PostgreSQL Hardening on Linux: pg_hba, TLS, RLS, and pgaudit in 2026
Production-grade PostgreSQL 17 hardening on Linux: SCRAM-SHA-256 pg_hba, TLS 1.3 with client certs, least-privilege roles, RLS, and pgaudit shipped to a SIEM.
Production-grade PostgreSQL 17 hardening on Linux: SCRAM-SHA-256 pg_hba, TLS 1.3 with client certs, least-privilege roles, RLS, and pgaudit shipped to a SIEM.
A hands-on 2026 comparison of fail2ban and CrowdSec on production Debian and Ubuntu edge nodes, covering detection accuracy, resource use, blocklist quality, and when each tool is still the right pick.
A field-tested 60-minute playbook for the moment you find evidence of compromise on a Linux box: how I isolate the host, capture volatile state, hunt persistence, and rebuild without losing the trail.
I've been running and re-running Ubuntu hardening playbooks since 18.04. Most of what's published online is still a copy of a copy of a 16.04 CIS checklist, with password minlen 14 and a dozen sysctl knobs.
Deploy Linux IMA and EVM for kernel-enforced file integrity. Learn appraisal policy, EVM key sealing to TPM 2.0, IMA digest lists, and Keylime remote attestation with working configs.
A hands-on auditd guide for 2026: write persistent audit.rules, search events with ausearch, ship records to Wazuh, Elastic, or Splunk, and tune performance.
A practical, layered guide to Linux USB security in 2026: block rogue devices with USBGuard, udev rules, and kernel module blacklisting. Includes BadUSB defense, audit logging, and SIEM integration.
Deploy confidential VMs on Linux with AMD SEV-SNP and Intel TDX. Covers BIOS setup, QEMU launch flags, remote attestation with snpguest and configfs-tsm, attested LUKS unlock, and an operational hardening checklist for production workloads in 2026.
A practical 2026 guide to CrowdSec on Linux: architecture, install on Debian/Ubuntu/RHEL, nftables and Nginx bouncers, custom scenarios, multi-server LAPI, and a clean fail2ban migration path.
osquery turns your Linux fleet into a SQL-queryable database for real-time threat hunting and endpoint telemetry. This practical guide walks through osquery 5.22 deployment, high-value security queries, FleetDM at scale, SIEM integration, and a frank take on osquery vs auditd in 2026.
A practical guide to hardening Linux CI/CD pipelines against supply chain attacks, runner compromises, and credential theft — covering ephemeral runners, rootless container builds, automated SAST/DAST/SCA scanning, Sigstore image signing, and OIDC-based secrets management with working code examples.
Set up Lynis 3.1.5 for continuous Linux security auditing — build custom profiles, automate fleet-wide scans with Ansible, integrate CI/CD security gates, and map findings to CIS, PCI DSS, and HIPAA compliance frameworks.