Operating System Security Hardening Checker
Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.
Best use case
Operating System Security Hardening Checker is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.
Teams using Operating System Security Hardening Checker should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-os-validator/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Operating System Security Hardening Checker Compares
| Feature / Agent | Operating System Security Hardening Checker | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
## Purpose & When-To-Use
**Trigger conditions:**
- Operating system hardening validation before production deployment
- CIS benchmark compliance requirement
- OS patch management audit
- Post-incident OS security review
- Host security configuration assessment
**Not for:**
- Real-time OS threat detection (use EDR/host IDS tools)
- OS performance optimization (use performance monitoring tools)
- Cloud infrastructure security (use security-cloud-analyzer)
- Container security (use security-container-validator)
---
## Pre-Checks
**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates
**Input validation:**
- `os_platform` must be one of: [linux, windows, both]
- `os_distribution` must be one of: [ubuntu, rhel, centos, debian, windows-server] or omitted
- `cis_level` must be one of: [1, 2] (Level 1=basic, Level 2=comprehensive)
**Source freshness:**
- CIS Benchmarks (Linux, Windows) (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/cis-benchmarks
- NIST SP 800-53 Rev 5 (CM, SI families) (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
---
## Procedure
### Step 1: Critical OS Hardening Controls Check
**Patch Management:**
1. OS patches current (within 30 days of release)
2. Security patches prioritized over feature updates
3. Patch management process documented
4. Critical vulnerabilities patched within 7 days
**Kernel Hardening (Linux):**
1. SELinux or AppArmor enabled and enforcing
2. Kernel modules restricted (no unnecessary modules loaded)
3. Core dumps disabled for security
4. Address Space Layout Randomization (ASLR) enabled
**Host-Based Firewall:**
1. Firewall active (iptables, nftables, Windows Firewall)
2. Default-deny policy
3. Only necessary ports open
4. Firewall rules documented
**Services and Processes:**
1. Unnecessary services disabled (per CIS Benchmark, accessed 2025-10-26T01:33:55-04:00)
2. No legacy protocols enabled (Telnet, FTP, rsh)
3. Secure SSH configuration (no root login, key-based auth)
**File Integrity Monitoring:**
1. File integrity monitoring tool installed (AIDE, Tripwire, Samhain)
2. Critical system files monitored
3. Regular integrity checks scheduled
### Step 2: CIS Benchmark Compliance Scoring
For each CIS control assessed:
- Calculate compliance score: (passed controls / total controls) * 100
- Prioritize Level 1 controls (basic hardening)
- Include Level 2 controls if `cis_level=2` (defense-in-depth)
**Token budgets:**
- **T1:** ≤2k tokens (critical OS hardening controls)
- **T2:** ≤6k tokens (full CIS benchmark audit)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)
---
## Decision Rules
**Ambiguity thresholds:**
- If OS distribution unknown → use generic Linux or Windows CIS baseline
- If patch date unavailable → flag as unknown risk
**Abort conditions:**
- No OS platform specified → cannot proceed
- No OS access or configuration files → limited to documentation review
**Severity classification:**
- Critical: Unpatched critical CVEs, SELinux/AppArmor disabled (CVSS 9.0-10.0)
- High: Patches >30 days old, firewall disabled (CVSS 7.0-8.9)
- Medium: Unnecessary services, weak SSH config (CVSS 4.0-6.9)
- Low: Documentation gaps, CIS Level 2 deviations (CVSS 0.1-3.9)
---
## Output Contract
**Required fields:**
```json
{
"os_platform": "linux|windows|both",
"os_distribution": "ubuntu|rhel|centos|debian|windows-server or null",
"cis_level": "1|2",
"timestamp": "ISO-8601 with timezone",
"findings": [
{
"id": "unique identifier",
"category": "patching|kernel|firewall|services|fim",
"severity": "critical|high|medium|low",
"cvss_score": 0.0,
"title": "brief description",
"description": "detailed finding",
"cis_control": "CIS Benchmark control ID",
"nist_control": "SP 800-53 control (e.g., CM-7, SI-2)",
"remediation": "specific fix steps",
"remediation_command": "shell command or script"
}
],
"cis_compliance_score": 0.0,
"summary": {
"total_findings": 0,
"critical_count": 0,
"high_count": 0,
"overall_risk": "critical|high|medium|low"
}
}
```
---
## Examples
**Example: Linux Hardening Check**
```yaml
# Input
os_platform: "linux"
os_distribution: "ubuntu"
cis_level: "1"
# Output (abbreviated)
{
"os_platform": "linux",
"os_distribution": "ubuntu",
"findings": [
{
"id": "OS-001",
"category": "kernel",
"severity": "high",
"cvss_score": 7.8,
"title": "AppArmor not enabled",
"cis_control": "CIS Ubuntu 1.6.1",
"remediation_command": "systemctl enable apparmor && systemctl start apparmor"
}
],
"cis_compliance_score": 72.5,
"summary": {"high_count": 1, "overall_risk": "high"}
}
```
---
## Quality Gates
**Token budgets:**
- T1 ≤2k tokens (critical OS hardening controls)
- T2 ≤6k tokens (full CIS benchmark audit)
**Safety:**
- No system credentials in remediation commands
- No actual hostnames in examples
**Auditability:**
- Findings cite CIS Benchmark and NIST SP 800-53 controls
- Patch recommendations align with vendor advisories
**Determinism:**
- Same OS state + inputs = consistent findings
---
## Resources
**CIS Benchmarks:**
- CIS Benchmarks (all OS): https://www.cisecurity.org/cis-benchmarks (accessed 2025-10-26T01:33:55-04:00)
- CIS Ubuntu Benchmark: https://www.cisecurity.org/benchmark/ubuntu_linux (accessed 2025-10-26T01:33:55-04:00)
- CIS RHEL Benchmark: https://www.cisecurity.org/benchmark/red_hat_linux (accessed 2025-10-26T01:33:55-04:00)
- CIS Windows Server Benchmark: https://www.cisecurity.org/benchmark/microsoft_windows_server (accessed 2025-10-26T01:33:55-04:00)
**NIST Standards:**
- NIST SP 800-53 Rev 5 (CM, SI families): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (accessed 2025-10-26T01:33:55-04:00)
**Hardening Guides:**
- SELinux Documentation: https://www.redhat.com/en/topics/linux/what-is-selinux (accessed 2025-10-26T01:33:55-04:00)
- AppArmor Documentation: https://ubuntu.com/server/docs/security-apparmor (accessed 2025-10-26T01:33:55-04:00)Related Skills
Software Supply Chain Security Validator
Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.
Network Security Architecture Validator
Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.
IAM Security Reviewer
Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.
Cryptographic Security Validator
Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.
Container Security Checker
Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.
Cloud Security Posture Analyzer
Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.
Security Assessment Orchestrator
Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.
Application Security Validator
Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.
UX Design System Validator
Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.
UX Wireframe Designer
Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation
TypeScript Tooling Specialist
Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).
Python Tooling Specialist
Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).