When running financial applications in the cloud, securing the underlying operating system is as critical as securing the network and application layers. Financial environments often require compliance with strict standards like PCI-DSS or SOC2, which mandate rigorous OS-level hardening.
In this post, I will share the practical checklist and commands I used to harden Enterprise Linux VMs running on Google Cloud Platform (GCP) for financial workloads.
1. Kernel Sysctl & Network Hardening
This step sets strict ptrace restrictions, hides kernel pointers, disables core dumps, restricts unprivileged BPF and io_uring, and locks down network routing to prevent spoofing and unauthorized forwarding.
Hardening Command:
sudo bash -c 'cat > /etc/sysctl.d/99-enterprise-security.conf <<EOF
kernel.yama.ptrace_scope = 3
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.randomize_va_space = 2
kernel.perf_event_paranoid = 2
kernel.unprivileged_bpf_disabled = 1
kernel.io_uring_disabled = 1
fs.suid_dumpable = 0
kernel.panic_on_oops = 1
kernel.kexec_load_disabled = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF'
sudo sysctl --system Verification Command:
sudo sysctl kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict fs.suid_dumpable kernel.randomize_va_space kernel.perf_event_paranoid kernel.unprivileged_bpf_disabled kernel.io_uring_disabled kernel.panic_on_oops kernel.modules_disabled kernel.kexec_load_disabled Revert Command:
sudo rm -f /etc/sysctl.d/99-enterprise-security.conf 2. Disable Core Dumps
Core dumps can write the memory contents of a crashed process to disk. In a financial application, this memory may contain sensitive secrets or PII. Disabling core dumps prevents this data leakage.
Hardening Command:
sudo bash -c 'cat > /etc/security/limits.d/99-no-coredumps.conf <<EOF
* hard core 0
* soft core 0
root hard core 0
root soft core 0
EOF'
sudo mkdir -p /etc/systemd/coredump.conf.d
sudo bash -c 'cat > /etc/systemd/coredump.conf.d/disable.conf <<EOF
[Coredump]
Storage=none
ProcessSizeMax=0
EOF'
sudo systemctl daemon-reload
sudo systemctl restart systemd-coredump 2>/dev/null || true Verification Command:
ulimit -c -H
ulimit -c -S
cat /etc/systemd/coredump.conf.d/disable.conf Revert Command:
sudo rm -f /etc/security/limits.d/99-no-coredumps.conf
sudo rm -f /etc/systemd/coredump.conf.d/disable.conf
sudo systemctl daemon-reload
sudo systemctl restart systemd-coredump 2>/dev/null || true 3. /proc Visibility (hidepid)
Hiding process information from unprivileged users prevents local attackers from discovering other running processes on the system. We whitelist the GCP Ops Agent so it can continue to collect metrics.
Hardening Command:
sudo cp /etc/fstab /etc/fstab.bak
sudo groupadd -r proc 2>/dev/null || true
sudo usermod -a -G proc google-cloud-ops-agent 2>/dev/null || true
grep -q "hidepid" /etc/fstab || echo "proc /proc proc defaults,hidepid=2,gid=proc 0 0" | sudo tee -a /etc/fstab
sudo mount -o remount /proc
systemctl daemon-reload Verification Command:
findmnt /proc Revert Command:
sudo cp /etc/fstab.bak /etc/fstab
sudo mount -o remount /proc 4. Secure Filesystem Mounts (/tmp)
Mounting temporary directories as tmpfs with the nodev, nosuid, and noexec options prevents attackers from executing malware scripts downloaded to these world-writable locations.
Hardening Command:
grep -q "tmpfs /tmp" /etc/fstab || echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,mode=1777 0 0" | sudo tee -a /etc/fstab
grep -q "tmpfs /var/tmp" /etc/fstab || echo "tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,mode=1777 0 0" | sudo tee -a /etc/fstab
sudo mount /tmp 2>/dev/null || true
sudo mount /var/tmp 2>/dev/null || true Verification Command:
findmnt /tmp
findmnt /var/tmp Revert Command:
sudo cp /etc/fstab.bak /etc/fstab
sudo umount /tmp 2>/dev/null || true
sudo umount /var/tmp 2>/dev/null || true 5. Kernel Module Lock
To prevent attackers from loading malicious kernel modules (rootkits) after the system has booted, we lock down module loading via a systemd service that runs after multi-user.target is reached.
Hardening Command:
sudo bash -c 'cat > /etc/systemd/system/disable-kernel-modules.service <<EOF
[Unit]
Description=Disable kernel module loading after boot
After=multi-user.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/sysctl -w kernel.modules_disabled=1
[Install]
WantedBy=multi-user.target
EOF'
sudo systemctl enable disable-kernel-modules.service
sudo systemctl start disable-kernel-modules.service Verification Command:
sudo modprobe dummy (This should fail if modules are successfully disabled).
Revert Command:
sudo systemctl stop disable-kernel-modules.service
sudo systemctl disable disable-kernel-modules.service
sudo rm -f /etc/systemd/system/disable-kernel-modules.service
sudo systemctl daemon-reload 6. SSH Hardening
We enforce strict SSH settings to disable password authentication and root login, while ensuring that GCP IAP (Identity-Aware Proxy) tunneling still functions correctly for secure access.
Hardening Command:
sudo bash -c 'cat > /etc/ssh/sshd_config.d/99-hardening.conf <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding yes
AllowAgentForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
LoginGraceTime 30
EOF'
sudo sshd -t && sudo systemctl reload ssh Verification Command:
sudo sshd -T | grep -E 'permitrootlogin|passwordauthentication|permitemptypasswords|x11forwarding|allowtcpforwarding' Revert Command:
sudo rm -f /etc/ssh/sshd_config.d/99-hardening.conf
sudo sshd -t && sudo systemctl reload ssh 7. AppArmor & Auditd
We ensure AppArmor is active to enforce security profiles, and install auditd to monitor critical system files and track modifications to passwords or security configurations.
Hardening Command:
sudo apt-get update && sudo apt-get install -y apparmor-utils apparmor-profiles auditd audispd-plugins Verification Command:
sudo aa-status
sudo systemctl status auditd --no-pager
sudo auditctl -l Revert Command:
sudo rm -f /etc/audit/rules.d/99-security.rules
sudo augenrules --load 8. Final System Unlock (Reboot)
Critical Reboot Notice
Because settings like ptrace restrictions, module loading locks, and kernel pointer restrictions are hard-locked in the kernel until a reboot occurs, you MUST reboot the system to complete a full rollback or to apply certain dynamic changes.
Rollback Reboot Command:
sudo reboot This guide provides a starting baseline. Depending on your specific workload and regulatory demands, you may need to layer additional controls like SELinux, file integrity monitoring (FIM), or centralized logging.