ClaudeWave
Skill · 72 repo stars · updated 11d ago

Blue Team Defense & Hardening

System hardening, detection engineering, security baseline monitoring, patch management, defense-in-depth architecture, and security posture improvement

Install in Claude Code

git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/blue-team-defense-hardening && cp -r /tmp/blue-team-defense-hardening/skills/15-blue-team-defense ~/.claude/skills/blue-team-defense-hardening
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Blue Team Defense & Hardening

## Purpose

Enable Claude to assist defenders with comprehensive security hardening, detection rule engineering, security baseline establishment, patch management, and security architecture review. Claude directly analyzes provided configurations, scripts, and system state — then produces specific hardening commands, detection rules, and improvement plans.

---

## Activation Triggers

This skill activates when the user asks about:
- Hardening Linux (Ubuntu, RHEL, CentOS, Debian) servers
- Hardening Windows Server or Windows workstations (CIS Benchmarks)
- Creating detection rules (Sigma, Splunk, KQL, YARA, Snort/Suricata)
- Security baseline definition and monitoring
- Patch management strategy and prioritization
- Security architecture review (defense-in-depth, zero trust)
- Implementing Sysmon, auditd, or Windows audit policy
- Hardening SSH, nginx, Apache, or database configurations
- Network security controls and microsegmentation
- Endpoint protection (EDR, HIPS) configuration guidance
- Security posture improvement after a red team or pentest

---

## Prerequisites

```bash
pip install pyyaml jinja2 requests
```

**Tools used in this skill:**
- `Sysmon` — Windows endpoint telemetry (SwiftOnSecurity config recommended)
- `auditd` — Linux audit daemon
- `Lynis` — Linux security auditing tool
- `OpenSCAP / oscap` — CIS/STIG compliance scanning
- `fail2ban` — SSH and service brute-force protection
- `CIS-CAT` — CIS Benchmark compliance tool

---

## Core Capabilities

### 1. Linux System Hardening

**When the user asks to harden a Linux server:**

Claude produces specific commands ready to run.

#### SSH Hardening
```bash
# Secure SSH configuration.  sshd keeps the FIRST value it reads for each keyword,
# so directives appended to the end of sshd_config are shadowed by any earlier line.
# Modern distributions (Debian 12+, Ubuntu 20.04+, RHEL 9+) start sshd_config with
# `Include /etc/ssh/sshd_config.d/*.conf`; drop-ins are read in lexical order and
# first value wins, so a low-numbered drop-in is the reliable place for hardening.
cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%F)"
cat > /etc/ssh/sshd_config.d/00-hardening.conf << 'EOF'
# Security hardening
# (Protocol 2 has been the only protocol since OpenSSH 7.4; the keyword is ignored there)
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
# Explicit user allowlist: replace the placeholder with real usernames.
# Keep comments on their own line; some sshd releases treat trailing words as usernames.
AllowUsers [specific_users]
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
Banner /etc/ssh/banner
EOF

# Subsystem may be defined only once (a duplicate makes `sshd -t` fail), so enable
# sftp logging by editing the existing line in place rather than adding a second one
sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]].*|Subsystem sftp /usr/lib/openssh/sftp-server -l INFO|' /etc/ssh/sshd_config

# Validate the config and restart SSH; keep the current session open until a fresh
# login succeeds, because a mistake here locks you out
sshd -t && systemctl restart sshd
```
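As an added check that is not part of the original skill: a POSIX sh script that compares the settings sshd actually resolved (the output of `sshd -T`, which applies Include and first-match handling) against the baseline above. It is run here on a constructed `sshd -T` sample in which the `PasswordAuthentication no` line was shadowed by an earlier `yes`; the baseline keys and values are assumed to match your policy.

```shell
# Added check: compare effective sshd settings (as printed by `sshd -T`, which
# resolves Include and first-match handling) with the hardening baseline.
# Keys are lowercase because that is how `sshd -T` prints them.
BASELINE='permitrootlogin no
passwordauthentication no
permitemptypasswords no
maxauthtries 3
logingracetime 30
clientaliveinterval 300
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no'

# check_sshd_config "<sshd -T output>": prints one MISMATCH line per deviation,
# returns 0 when every baseline key has the expected value, 1 otherwise.
check_sshd_config() {
    effective=$1
    rc=0
    while read -r key want; do
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return "$rc"
}

# Constructed sample of `sshd -T` output (not captured from a real host): the
# hardening's "PasswordAuthentication no" was shadowed by an earlier "yes".
SAMPLE_OUTPUT='port 22
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
maxauthtries 3
logingracetime 30
clientaliveinterval 300
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no'

check_sshd_config "$SAMPLE_OUTPUT" || echo "drift found in sample (expected)"
# On a real host: check_sshd_config "$(sshd -T 2>/dev/null)" || echo "sshd baseline drift"
```

`sshd -T` needs root and, where Match blocks are used, `-C user=...,host=...,addr=...` to resolve a specific connection's view of the config.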

#### Kernel Hardening (sysctl)
```bash
# /etc/sysctl.d/99-security.conf
# For several net.ipv4.conf.* keys the kernel combines the "all" and per-interface
# values (accept_redirects and send_redirects are enabled if EITHER is set while
# forwarding is off), so set "default" as well to cover current and new interfaces.
cat > /etc/sysctl.d/99-security.conf << 'EOF'
# Disable IP forwarding (unless this is a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable source routing (prevents IP spoofing attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable ICMP redirects (prevents routing manipulation)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Log suspicious (martian) packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable IPv6 if not needed (omit these two lines on dual-stack hosts)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Address space layout randomization (2 = randomize stack, mmap base and brk)
kernel.randomize_va_space = 2

# Disallow core dumps from setuid programs (a dump could expose secrets held in memory)
fs.suid_dumpable = 0

# Restrict kernel log access to root
kernel.dmesg_restrict = 1

# Disable magic SysRq key
kernel.sysrq = 0

# Hide kernel pointers in /proc and kallsyms, even from root
kernel.kptr_restrict = 2

# Restrict ptrace to descendants of the tracing process (Yama restricted mode)
kernel.yama.ptrace_scope = 1
EOF

# Apply every file under /etc/sysctl.d; verify with e.g. sysctl net.ipv4.conf.all.accept_redirects
sysctl --system
```

#### Firewall Configuration (iptables/nftables)
```bash
# UFW (Uncomplicated Firewall) — Ubuntu/Debian
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh                    # or: ufw allow from [admin_ip] to any port 22
ufw allow from [monitoring_ip] to any port 9100  # Prometheus node exporter (internal only)
ufw enable
ufw status verbose

# iptables — manual approach for fine-grained control.
# Rule order matters: iptables stops at the first matching rule, so the SSH
# rate-limit rules must come BEFORE the SSH accept rule or they never see traffic.
iptables -F                              # Flush rules in the built-in chains
iptables -X                              # Delete (now empty) user-defined chains

# Allow established/related connections (added before the DROP policy so the
# admin session running these commands survives)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Rate-limit SSH to slow brute force: record each NEW attempt, then drop a source
# that has made 4 or more attempts within 60 seconds
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Allow SSH from specific subnet only
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT

# Allow HTTPS
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Log and drop everything else (logging is rate-limited so a flood cannot fill the log)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-DROP: " --log-level 7
iptables -A INPUT -j DROP

# Default policies, set last so the allow rules are in place before deny takes effect
iptables -P INPUT DROP                   # Default deny
iptables -P FORWARD DROP                 # Default deny forwarding
iptables -P OUTPUT ACCEPT                # Allow all outbound (or restrict too)

# Save rules (this path is used by the iptables-persistent package on Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4
```

#### File System Security
```bash
# Find SUID/SGID binaries (audit these); -xdev stays on one filesystem, so run
# once per local mount point instead of descending into /proc, /sys or network shares
find / -xdev -perm /4000 -type f 2>/dev/null | sort   # SUID
find / -xdev -perm /2000 -type f 2>/dev/null | sort   # SGID

# Remove unnecessary SUID bits
chmod u-s /usr/bin/at    # Example: remove SUID from 'at' if not needed

# World-writable files (should be minimal)
find / -xdev -perm -002 -type f 2>/dev/null

# Secure /tmp and /var/tmp
# In /etc/fstab, add: nodev,nosuid,noexec for /tmp
# tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0
# (noexec on /tmp breaks installers and build tools that execute from /tmp; test first)

# Immutable critical files. Root can still clear the flag with `chattr -i`, so this
# stops accidental and scripted edits rather than a determined root attacker.
# Clear the flag before running passwd, useradd, chage or visudo, or they will fail.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/sudoers

# File integrity monitoring (AIDE)
apt-get install aide
aideinit        # Debian/Ubuntu wrapper around `aide --init`; on RHEL use `aide --init`
                # and make sure the new database is installed as /var/lib/aide/aide.db
aide --check    # Run periodically (cron or systemd timer), alert on changes
```

#### Audit Logging (auditd)
```bash
# Install auditd
apt-get install auditd

# /etc/audit/rules.d/hardening.rules
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec_tracking
-