
SELinux/AppArmor, CIS benchmarks and encryption: production Linux gets armored by policy, not by luck.
Secure Linux isn't the one without viruses: it's the one hardened by policy. SELinux (or AppArmor) in enforcing — the compromised process stays in its cage — the CIS baselines applied and measured (OpenSCAP), the encryption (LUKS) on the data, SSH cut to the bone, and the CVEs prioritized by real exposure, not by headline.


SELinux switched on with method (audit, tuning, then enforcing): the security that doesn't break the application.
OpenSCAP scheduled on the estate: the compliance report that guides the remediations.
The CVE on the exposed service before the one on the inert package: intelligent patching.
granular sudo, rotated keys, tracked sessions: who does what, always written down.
Linux security is built in layers: SELinux/AppArmor confine the processes (the compromised web server doesn't read /etc/shadow), auditd records the relevant syscalls (the evidence for the forensics), the CIS/STIG baselines get applied and measured with OpenSCAP (the compliance report generated, not declared), fapolicyd does the executables' allowlisting, SSH gets armored (keys, MFA, no root), the kernel gets tuned (sysctl, lockdown); the secret is the automation: the baseline in Ansible, the drift measured.
Web and APIs with the SELinux cage active.
The baselines with the evidence, generated by the process.
Serious hardening after (or better: before) the lesson.