security-hardening

# Security Hardening

## Purpose

Proactive reduction of attack surface across infrastructure layers through systematic configuration hardening, least-privilege enforcement, and automated security controls. Applies industry-standard CIS Benchmarks and zero-trust principles to operating systems, containers, cloud configurations, networks, and databases.

## When to Use This Skill

Invoke this skill when:
- Hardening production infrastructure before deployment
- Meeting compliance requirements (SOC 2, PCI-DSS, HIPAA, FedRAMP)
- Implementing zero-trust security architecture
- Reducing container or cloud misconfiguration risks
- Preparing for security audits or penetration tests
- Automating security baseline enforcement
- Responding to vulnerability scan findings

## Hardening Layers

Security hardening applies across five infrastructure layers:

### Layer 1: Operating System (Linux)
- Kernel parameter tuning (sysctl)
- SSH configuration hardening
- User and group management
- File system permissions and mount options
- Service minimization
- SELinux/AppArmor enforcement

### Layer 2: Container
- Minimal base images (Chainguard, Distroless, Alpine)
- Non-root container execution
- Read-only root filesystems
- Seccomp and AppArmor profiles
- Resource limits and capabilities dropping
- Pod Security Standards enforcement

### Layer 3: Cloud Configuration
- IAM least privilege and MFA enforcement
- Network security groups and NACL configuration
- Encryption at rest and in transit
- Public access blocking
- Logging and monitoring enablement
- CSPM (Cloud Security Posture Management) integration

### Layer 4: Network
- Default-deny network policies
- Network segmentation and micro-segmentation
- TLS/mTLS enforcement
- Firewall rule minimization
- DNS security (DNSSEC, DNS filtering)

### Layer 5: Database
- Authentication and authorization hardening
- Connection encryption (SSL/TLS)
- Audit logging enablement
- Network isolation and access control
- Role-based permissions wi