This document explains how to configure hardn, the simple hardening tool for Linux.

hardn searches for a YAML configuration file in the following order:

- Path specified with the `--config` or `-f` flag
- Environment variable `HARDN_CONFIG` (if set)
- `/etc/hardn/hardn.yml` (system-wide configuration)
- `~/.config/hardn/hardn.yml` (XDG Base Directory specification)
- `~/.hardn.yml` (traditional dot-file in home directory)
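The search order above, worked through as a shell function so you can see which file hardn will actually read on a given host before running it with root privileges. This is an added example and not hardn's own code: the function names are hypothetical, `HARDN_SYSCONF_DIR` is an assumed override that lets the test point the system-wide location at a scratch directory, and treating an explicitly named but missing file (via the flag or `HARDN_CONFIG`) as an error rather than falling through is an assumption about hardn's behaviour. The second function applies the permission rule from the best-practice list at the end of this document (0644 or more restrictive).

```shell
#!/bin/sh
# Added example, not part of hardn: resolve the configuration file hardn would
# pick using the documented search order, then check that its permissions are
# 0644 or more restrictive. HARDN_SYSCONF_DIR is a hypothetical override that
# lets a test point the system-wide location at a scratch directory.

# Usage: hardn_resolve_config [PATH_FROM_FLAG]
# Prints the chosen path and returns 0, or returns 1 when nothing usable exists.
# An explicit flag or HARDN_CONFIG naming a missing file is treated as an error
# rather than silently falling through (an assumption about hardn's behaviour).
hardn_resolve_config() {
    flag_path="$1"
    sysconf_dir="${HARDN_SYSCONF_DIR:-/etc/hardn}"

    # 1. --config / -f flag
    if [ -n "$flag_path" ]; then
        [ -f "$flag_path" ] || return 1
        printf '%s\n' "$flag_path"
        return 0
    fi

    # 2. HARDN_CONFIG environment variable
    if [ -n "${HARDN_CONFIG:-}" ]; then
        [ -f "$HARDN_CONFIG" ] || return 1
        printf '%s\n' "$HARDN_CONFIG"
        return 0
    fi

    # 3. system-wide, 4. XDG, 5. traditional dot-file: first existing file wins
    for candidate in "$sysconf_dir/hardn.yml" \
                     "$HOME/.config/hardn/hardn.yml" \
                     "$HOME/.hardn.yml"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage: hardn_config_mode_ok FILE
# Returns 0 when FILE grants at most 0644: no execute bits, no group/world
# write, no setuid/setgid/sticky. Returns 2 if the mode cannot be read.
hardn_config_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        ???)  ;;                   # plain owner/group/other triple
        0???) mode=${mode#0} ;;    # some stat builds print a leading zero
        *)    return 1 ;;          # setuid/setgid/sticky bit present
    esac
    owner=${mode%??}
    rest=${mode#?}
    group=${rest%?}
    other=${rest#?}
    case "$owner" in 0|2|4|6) ;; *) return 1 ;; esac   # owner: rw at most
    case "$group" in 0|4) ;; *) return 1 ;; esac       # group: read at most
    case "$other" in 0|4) ;; *) return 1 ;; esac       # others: read at most
    return 0
}

# Stand-alone use: sh resolve_config.sh [config-path]
if cfg=$(hardn_resolve_config "$1"); then
    echo "hardn would use: $cfg"
    hardn_config_mode_ok "$cfg" || echo "warning: $cfg is more permissive than 0644" >&2
else
    echo "no configuration file found (hardn would offer to create one)" >&2
fi
```

Run it with the same `HARDN_CONFIG` and `sudo` setup you intend to use for hardn itself; if the path it prints is not the one you expected, the lookup order (flag first, then the environment variable, then the fixed locations) tells you which earlier candidate is shadowing your file.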
You can create a configuration file in several ways:
On first run, hardn will offer to create a default configuration file interactively if no existing config is found.
Copy the example configuration and customize it:

```bash
# For system-wide configuration (as root)
sudo mkdir -p /etc/hardn
sudo cp /etc/hardn/hardn.yml.example /etc/hardn/hardn.yml
sudo nano /etc/hardn/hardn.yml

# For user configuration
mkdir -p ~/.config/hardn
cp /etc/hardn/hardn.yml.example ~/.config/hardn/hardn.yml
nano ~/.config/hardn/hardn.yml
```

If no configuration file exists and you decline the interactive offer, hardn will create one at /etc/hardn/hardn.yml with default values.
You can set the HARDN_CONFIG environment variable to specify a configuration file location. This is particularly useful in automation scripts or when you want to maintain multiple configurations.
When using sudo, environment variables are typically not preserved. To preserve the HARDN_CONFIG environment variable when using sudo, use the `setup-sudo-env` command, which does the following:

- Creates a file in `/etc/sudoers.d/` for your user
- Adds a configuration line to preserve the `HARDN_CONFIG` environment variable
- Sets the correct permissions on the file
```bash
# Set up sudo to preserve HARDN_CONFIG (only needs to be done once)
sudo hardn setup-sudo-env

# Set your preferred config location for your current session
export HARDN_CONFIG=$HOME/.config/hardn/hardn.yml

# Run with sudo - the environment variable will be preserved
sudo hardn
```

To make the configuration persist across reboots and new shell sessions, add it to your shell's startup file by issuing the command for your respective shell:
Bash:

```bash
# For persistent configuration, add to your shell profile
echo 'export HARDN_CONFIG=$HOME/.config/hardn/hardn.yml' >> ~/.bashrc
# Reload the file to apply the changes
source ~/.bashrc
```

Zsh:

```zsh
echo 'export HARDN_CONFIG=$HOME/.config/hardn/hardn.yml' >> ~/.zshrc
# Reload the file to apply the changes
source ~/.zshrc
```

Fish:

```fish
set -Ux HARDN_CONFIG $HOME/.config/hardn/hardn.yml
```

If the environment variable is still unavailable, restart your terminal.
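The three steps that `setup-sudo-env` performs, written out as a small script so the resulting sudoers fragment can be inspected and reasoned about. This is an added example and not hardn's implementation: the function names, the fragment name `hardn-<user>` and the optional directory argument (which the test uses instead of `/etc/sudoers.d`) are assumptions. The rule is scoped with `Defaults:USER` so that only the named account, not every sudoer, can pass `HARDN_CONFIG` through to a root process.

```shell
#!/bin/sh
# Added example, not hardn's own setup-sudo-env: generate and install the
# sudoers.d fragment that makes sudo keep HARDN_CONFIG, following the three
# steps the section describes. The fragment name "hardn-<user>" and the
# optional DIR argument (used by the test instead of /etc/sudoers.d) are
# assumptions; a real install needs root and DIR=/etc/sudoers.d.

# Usage: hardn_sudoers_fragment USER -> prints the one-line sudoers rule
hardn_sudoers_fragment() {
    # Defaults:USER scopes the env_keep addition to that user only, so other
    # accounts do not gain the ability to pass HARDN_CONFIG through sudo.
    printf 'Defaults:%s env_keep += "HARDN_CONFIG"\n' "$1"
}

# Usage: hardn_write_sudoers_env USER [DIR] -> writes DIR/hardn-USER (mode 0440)
# and prints its path.
hardn_write_sudoers_env() {
    user="$1"
    dir="${2:-/etc/sudoers.d}"
    case "$user" in
        ""|*[!A-Za-z0-9._-]*) echo "refusing to write rule for user '$user'" >&2; return 1 ;;
    esac
    # sudo ignores files in sudoers.d whose names contain '.' or end in '~',
    # so map anything outside [A-Za-z0-9_-] in the user name to '_'.
    safe=$(printf '%s\n' "$user" | sed 's/[^A-Za-z0-9_-]/_/g')
    target="$dir/hardn-$safe"
    # Write to a temp file and rename, so sudo never parses a partial fragment.
    tmpf=$(mktemp "$dir/.hardn-XXXXXX") || return 1
    hardn_sudoers_fragment "$user" > "$tmpf"
    chmod 0440 "$tmpf"   # sudo requires 0440 on sudoers.d files
    mv "$tmpf" "$target"
    printf '%s\n' "$target"
}

# Stand-alone use: sh setup_sudo_env.sh USER [DIR]
if [ -n "${1:-}" ]; then
    hardn_write_sudoers_env "$1" "${2:-}"
fi
```

After installing a fragment for real, `visudo -c -f /etc/sudoers.d/hardn-<user>` confirms that sudo will parse it; a syntax error in any sudoers.d file can lock you out of sudo entirely, which is why the script writes through a temporary file and sets the mode before the rename.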
You can specify a different configuration file with the `-f` flag or the environment variable:

```bash
# Using command line flag
sudo hardn -f /path/to/custom-config.yml
```

For a complete list of configuration options, see the example configuration file at /etc/hardn/hardn.yml.example.
Here are the main configuration sections in YAML:

```yaml
username: "george"                # Default username to create
logFile: "/var/log/hardn.log"     # Log file path
dryRun: false                     # Preview changes without applying them
enableBackups: true               # Backup files before modifying them
backupPath: "/var/backups/hardn"  # Path to store backups
```

```yaml
dmzSubnet: "192.168.4"            # DMZ subnet for conditional package installation
nameservers:                      # DNS servers to configure
  - "1.1.1.1"
  - "1.0.0.1"
```

```yaml
sshPort: 22                       # SSH port (this is the authoritative SSH port used throughout the configuration)
                                  # Consider using a non-standard port (e.g., 2208) as a security measure
permitRootLogin: false            # Allow or deny root SSH access
sshAllowedUsers:                  # List of users allowed to access via SSH
  - "george"
sshListenAddress: "0.0.0.0"       # IP address to listen on
sshKeyPath: ".ssh_%u"             # Path to SSH keys (%u = username)
sshConfigFile: "/etc/ssh/sshd_config.d/hardn.conf"  # SSH config file location
```

Important: The sshPort setting is the single source of truth for SSH port configuration throughout the application. Hardn will automatically set an SSH policy with your configured port.

```yaml
enableAppArmor: false             # Set up and enable AppArmor
enableLynis: false                # Install and run Lynis security audit
enableUnattendedUpgrades: false   # Configure automatic security updates
enableUfwSshPolicy: false         # Configure UFW with SSH rules
configureDns: false               # Configure DNS settings
disableRoot: false                # Disable root SSH access
```

Hardn uses UFW application profiles to configure the firewall. These profiles are written to /etc/ufw/applications.d/hardn and provide a flexible way to define firewall rules.
```yaml
ufwAppProfiles:
  - name: LabHTTPS
    title: Lab Web Server (HTTPS)
    description: Lab Web server secure port
    ports:
      - "30443/tcp"  # non-standard 443
```

Each profile has these fields:

- `name`: Unique identifier for the profile (used in UFW commands)
- `title`: User-friendly title
- `description`: Description of the service
- `ports`: List of ports in the format "port/protocol" (e.g., "30443/tcp")

The default incoming policy is always set to "deny" and the default outgoing policy to "allow" for security.
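What one `ufwAppProfiles` entry becomes once written to `/etc/ufw/applications.d/hardn`, with the port format validated before anything is emitted. This is an added example and not hardn's own code (hardn reads the YAML itself; here the fields are passed as arguments, and the function names are assumptions). The stanza layout (`[name]`, `title=`, `description=`, `ports=`, several specs joined with `|`) is the format ufw's own application profiles use. Validating the spec matters because a profile with a malformed or out-of-range port is either rejected by ufw, leaving the service unreachable, or worse, opens something other than what the YAML author intended.

```shell
#!/bin/sh
# Added example, not hardn's own code: turn one ufwAppProfiles entry into the
# stanza ufw expects in /etc/ufw/applications.d/hardn, validating each port
# spec first so a typo in the YAML cannot produce a profile ufw rejects (or
# one that opens more than intended). Function names and the argument layout
# are assumptions; hardn's real implementation reads the YAML directly.

# Usage: hardn_valid_port_spec SPEC
# Accepts "PORT/tcp", "PORT/udp" and ranges "LOW:HIGH/proto" with 1..65535.
hardn_valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;            # protocol is mandatory in the documented format
    esac
    ports=${spec%/*}
    lo=${ports%%:*}
    hi=${ports#*:}                # equals $lo when there is no range
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Usage: hardn_ufw_profile NAME TITLE DESCRIPTION PORT_SPEC...
# Prints the profile stanza; multiple port specs are joined with '|' as ufw's
# own profiles do.
hardn_ufw_profile() {
    name="$1"; title="$2"; desc="$3"; shift 3
    [ $# -ge 1 ] || { echo "profile $name: at least one port is required" >&2; return 1; }
    joined=""
    for spec in "$@"; do
        hardn_valid_port_spec "$spec" || { echo "profile $name: invalid port spec '$spec'" >&2; return 1; }
        joined="${joined:+$joined|}$spec"
    done
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$name" "$title" "$desc" "$joined"
}

# Stand-alone use: renders the LabHTTPS profile from the documentation example.
hardn_ufw_profile LabHTTPS "Lab Web Server (HTTPS)" "Lab Web server secure port" "30443/tcp"
```

Once the stanza is in place, `sudo ufw app list` should show `LabHTTPS`, and `sudo ufw allow LabHTTPS` opens exactly the ports in that profile; with the default incoming policy of "deny", nothing outside the listed profiles is reachable.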
- System Hardening: For production servers, enable all security features:

  ```yaml
  enableAppArmor: true
  enableLynis: true
  enableUnattendedUpgrades: true
  enableUfwSshPolicy: true
  configureDns: true
  disableRoot: true
  ```

- Development Environment: For testing, you may want to use:

  ```yaml
  dryRun: true
  enableBackups: true
  ```

- SSH Security: Always use key-based authentication:

  ```yaml
  sshPort: 2208           # Non-standard SSH port (security measure; default: 22)
  permitRootLogin: false
  sshKeys:
    - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... george@example.com"
  ```
- Keep your configuration file secure with appropriate permissions (0644 or more restrictive)
- For portable use, maintain configurations in a secure location and explicitly reference them with `--config` or `HARDN_CONFIG`
- Regularly review and update your configuration
- Use version control for tracking configuration changes
- For multi-server deployments, consider using a configuration management tool to distribute configurations

- Run `hardn` with `--dry-run` to preview changes without applying them
- Check the log file (default: `/var/log/hardn.log`) for detailed information
- If you encounter issues, create a backup of your configuration before making changes