Skip to content
Indus LeveL
Linux Hardening GCP Security Compliance

Enterprise Linux Hardening for Financial Applications on GCP

A comprehensive checklist and guide to hardening Linux VMs on GCP for strict compliance and security in financial applications.

2 min read
Enterprise Linux Hardening for Financial Applications on GCP

When running financial applications in the cloud, securing the underlying operating system is as critical as securing the network and application layers. Financial environments often require compliance with strict standards like PCI-DSS or SOC2, which mandate rigorous OS-level hardening.

In this post, I will share the practical checklist and commands I used to harden Enterprise Linux VMs running on Google Cloud Platform (GCP) for financial workloads.


1. Kernel Sysctl & Network Hardening

This step sets strict ptrace restrictions, hides kernel pointers, disables core dumps, restricts unprivileged BPF and io_uring, and locks down network routing to prevent spoofing and unauthorized forwarding.

Hardening Command:

sudo bash -c 'cat > /etc/sysctl.d/99-enterprise-security.conf <<EOF
kernel.yama.ptrace_scope = 3
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.randomize_va_space = 2
kernel.perf_event_paranoid = 2
kernel.unprivileged_bpf_disabled = 1
kernel.io_uring_disabled = 1
fs.suid_dumpable = 0
kernel.panic_on_oops = 1
kernel.kexec_load_disabled = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF'
sudo sysctl --system

Verification Command:

sudo sysctl kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict fs.suid_dumpable kernel.randomize_va_space kernel.perf_event_paranoid kernel.unprivileged_bpf_disabled kernel.io_uring_disabled kernel.panic_on_oops kernel.modules_disabled kernel.kexec_load_disabled

Revert Command:

sudo rm -f /etc/sysctl.d/99-enterprise-security.conf

2. Disable Core Dumps

Core dumps can write the memory contents of a crashed process to disk. In a financial application, this memory may contain sensitive secrets or PII. Disabling core dumps prevents this data leakage.

Hardening Command:

sudo bash -c 'cat > /etc/security/limits.d/99-no-coredumps.conf <<EOF
* hard core 0
* soft core 0
root hard core 0
root soft core 0
EOF'
sudo mkdir -p /etc/systemd/coredump.conf.d
sudo bash -c 'cat > /etc/systemd/coredump.conf.d/disable.conf <<EOF
[Coredump]
Storage=none
ProcessSizeMax=0
EOF'
sudo systemctl daemon-reload
sudo systemctl restart systemd-coredump 2>/dev/null || true

Verification Command:

ulimit -c -H
ulimit -c -S
cat /etc/systemd/coredump.conf.d/disable.conf

Revert Command:

sudo rm -f /etc/security/limits.d/99-no-coredumps.conf
sudo rm -f /etc/systemd/coredump.conf.d/disable.conf
sudo systemctl daemon-reload
sudo systemctl restart systemd-coredump 2>/dev/null || true

3. /proc Visibility (hidepid)

Hiding process information from unprivileged users prevents local attackers from discovering other running processes on the system. We whitelist the GCP Ops Agent so it can continue to collect metrics.

Hardening Command:

sudo cp /etc/fstab /etc/fstab.bak
sudo groupadd -r proc 2>/dev/null || true
sudo usermod -a -G proc google-cloud-ops-agent 2>/dev/null || true
grep -q "hidepid" /etc/fstab || echo "proc /proc proc defaults,hidepid=2,gid=proc 0 0" | sudo tee -a /etc/fstab
sudo mount -o remount /proc
systemctl daemon-reload

Verification Command:

findmnt /proc

Revert Command:

sudo cp /etc/fstab.bak /etc/fstab
sudo mount -o remount /proc

4. Secure Filesystem Mounts (/tmp)

Mounting temporary directories as tmpfs with the nodev, nosuid, and noexec options prevents attackers from executing malware scripts downloaded to these world-writable locations.

Hardening Command:

grep -q "tmpfs /tmp" /etc/fstab || echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,mode=1777 0 0" | sudo tee -a /etc/fstab
grep -q "tmpfs /var/tmp" /etc/fstab || echo "tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,mode=1777 0 0" | sudo tee -a /etc/fstab
sudo mount /tmp 2>/dev/null || true
sudo mount /var/tmp 2>/dev/null || true

Verification Command:

findmnt /tmp
findmnt /var/tmp

Revert Command:

sudo cp /etc/fstab.bak /etc/fstab
sudo umount /tmp 2>/dev/null || true
sudo umount /var/tmp 2>/dev/null || true

5. Kernel Module Lock

To prevent attackers from loading malicious kernel modules (rootkits) after the system has booted, we lock down module loading via a systemd service that runs after multi-user.target is reached.

Hardening Command:

sudo bash -c 'cat > /etc/systemd/system/disable-kernel-modules.service <<EOF
[Unit]
Description=Disable kernel module loading after boot
After=multi-user.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/sysctl -w kernel.modules_disabled=1
[Install]
WantedBy=multi-user.target
EOF'
sudo systemctl enable disable-kernel-modules.service
sudo systemctl start disable-kernel-modules.service

Verification Command:

sudo modprobe dummy

(This should fail if modules are successfully disabled).

Revert Command:

sudo systemctl stop disable-kernel-modules.service
sudo systemctl disable disable-kernel-modules.service
sudo rm -f /etc/systemd/system/disable-kernel-modules.service
sudo systemctl daemon-reload

6. SSH Hardening

We enforce strict SSH settings to disable password authentication and root login, while ensuring that GCP IAP (Identity-Aware Proxy) tunneling still functions correctly for secure access.

Hardening Command:

sudo bash -c 'cat > /etc/ssh/sshd_config.d/99-hardening.conf <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding yes
AllowAgentForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
LoginGraceTime 30
EOF'
sudo sshd -t && sudo systemctl reload ssh

Verification Command:

sudo sshd -T | grep -E 'permitrootlogin|passwordauthentication|permitemptypasswords|x11forwarding|allowtcpforwarding'

Revert Command:

sudo rm -f /etc/ssh/sshd_config.d/99-hardening.conf
sudo sshd -t && sudo systemctl reload ssh

7. AppArmor & Auditd

We ensure AppArmor is active to enforce security profiles, and install auditd to monitor critical system files and track modifications to passwords or security configurations.

Hardening Command:

sudo apt-get update && sudo apt-get install -y apparmor-utils apparmor-profiles auditd audispd-plugins

Verification Command:

sudo aa-status
sudo systemctl status auditd --no-pager
sudo auditctl -l

Revert Command:

sudo rm -f /etc/audit/rules.d/99-security.rules
sudo augenrules --load

8. Final System Unlock (Reboot)

Rollback Reboot Command:

sudo reboot

This guide provides a starting baseline. Depending on your specific workload and regulatory demands, you may need to layer additional controls like SELinux, file integrity monitoring (FIM), or centralized logging.

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.