In computer technology, hardening is understood to mean increasing the security of a system by using only dedicated software that is necessary for the operation of the system and whose correct operation can be guaranteed from a security perspective. The system should be better protected against attacks.
The Federal Office for Information Security called hardening in the IT security "[...] the removal of all software components and features that are not absolutely necessary for the fulfillment of the action planned by the program." .
The aim is to create a system that can be used by many, even less trustworthy people. For example, there is the hardened project for Gentoo Linux, which compiles a kernel version and other system services with which a secure Linux system can also be made available to third-party users.
In practice, the goals of hardening measures have emerged:
- the reduction of the possibilities for exploiting vulnerabilities
- the minimization of possible attack methods
- the limitation of the tools available to an attacker after a successful attack
- the minimization of the privileges available to an attacker after a successful attack
- increasing the likelihood of a successful attack being discovered
A possible reduction in the complexity and maintenance effort of the system can also be seen as a secondary objective of the hardening , which can lead to greater controllability and thus a minimization of administration errors.
Common methods of hardening are for example:
- Removal or deactivation of software components that are not absolutely necessary for operation
- Use of unprivileged user accounts to execute server processes
- Adjustment of file system rights and their inheritance
- Using chroot or other jails to run software
- Use of Mandatory Access Control
- Use of encryption , e.g. B. for data transmission
- Use of software that is as error-free as possible and without known vulnerabilities
An operating system can be described as a "hardened system":
- When address ranges for program libraries ( ASLR ) and programs (PIE) are randomly assigned in virtual memory. ASLR can only be implemented by the manufacturer of these libraries at the time of creation, not afterwards during operation.
- In which only the components and services are installed that are required for actual operation
- All unnecessary user accounts are deleted
- All unneeded ports are closed
- Restrictive rights are set
- Strict system guidelines are assigned
Hardening measures are to be viewed separately from other security measures such as patch cycles, the introduction of antivirus solutions , firewalls or IDS / IPS , which represent complementary methods of prevention.
- Claudia Eckert: IT Security: Concepts - Procedures - Protocols , 8th edition 2013, p. 181 ( excerpt from Google Books )
- IT Security Guide, BSI, 2012
- The Gentoo hardened project documentation overview