Pareto Security
Linux Security Checks

15 checks Pareto Security runs on Linux

Each check covers a common security misconfiguration on Linux, with links to step-by-step fixes.

Access Security

CheckDescriptionRequired in frameworks
Automatic login is offAutomatic login lets anyone access your account at boot without entering a password or biometric.
CISISONIST CSFEssentialsSOC
DockerDocker runs in rootless mode so a container escape can't gain system-wide root access.
Password is required to unlock the screenWaking from sleep or the screensaver requires a password, PIN, or biometric instead of unlocking on any keypress.
CISISONIST CSFEssentialsSOC
Password manager is installedA password manager helps you generate, store, and use a unique strong password for every account on Linux.
NIST CSFEssentialsSOC
SSH keys require a passwordSSH private keys are passphrase-protected, so a stolen key alone can't be used to log in.
SSH keys use strong encryptionSSH keys use an algorithm and size strong enough to resist brute-forcing.

Application Updates

CheckDescriptionRequired in frameworks
Application updatesInstalled packages are kept patched, since outdated software is a primary attack vector.
CISISONIST CSFEssentialsSOC
Package managers delay new releasesOn Linux, developer package managers wait at least 7 days before installing new packages, so registries can catch compromised releases first.
SOC
Pareto Security is up to dateYou're running the most recent version of the Pareto Security agent so it ships the latest checks.
Essentials

Firewall & Sharing

CheckDescriptionRequired in frameworks
File sharing is offFile sharing services (Samba, NFS, FTP) expose files to other devices on the network and should be off unless needed.
CISEssentials
Firewall is on and configuredA host firewall (ufw, firewalld, or nftables) controls network traffic and blocks unauthorized inbound connections.
CISISONIST CSFEssentialsSOC
Printer sharing is offPrinter sharing exposes attached printers to other devices on the network and should be off unless needed.
CISEssentials
Remote login is offRemote login (SSH) lets other devices control your computer and should only be on when actively needed.
CISEssentials

System Integrity

CheckDescriptionRequired in frameworks
Boot is secureThe boot process is protected against tampering, preventing bootkits and unsigned kernel modules from loading.
CISISONIST CSFEssentialsSOC
Encryption is onDisk encryption (LUKS) protects the data on your drives, so files stay secure even if the device is stolen.
CISISONIST CSFSOC

Keep your business secure with Pareto CloudNon-Invasive Device Monitoring.