Linux & Open Source · Software · YoctoIT tech page

Sicurezza Linux

SELinux/AppArmor, CIS benchmarks and encryption: production Linux gets armored by policy, not by luck.

FOCUS · THE ARMORED PENGUINMAC active, CIS baselines and fast patches: Linux security as a measurable process
YoctoIT material for clients and partners · Linux is a trademark of Linus Torvalds; the distributions and products mentioned are trademarks of their respective owners.
01 · What it is

Sicurezza — SELinux & hardening, made clear.

Secure Linux isn't the one without viruses: it's the one hardened by policy. SELinux (or AppArmor) in enforcing — the compromised process stays in its cage — the CIS baselines applied and measured (OpenSCAP), the encryption (LUKS) on the data, SSH cut to the bone, and the CVEs prioritized by real exposure, not by headline.

Enforcing
SELinux truly active: the exploit confined by the policy
CIS
the baselines applied and MEASURED: the gap visible, remediated
MFA+key
SSH without passwords, with a second verification: the front door, armored
Sicurezza — SELinux & hardening
OFFICIAL LINUX BRANDING · LINUX SECURITY
INTERFACCIA REALE · SCAP WORKBENCH · FONTE: OPENSCAP
REAL INTERFACE · SCAP WORKBENCH · SOURCE: OPENSCAP
02 · How to use it well

The things that make the difference.

The layers

Applications & datawhat must be defended
MAC (SELinux)
CIS hardening
Encryption & accesses
the cage · the base · the keys
OpenSCAP · the measurethe compliance with numbers
Prioritized patchesthe right CVEs, first
The defense that proves itself

Enforcing without pain

SELinux switched on with method (audit, tuning, then enforcing): the security that doesn't break the application.

The scan that governs

OpenSCAP scheduled on the estate: the compliance report that guides the remediations.

Priority by exposure

The CVE on the exposed service before the one on the inert package: intelligent patching.

Accesses worthy of 2026

granular sudo, rotated keys, tracked sessions: who does what, always written down.

03 · In depth

Hardening: SELinux, auditd and the baseline

Linux security is built in layers: SELinux/AppArmor confine the processes (the compromised web server doesn't read /etc/shadow), auditd records the relevant syscalls (the evidence for the forensics), the CIS/STIG baselines get applied and measured with OpenSCAP (the compliance report generated, not declared), fapolicyd does the executables' allowlisting, SSH gets armored (keys, MFA, no root), the kernel gets tuned (sysctl, lockdown); the secret is the automation: the baseline in Ansible, the drift measured.

  • SELinux enforcing — the process in the pen: the exploit that doesn't spread
  • OpenSCAP — CIS/STIG measured: the automatic compliance report
  • auditd — the syscalls tracked: who touched what, with the proof
  • fapolicyd — only the approved executables run: the malware left dry
  • SSH hardening — keys+MFA, root closed: the front door armored
  • Baseline as code — the hardening in Ansible: the same everywhere, measured always
04 · Numbers and lifecycle

The numbers that matter.

100%
of the systems measurable with OpenSCAP
CIS L1/L2
the profiles applied by criticality
0
direct root logins: total traceability
NIS2
the hardening with evidence: the requirement covered
Real hardening is repeatable: baselines, scans and remediations in automation — the compliance that proves itself.
05 · Use cases

Where it really pays off.

Exposed servers

Web and APIs with the SELinux cage active.

NIS2 compliance

The baselines with the evidence, generated by the process.

Post-incident

Serious hardening after (or better: before) the lesson.

Linux is secure if someone hardens it: policy, measurement and patches — our daily triptych.