{"id":167945,"date":"2026-05-23T18:30:53","date_gmt":"2026-05-23T15:30:53","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=167945"},"modified":"2026-05-24T00:34:44","modified_gmt":"2026-05-23T21:34:44","slug":"security-hardening-fedora","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/security-hardening-fedora\/","title":{"rendered":"Harden Fedora 44 \/ 43 \/ 42 for Desktop and Server: Complete Guide"},"content":{"rendered":"\n

A fresh Fedora 44 install ships in better security posture than most Linux distributions. SELinux is enforcing, firewalld blocks anything that no service exposes, the kernel ships with stack canaries and KASLR, the package keys chain to Fedora’s PGP trust, and the new RPM 6.0 transaction format ships in F44 with stronger digest verification. None of that is the same as “hardened”. A vanilla F44 cloud image scored 74.66 out of 100 on the CIS Level 1 Server benchmark<\/strong> when we ran oscap xccdf eval<\/code> against it for this guide. 176 rules passed; 120 failed. The same box passes more than 200 of those rules once the changes in this guide land. That gap is the difference between “Fedora defaults” and “production-ready Fedora”, and it is what this guide closes for both desktop workstations and servers.<\/p>\n\n\n\n

The previous version of this article touched the surface (sysctl, SSH, faillock, AIDE, mask a few services) and stopped. That left out the things that matter most in 2026: compliance-grade measurement with OpenSCAP and the CIS Fedora benchmarks, account framework hardening via authselect<\/code>, full PAM password-quality policy, sudo I\/O logging, kernel command-line lockdown, kernel module signing enforcement, USB device authorization with USBGuard, NTS-secured time, DNS-over-TLS, browser sandboxing via Flatpak, NetworkManager MAC randomization for desktops, persistent and forwarded journald logging, comprehensive audit rules, and a periodic audit cadence. This rewrite walks every one of those, captures real before-and-after output on two Fedora 44 lab boxes (one server profile, one desktop profile), and flags the gotchas that turn a hardening session into a lockout. Same commands work on Fedora 43 and Fedora 42 because the underlying tooling (selinux-policy, scap-security-guide, authselect, audit, USBGuard, firewalld) is identical across the three releases.<\/p>\n\n\n\n

Pick a posture: workstation, server, or compliance baseline<\/h2>\n\n\n\n

Hardening choices depend on what the box will do. Picking a posture up front prevents the “I disabled the wrong thing” cycle later. The three F44-relevant postures and what each rules out:<\/p>\n\n\n\n

Posture<\/th>Use it for<\/th>What it rules out<\/th><\/tr><\/thead>
Workstation<\/strong><\/td>Daily-driver laptop, dev box, single-user desktop<\/td>Aggressive service masking (kills GNOME\/KDE features), net.ipv4.icmp_echo_ignore_all=1<\/code> (breaks captive portal detection), requiretty<\/code> in sudo (breaks GUI askpass)<\/td><\/tr>
Server<\/strong><\/td>Headless host, container engine, reverse proxy, database<\/td>USBGuard (no USB devices to manage), NetworkManager MAC randomization, browser sandbox tweaks<\/td><\/tr>
Compliance baseline (CIS L1 \/ PCI-DSS \/ STIG)<\/strong><\/td>Anything that has to pass an external audit<\/td>Manual sysctl tweaks (the SCAP remediation script handles them); your own opinions about defaults (the profile wins)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Most readers want a mix: workstation defaults plus a few server-grade controls (faillock, AIDE, audit rules) for paranoia, or server defaults plus a compliance scan to confirm. The sections below are written so you can pick which to apply. The exception is the measurement section, which everyone should run first.<\/p>\n\n\n\n

Measure first: OpenSCAP, Lynis, and systemd-analyze<\/h2>\n\n\n\n

Hardening without measurement is theatre. Three tools cover the measurement angles you need: OpenSCAP for compliance-framework scoring (CIS, PCI-DSS, OSPP, ANSSI), Lynis for general security-posture suggestions, and systemd-analyze security<\/code> for per-service attack-surface scoring. Install all three plus the supporting packages:<\/p>\n\n\n\n

sudo dnf5 install -y lynis aide audit fail2ban \\\n                     openscap-scanner scap-security-guide \\\n                     policycoreutils-python-utils setroubleshoot-server \\\n                     usbguard<\/code><\/pre>\n\n\n
The scap-security-guide<\/code> package is what makes the rest work: it ships compiled XCCDF datastreams for every supported OS plus the SCAP profiles you can scan against. Inspect what profiles are available for Fedora:<\/p>\n\n\n
sudo oscap info \/usr\/share\/xml\/scap\/ssg\/content\/ssg-fedora-ds.xml | head -25<\/code><\/pre>\n\n\n
On Fedora 44 with scap-security-guide 0.1.80 you get eight named profiles:<\/p>\n\n\n
\"oscap<\/figure>\n\n\n
For a server, start with cis_server_l1<\/code>; for a workstation, cusp_fedora<\/code> or cis_workstation_l1<\/code>; for payment-processing or audit-ready environments, pci-dss<\/code>. Run a baseline scan and write the HTML report and machine-readable XML to disk:<\/p>\n\n\n
sudo oscap xccdf eval \\\n  --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \\\n  --report \/tmp\/oscap-baseline.html \\\n  --results \/tmp\/oscap-baseline.xml \\\n  \/usr\/share\/xml\/scap\/ssg\/content\/ssg-fedora-ds.xml<\/code><\/pre>\n\n\n
The scan takes 60-120 seconds on a 2-vCPU box. While it runs it streams each rule to stdout; afterwards you have a colour-coded HTML report you can open in a browser and an XML you can re-process. Get the score and pass\/fail counts directly from the XML:<\/p>\n\n\n
sudo grep -oE \"]*>[^<]+<\/score>\" \/tmp\/oscap-baseline.xml\nsudo grep -oE \"(pass|fail|notapplicable|notselected)<\/result>\" \\\n  \/tmp\/oscap-baseline.xml | sort | uniq -c<\/code><\/pre>\n\n\n
On a vanilla F44 cloud image the score is around 74.66<\/strong>, with 176 passes, 120 fails, 27 N\/A, and a much larger pool of rules outside this profile:<\/p>\n\n\n
\"OpenSCAP<\/figure>\n\n\n
The HTML report at \/tmp\/oscap-baseline.html<\/code> is the authoritative reference for which rules failed and what the remediation is. Each failure links to the exact remediation snippet (bash, Ansible, or Kubernetes manifest) the SCAP project ships for it. Lynis gives a complementary general-purpose audit:<\/p>\n\n\n
sudo lynis audit system | grep -E \"Hardening index|Warnings|Suggestions\"<\/code><\/pre>\n\n\n
Lynis baseline on the same image: hardening index 68, 3 warnings, 34 suggestions. For service-level scoring:<\/p>\n\n\n
systemd-analyze security --no-pager | head -15<\/code><\/pre>\n\n\n
Each service shows an exposure score from 0 (sandboxed) to 10 (running as root unconfined). Most stock daemons sit above 7. The combined picture (CIS score + Lynis index + systemd-analyze) is your benchmark; every change in this guide should move at least one of those numbers in the right direction.<\/p>\n
Authentication and account safety<\/h2>\n
Fedora has used authselect<\/code> to manage the PAM stack since F28; the current profile on a fresh F44 install is local<\/code> with default features. Switch to the sssd<\/code> profile with the hardening features turned on. with-faillock<\/code> wires pam_faillock<\/code> into the auth stack, with-mkhomedir<\/code> auto-creates home directories for AD\/LDAP users on first login:<\/p>\n\n\n
sudo authselect select sssd with-faillock with-mkhomedir --force\nsudo authselect current\nsudo authselect check<\/code><\/pre>\n\n\n
The output confirms the profile and lists the enabled features:<\/p>\n\n\n
\"authselect<\/figure>\n\n\n
authselect check<\/code> returns “Current configuration is valid” on success; any drift in \/etc\/pam.d\/*<\/code> from manual edits is reported here. List the full feature catalog with sudo authselect list-features sssd<\/code>; relevant extras include with-fingerprint<\/code> for laptop fingerprint readers, with-pamaccess<\/code> for per-user host restrictions via \/etc\/security\/access.conf<\/code>, and without-nullok<\/code> to reject empty passwords (the CIS profile flags this).<\/p>\n
Tune the faillock policy in \/etc\/security\/faillock.conf<\/code>. The defaults are too loose for production (15 failures, 600s lockout). Five attempts within 15 minutes locks for 15 minutes, with audit logging of the failure events:<\/p>\n\n\n
sudo tee \/etc\/security\/faillock.conf > \/dev\/null <<'EOF'\ndeny = 5\nunlock_time = 900\nfail_interval = 900\nsilent\naudit\nEOF<\/code><\/pre>\n\n\n
The silent<\/code> directive prevents leaking which accounts exist; audit<\/code> writes lock events to \/var\/log\/audit\/audit.log<\/code>. Test by intentionally failing twice from another shell, then inspect:<\/p>\n\n\n
sudo faillock<\/code><\/pre>\n\n\n
Output lists every user with a failure count, the timestamp, and the source. To clear a locked user: sudo faillock --user username --reset<\/code>. Pair faillock with strong password quality. pwquality<\/code> is already loaded by the sssd<\/code> authselect profile; drop a config file with sane thresholds:<\/p>\n\n\n
sudo mkdir -p \/etc\/security\/pwquality.conf.d\nsudo tee \/etc\/security\/pwquality.conf.d\/cfg-hardening.conf > \/dev\/null <<'EOF'\nminlen = 14\nminclass = 4\nmaxrepeat = 3\nmaxclassrepeat = 4\nucredit = -1\nlcredit = -1\ndcredit = -1\nocredit = -1\ndifok = 8\nenforcing = 1\nenforce_for_root\nEOF<\/code><\/pre>\n\n\n
14 minimum length, four character classes (upper, lower, digit, symbol), no more than three identical characters in a row, root included. PAM picks up the change at the next password change; existing passwords are not retroactively forced to comply. The enforce_for_root<\/code> directive is the most-missed line; without it, root can still set a weak password.<\/p>\n
Sudo I\/O logging and timeout<\/h3>\n
Sudo’s default config logs the command but not stdin\/stdout. For incident investigation, full I\/O capture is invaluable. Drop a sudoers file with full logging plus a shorter cred timeout. Critical gotcha:<\/strong> do NOT include requiretty<\/code> on a server you administer over SSH. We tested this and it cleanly locked out every ssh user@host 'sudo ...'<\/code> command pattern; requiretty<\/code> is the kind of “looks more secure on paper” setting that ships breakage and was officially deprecated by the sudo project. use_pty<\/code> alone gives you the audit trail without the SSH breakage:<\/p>\n\n\n
sudo tee \/etc\/sudoers.d\/50-cfg-logging > \/dev\/null <<'EOF'\nDefaults    log_input, log_output\nDefaults    iolog_dir=\"\/var\/log\/sudo-io\/%{user}\"\nDefaults    log_subcmds, log_exit_status\nDefaults    use_pty\nDefaults    timestamp_timeout=5\nEOF\nsudo visudo -c -f \/etc\/sudoers.d\/50-cfg-logging<\/code><\/pre>\n\n\n
The visudo -c<\/code> dry-run is mandatory; a syntax error in sudoers can disable all sudo until console rescue. After the change, sudo cat \/etc\/sudoers<\/code> records both the command and its output under \/var\/log\/sudo-io\/<\/code>. Replay a session with sudo sudoreplay TS_ID<\/code>.<\/p>\n
Lock down su, root SSH, and the wheel group<\/h3>\n
Three settings that take seconds and matter for years. Restrict su<\/code> to wheel members only (Fedora ships this commented out by default):<\/p>\n\n\n
sudo sed -i 's\/^#\\(auth.*pam_wheel.so use_uid\\)\/\\1\/' \/etc\/pam.d\/su\ngrep pam_wheel \/etc\/pam.d\/su<\/code><\/pre>\n\n\n
Lock the root account from direct console password login if every admin has a sudoer account (the safer pattern):<\/p>\n\n\n
sudo passwd -l root\nsudo passwd -S root<\/code><\/pre>\n\n\n
The status line should read root LK<\/code>. To unlock for emergency console access: sudo passwd -u root<\/code>. The PermitRootLogin no<\/code> in SSH (below) covers the network angle; locking the password covers physical and emergency console.<\/p>\n
Kernel and sysctl hardening<\/h2>\n
A tuned sysctl<\/code> drop-in is the single biggest one-shot improvement on a stock install. The set below combines the Red Hat security hardening guide for RHEL 10, the Fedora workstation CUSP profile, and the privacyguides.org reference, with the desktop-breaking exceptions called out. Write to \/etc\/sysctl.d\/99-cfg-hardening.conf<\/code>:<\/p>\n\n\n
sudo vi \/etc\/sysctl.d\/99-cfg-hardening.conf<\/code><\/pre>\n\n\n
Paste:<\/p>\n\n\n
# === Network ===\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_rfc1337 = 1\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.use_tempaddr = 2\nnet.ipv6.conf.default.use_tempaddr = 2\n\n# === Kernel ===\nkernel.kptr_restrict = 2\nkernel.dmesg_restrict = 1\nkernel.printk = 3 3 3 3\nkernel.unprivileged_bpf_disabled = 1\nnet.core.bpf_jit_harden = 2\nkernel.kexec_load_disabled = 1\nkernel.yama.ptrace_scope = 1\nkernel.sysrq = 4\nkernel.perf_event_paranoid = 3\nkernel.core_pattern = |\/bin\/false\nvm.unprivileged_userfaultfd = 0\n\n# === Filesystem ===\nfs.protected_fifos = 2\nfs.protected_regular = 2\nfs.protected_symlinks = 1\nfs.protected_hardlinks = 1\nfs.suid_dumpable = 0\nEOF<\/code><\/pre>\n\n\n
Apply and verify with explicit reads of the most consequential keys:<\/p>\n\n\n
sudo sysctl -p \/etc\/sysctl.d\/99-cfg-hardening.conf\nsudo sysctl kernel.kptr_restrict kernel.yama.ptrace_scope \\\n            kernel.unprivileged_bpf_disabled fs.protected_fifos<\/code><\/pre>\n\n\n
On the F44 lab box every key reports its new value (kernel.kptr_restrict = 2<\/code>, kernel.yama.ptrace_scope = 1<\/code>, etc.). Important side effects to know before you ship this to a workstation:<\/p>\n