase needed to be refactored to ensure maintainability, so I landed on Go, and decided to publish the tool. Enjoy! 🔥
This project builds upon:
- Cobra for CLI functionality
- Viper for configuration management
- yaml.v3 for YAML parsing
- color for terminal color support
Special thanks to the Linux security community (experts & enthusiasts) for the wisdom and knowledge over the years.
This project is licensed under the GNU AGPL v3 License - see the LICENSE file for details.