Harden an Ubuntu 22.04 Server Using Lynis & SELinux

#From Vanilla Ubuntu to Fortress: A Full Hardening Walkthrough#link

This capstone tasks you with hardening a fresh Ubuntu 22.04 LTS server using Lynis as a guide and enabling SELinux (or AppArmor) in enforcing mode. You'll apply kernel hardening, sudo restrictions, automated patching, and auditd. By the end, Lynis should report a high hardening index and minimal warnings.

Lab Objectives

Start from a base Ubuntu 22.04 server. Run Lynis to get a baseline score. Then incrementally harden: update all packages, set up unattended-upgrades, configure ufw (or iptables), harden SSH, restrict su/sudo, apply kernel sysctl parameters, and enable AppArmor or SELinux. After each step, re-run Lynis to see improvement.

The output points you to immediate weaknesses. Address them and watch the index climb.

# Example: Apply kernel hardening parameters
sudo tee -a /etc/sysctl.d/99-hardening.conf << EOF
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
EOF
sudo sysctl --system

SELinux / AppArmor Enforcement

Ubuntu defaults to AppArmor. Ensure it is in enforce mode for all profiles: aa-enforce /etc/apparmor.d/*. Alternatively, if you want to tackle SELinux, install it (selinux-basics, selinux-policy-default), set to enforcing, and relabel filesystem. This is a challenging but rewarding step. Verify with getenforce.

Deliverables

Submit your final Lynis report showing the hardening index (target >80), a summary of changes made, and a short write-up of any warnings you chose not to fix and why. Include any scripts you wrote.

• ▪Start with Lynis audit and record baseline.
• ▪Iteratively harden based on Lynis warnings; re-audit after each change.
• ▪Achieve enforcing MAC (AppArmor or SELinux) for critical services.
• ▪Document your hardening steps and final justification.