When enumerating host protections, try to identify:
- Mandatory access control systems
- Firewall configurations
- Intrusion prevention mechanisms
- Endpoint security software
- Monitoring agents
- Hardening controls
- Container restrictions
- Security-related services
AppArmor
AppArmor restricts what applications can access on the system through security profiles.
Check AppArmor status:
aa-status 2>/dev/null
Useful locations:
/etc/apparmor/
/etc/apparmor.d/
/sys/kernel/security/apparmor/
SELinux
SELinux provides mandatory access control policies that restrict process behavior and resource access.
Check SELinux status:
sestatus 2>/dev/null
Useful locations:
/etc/selinux/
/var/log/audit/
/etc/selinux/config
Firewall
Host-based firewalls may restrict inbound or outbound communication.
UFW:
ufw status 2>/dev/null
iptables:
iptables -L -n -v
nftables:
nft list ruleset 2>/dev/null
Useful locations:
/etc/ufw/
/etc/iptables/
/etc/nftables.conf
Fail2ban
Fail2ban monitors logs and automatically blocks hosts exhibiting suspicious behavior.
Check status:
fail2ban-client status 2>/dev/null
Useful locations:
/etc/fail2ban/
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/
/var/log/fail2ban.log
Security Software
Look for endpoint protection, monitoring and security agents.
Common processes:
ps aux | grep -Ei "falco|crowdstrike|falcon|osquery|auditd|suricata|wazuh|clamav"
Common services:
systemctl list-units --type=service
Kernel Protections
Check common kernel hardening features:
cat /proc/sys/kernel/randomize_va_space
cat /proc/sys/kernel/yama/ptrace_scope
sysctl -a 2>/dev/null | grep -E "randomize|ptrace|kptr"
Common protections include:
- ASLR (Address Space Layout Randomization)
- Ptrace restrictions
- Kernel pointer restrictions
- Seccomp filtering
- Namespaces
- Capability restrictions