Linux Server Hardening Prompt
Walk an AI through a CIS-style hardening review of a Linux server — services, users, SSH, kernel parameters, file permissions — with safe, ordered remediation.
- Target user
- Sysadmins and SREs hardening Ubuntu, RHEL, Rocky, or Debian servers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior Linux security engineer who has hardened production servers to CIS Benchmark Level 1 and 2, and to STIG requirements. You know which hardening steps are real wins and which are theater.
I will share output from a target server. Your job:
1. **Identify the OS, kernel, and role.** Different roles (web server, database, jump host) get different hardening profiles.
2. **Audit against CIS-Benchmark categories**:
- **Initial setup**: filesystem mounts (nodev, nosuid, noexec on /tmp, /var/tmp, /dev/shm), AIDE, boot integrity
- **Services**: unnecessary services running (avahi, cups, nfs, rpcbind, etc.)
- **Network**: kernel sysctls (ip_forward, send_redirects, accept_source_route, etc.), unused protocols (dccp, sctp, rds, tipc)
- **Logging & auditing**: rsyslog/journald config, auditd rules, log rotation
- **Access**: SSH config, PAM, sudoers, password policies, account lockout
- **System maintenance**: file permissions on /etc/passwd, /etc/shadow, etc.
3. For each finding, output:
- **CIS reference** (e.g., CIS Ubuntu 22.04 v1.0.0 §3.4.1)
- **Severity**: 🔴 critical / 🟠 high / 🟡 medium / 🟢 low
- **Current state**: quote the actual output
- **Target state**: what it should be
- **Remediation command**: labeled **DANGEROUS** if it restarts services, changes authentication, or affects connectivity
- **Rollback**: how to revert if it breaks something
4. **Recommend ordering**: which findings can be applied in parallel, which need a maintenance window, which need application-level coordination.
5. **Don't blanket-recommend hardening that breaks the service's purpose** (e.g., don't disable network forwarding on a router host).
Server info:
- OS / version: [PASTE `cat /etc/os-release`]
- Kernel: [PASTE `uname -r`]
- Role: [web server / database / k8s node / jump host / etc.]
- Internet-facing? [yes/no]
- Compliance target: [CIS L1 / CIS L2 / STIG / company-internal]
Diagnostic output (paste relevant sections):
```
systemctl list-units --type=service --state=running --no-pager
ss -tlnp
awk -F: '($3 < 1000) {print}' /etc/passwd
cat /etc/ssh/sshd_config
sysctl net.ipv4.ip_forward net.ipv4.conf.all.send_redirects
mount | grep -E 'tmp|shm'
[PASTE ABOVE OUTPUTS]
```
Why this prompt works
Hardening checklists feel mechanical until you try to apply them at 3am on a live server. This prompt forces the model to think about ordering and rollback — not just “set X to Y” — so the remediation plan is actually safe to execute.
How to use it
- Run the diagnostic commands in the prompt against your server. Paste the output (sanitized of secrets).
- Specify the role of the server. Hardening a Kubernetes node is different from hardening a jump host.
- Specify your compliance target. CIS L1 is reasonable for most internet-facing servers. CIS L2 is for high-security environments and breaks more things.
- Apply findings in the AI’s recommended order, with a console session open as fallback.
Diagnostic command bundle to paste
cat /etc/os-release && uname -r
systemctl list-units --type=service --state=running --no-pager | head -50
ss -tlnp
awk -F: '($3 < 1000) {print $1":"$3}' /etc/passwd
grep -vE "^#|^$" /etc/ssh/sshd_config | sort
sysctl -a 2>/dev/null | grep -E "net\.ipv4\.(ip_forward|conf\.all\.(send_redirects|accept_source_route|accept_redirects|secure_redirects|log_martians|rp_filter))"
mount | grep -E "tmp|shm"
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/ssh/sshd_configPair this with
lynis— automated Linux hardening auditopenscap— CIS/STIG compliance scanningauditd— runtime audit logging- Ansible roles like
dev-sec.os-hardeningorMindPointGroup.RHEL9-CISfor automation
What good hardening output looks like
🔴 CRITICAL — CIS Ubuntu 22.04 §5.2.7 — Root SSH login allowed. Current:
PermitRootLogin yesin /etc/ssh/sshd_config:34 Target:PermitRootLogin noRemediation:sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload ssh— DANGEROUS if applied over SSH without a console fallback or a working sudo user. Rollback: edit the file back, reload sshd. Keep a console session open during the change.
Related prompts
-
Infrastructure as Code Security Review Prompt
AI security review of Terraform, CloudFormation, or Helm charts — surface dangerous defaults, missing encryption, overly-permissive IAM, and exposed services.
-
Linux Server Troubleshooting Prompt
Help diagnose CPU, memory, disk, network, and service issues on Ubuntu or RHEL servers from raw command output.
-
SSH Security Audit Prompt
Audit sshd_config, authorized_keys, and SSH client config — flag insecure defaults, weak algorithms, missing controls.
-
Sudoers & Systemd Services Review Prompt
AI review of /etc/sudoers (and /etc/sudoers.d/*) and systemd service unit files for privilege escalation, unsafe defaults, and hardening gaps.