Linux Security Checks
15 checks Pareto Security runs on Linux
Each check covers a common security misconfiguration on Linux, with links to step-by-step fixes.
Access Security
| Check | Description | Required in frameworks |
|---|---|---|
| Automatic login is off | Automatic login lets anyone access your account at boot without entering a password or biometric. | CIS, ISO, NIST CSF, Essentials, SOC |
| Docker | Docker runs in rootless mode so a container escape can't gain system-wide root access. | |
| Password is required to unlock the screen | Waking from sleep or the screensaver requires a password, PIN, or biometric instead of unlocking on any keypress. | CIS, ISO, NIST CSF, Essentials, SOC |
| Password manager is installed | A password manager helps you generate, store, and use a unique strong password for every account. | NIST CSF, Essentials, SOC |
| SSH keys require a password | SSH private keys are passphrase-protected, so a stolen key alone can't be used to log in. | |
| SSH keys use strong encryption | SSH keys use an algorithm and size strong enough to resist brute-forcing. | |
Application Updates
| Check | Description | Required in frameworks |
|---|---|---|
| Application updates | Installed packages are kept patched, since outdated software is a primary attack vector. | CIS, ISO, NIST CSF, Essentials, SOC |
| Package managers delay new releases | Developer package managers wait at least 7 days before installing newly published packages, giving registries time to detect compromised releases. | SOC |
| Pareto Security is up to date | You're running the most recent version of the Pareto Security agent so it ships the latest checks. | Essentials |
Firewall & Sharing
| Check | Description | Required in frameworks |
|---|---|---|
| File sharing is off | File sharing services (Samba, NFS, FTP) expose files to other devices on the network and should be off unless needed. | CIS, Essentials |
| Firewall is on and configured | A host firewall (ufw, firewalld, or nftables) controls network traffic and blocks unauthorized inbound connections. | CIS, ISO, NIST CSF, Essentials, SOC |
| Printer sharing is off | Printer sharing exposes attached printers to other devices on the network and should be off unless needed. | CIS, Essentials |
| Remote login is off | Remote login (SSH) lets other devices control your computer and should only be on when actively needed. | CIS, Essentials |
System Integrity
| Check | Description | Required in frameworks |
|---|---|---|
| Boot is secure | The boot process is protected against tampering, preventing bootkits and unsigned kernel modules from loading. | CIS, ISO, NIST CSF, Essentials, SOC |
| Encryption is on | Disk encryption (LUKS) protects the data on your drives, so files stay secure even if the device is stolen. | CIS, ISO, NIST CSF, SOC |