Security Hardening
Protecting Linux systems and containers through kernel-level security.
Overview
Security isn’t just firewalls—it’s defense in depth. This section covers the Linux security mechanisms that protect containers and hosts: kernel tuning, mandatory access controls (AppArmor, SELinux), and system call filtering (seccomp).
Modules
| # | Module | Description | Time |
|---|---|---|---|
| 4.1 | Kernel Hardening & sysctl | Network stack, memory protection, kernel parameters | 25-30 min |
| 4.2 | AppArmor Profiles | Mandatory access control, profile modes, K8s integration | 30-35 min |
| 4.3 | SELinux Contexts | Policies, contexts, enforcing mode, troubleshooting | 35-40 min |
| 4.4 | seccomp Profiles | System call filtering, custom profiles | 25-30 min |
Why This Section Matters
Linux security features are directly used by Kubernetes:
- sysctl — Node hardening, network security
- AppArmor — Pod security profiles (Ubuntu/Debian)
- SELinux — Pod security profiles (RHEL/CentOS)
- seccomp — System call filtering for containers
CKS (Certified Kubernetes Security Specialist) specifically tests these topics.
Prerequisites
- Container Primitives — Especially capabilities & LSMs
- Networking — For network hardening
Key Takeaways
After completing this section, you’ll understand:
- How to harden Linux kernels via sysctl
- How AppArmor profiles restrict application behavior
- How SELinux provides mandatory access control
- How seccomp filters dangerous system calls
Related Sections
- Previous: Networking
- Next: Operations/Performance
- CKS: Directly tested in System Hardening domain