fleet/articles/security-baselines-for-linux.md

# Security baselines for Linux: closing the gap on exemptions

### Links to article series:

- Part 1: [Why enterprise Linux is important in 2026](https://fleetdm.com/articles/why-enterprise-linux-is-important-in-2026)
- Part 2: [Automated provisioning for Linux desktop in the enterprise](https://fleetdm.com/articles/automated-provisioning-for-linux-desktop-in-the-enterprise)
- Part 3: Security baselines for Linux: closing the gap on exemptions
- Part 4: [Unlocking Linux productivity: securing apps and updating certificates](https://fleetdm.com/articles/unlocking-linux-productivity-securing-apps-and-updating-certificates)
- Part 5: [Protecting the Linux device: remote wipe, USB and sudo](https://fleetdm.com/articles/protecting-the-linux-device-remote-wipe-usb-sudo)
- Part 6: [Data and Endpoint Sovereignty: Owning Your Destiny](https://fleetdm.com/articles/data-and-endpoint-sovereignty-owning-your-destiny)

-----

In the modern enterprise, Linux is no longer confined to the server room. It is increasingly the workstation of choice for scientists, engineers and developers. These contributors power innovation, and their endpoints often host an organization’s most valuable assets: source code repositories, confidential architecture plans, sensitive internal roadmaps and product designs. 

The investment in Mobile Device Management (MDM) solutions for Mac and Windows is a given, a foundational layer of corporate security. So why is the security posture of Linux often relegated to a secondary, "special case" status?

The fundamental challenge is a mismatch between the platform's nature and the enterprise organization’s need for control. Linux distributions, built on a philosophy of power and flexibility, are designed for the "power user” - precisely what makes Linux the right OS for them. These capabilities (deep OS customization, native development tooling, and root-level access) left unchecked create a security vacuum. While a base installation offers ease of use and stability, it is inherently inadequate for meeting stringent enterprise security requirements.

For years, security teams have managed to successfully "lock down" Mac and Windows.

* **Windows** pioneered centralized control with **Group Policy Objects (GPO)**, enabling granular management of password complexity, desktop restrictions, and software deployment from a single console.  
* **macOS** followed suit, using scripts and MCX / MDM via configuration profiles to enforce similar security controls.

Linux, however, has traditionally lacked a native, centralized protocol for security enforcement. While robust scripting and configuration management tools allow admins to manage endpoints at scale, these methods can be highly bespoke, leading to fragmented and inconsistent security across a fleet. It is this lack of a universally accepted, first-party framework that has allowed Linux workstations to be dangerously treated as an exception to standard security protocols.

## The myth of low risk is dead

This historic lack of scrutiny for Linux security was often justified by the perception of low risk, i.e., that a smaller installed base meant fewer malicious actors would target it. This is no longer a sustainable, or even true, assumption. The massive growth of Linux in cloud infrastructure and its rising prominence as a developer workstation have made it a lucrative target for cybercriminals. The data is unequivocal: in 2023 Trend Micro documented a [62% surge in Linux ransomware attack attempts](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-linux-threat-landscape-report).

The time for treating Linux security as an afterthought is over. It must be integrated into a comprehensive, multi-platform, defense-in-depth security strategy, encompassing both your servers and, critically, your workstations.

## The standardized path to enterprise security

The real challenge for security professionals is not *how* to execute a security policy (the scripting and configuration tools exist) but *what* settings to enforce. Modern workstations present a complex landscape of choices: disk encryption, biometric authentication policies, complex network configurations, and port governance. Without clear, validated guidance, IT administrators face a near-impossible task of developing, from scratch, adequate security profiles for every operating system in their fleet. This is where the power of **security baselines** becomes the indispensable foundation for your strategy.

Security baselines are a consensus-driven, recommended set of configurations applied uniformly across all your endpoints to ensure a consistent, hardened security posture. These baselines allow security teams to build on established, well-known best practices designed to protect against common and emerging threats.

Prominent examples of these baselines include:

* [**Center for Internet Security (CIS) Benchmarks**](https://www.cisecurity.org/cis-benchmarks)**:** Developed through community consensus by cybersecurity experts globally, the CIS Benchmarks provide detailed, prescriptive guidance for securing various operating systems, including multiple Linux distributions (Red Hat, Ubuntu, Debian), as well as Macs and Windows.  
* **Governmental Frameworks:** Agencies like the USA’s [**NIST**](https://www.nist.gov/itl/nvd) (National Institute of Standards and Technology) have already published [Linux security frameworks](https://github.com/usnistgov/linux_security). The UK’s [**NCSC**](https://www.ncsc.gov.uk/) (National Cyber Security Centre) along with other organizations and standards bodies publish extensive recommendations for securing endpoints in line with government’s high-security standards.

These baselines are not abstract theory. They are practical, operational guidance covering essential security such like access controls (password complexity, use of biometrics), system configuration (restricting access to sensitive binaries and configuration files), and network configuration (limiting inbound and outbound connections). By adopting them, enterprises gain an established, authoritative standard.

## Keeping up standards  

The adoption of a security baseline is not merely a box-ticking exercise. It is crucial for driving operational security excellence across your entire fleet.

### Simplified auditing and metrics

Security professionals are acutely aware that a single, poorly protected endpoint can be the vector for an entire network compromise. Baselines provide the necessary yardstick to measure the overall health and security hygiene of your entire fleet. The ability to audit **ALL** workstations (Mac, Windows, and Linux) against a consistent set of metrics establishes a clear objective standard. Even when baselines are customized to meet specific corporate needs (which is common and encouraged) deployment, remediation and auditing all are simplified by starting with a standard framework. It is fundamentally easier to track and measure deviations from a well-defined set of requirements than it is to build those requirements from the ground up.

### The fight against configuration drift

One of the most insidious threats to security is **configuration drift**. In Linux, the majority of controls are *imperative*. When an administrator issues a command like:

`install corporate root certificate`

the system executes it once. This is unlike *declarative* state management, where the system is constantly working to ensure a configuration remains in a desired state. An imperative command does not guarantee persistence. A user with root access, a subsequent script, or even a system update can later remove or replace that certificate. This deviation from the secure configuration “drift”.

Adopting a security baseline enables security teams to shift their focus from running a series of one-time commands to setting a desired state and keeping devices in that state. With the right tooling for monitoring and automation, like [Fleet](https://fleetdm.com/guides/empower-linux-device-management), an organization can ensure that any configuration drift is immediately detected, flagged, and automatically remediated.

### Meeting critical certification requirements

For many organizations, security standards are not optional. They are mandatory for business operation and passing regulatory audits. Standards such as **SOC2, ISO/IEC 27001, HIPAA, PCI DSS, and NIST SP 800-53** all apply to how an organization processes and protects information, which includes the security of your computing devices. The use of a recognized security baseline allows enterprises to systematically demonstrate compliance, making it much easier to provide the necessary evidence to auditors and clients that your security practices for all workstations are mature and reliable, even on Linux.

## The new mandate

The message is clear: if your enterprise leverages Linux workstations, they must be secured with the same rigor and established standards as your Macs and Windows devices. You do not need to re-invent security best practices. By adopting recognized security baselines like the readily available guidance offered by CIS Benchmarks for Red Hat, Ubuntu, Debian, and others you can immediately elevate your security posture. Implementing this strategy is the critical next step in ensuring that your most powerful workstations serve as a secure, foundational element of employee productivity, not a looming threat to enterprise security.

The [next article](https://fleetdm.com/articles/unlocking-linux-productivity-securing-apps-and-updating-certificates) in this series will cover application deployment and certificate management on Linux desktop.

<meta name="articleTitle" value="Security baselines for Linux: closing the gap on exemptions">  
<meta name="authorFullName" value="Ashish Kuthiala">  
<meta name="authorGitHubUsername" value="akuthiala">  
<meta name="category" value="articles">  
<meta name="publishedOn" value="2026-02-23">  
<meta name="description" value="Part 3 of 6 in the 'Protecting Linux endpoints with modern device management' article series.">