Local, browser based helper
Linux OS Baseline
Ubuntu 24.04 STIG inspired

About the Linux OS Baseline Assistant

This page explains how the Linux OS Baseline Assistant works, how the Relaxed, Strict, and Custom profiles are put together, and how to use the generated shell script safely on Ubuntu systems.

The Linux OS Baseline Assistant focuses on a practical subset of Ubuntu 24.04 LTS STIG inspired controls for small environments. It does not implement the full STIG and it does not guarantee compliance with any standard. The output is a structured script template with human readable hints, designed to help you review, prioritize, and document Linux hardening work.

What this tool actually does

The Linux OS Baseline Assistant builds a checklist style hardening script for Ubuntu 24.04 LTS using a curated set of STIG inspired controls. You choose a profile, fine tune the individual controls, then generate a shell script that you can adapt for your environment.

Instead of applying changes silently, the assistant writes clearly commented blocks for each selected control. Each block includes a short hint such as apt-get remove --purge telnet rather than forcing a specific configuration on your systems.

Relaxed, Strict, and Custom in plain language

Relaxed profile

Relaxed turns on foundational hardening that almost every small business can live with. It focuses on removing legacy services, enforcing basic authentication rules, enabling host firewall and file integrity, and tightening obvious gaps without being aggressive.

  • Removes unsafe remote tools such as telnet and rsh in favor of SSH.
  • Blocks blank passwords and null passwords at the PAM level.
  • Encourages host firewall and file integrity tools like ufw and AIDE.
  • Sets sensible session timeouts and uses strong password hashing by default.

Strict profile

Strict adds opinionated security controls that can change how systems behave. It is better suited for teams that are chasing formal compliance or that have time to test and adjust crypto, PAM, and kernel settings.

  • Introduces FIPS aligned cryptography planning and SSH cipher tightening.
  • Applies stronger controls on PAM caching and network session idle timeouts.
  • Further restricts kernel visibility, for example access to the message buffer.

Custom profile

Custom leaves the decisions to you. You can start from Relaxed or Strict, adjust any individual control, then regenerate the script. This is the right choice when you already know which controls fit your workloads and which ones need to stay off.

Short version. Relaxed is “secure by default for most small shops”. Strict is “turn the hardening up and accept more testing”. Custom is “you are the auditor, pick what you want”.

How to use the generated script safely

When you click Generate script, the assistant writes a shell script template and suggests a filename such as ubuntu-baseline.sh. It is meant to be read, edited, and version controlled before you ever run it on production systems.

Basic workflow

  • Review every control block, including the comment lines and the Hint text.
  • Replace or expand the hints with the exact commands you want, for example apt-get install chrony or a complete ufw rule set.
  • Save the file as ubuntu-baseline.sh and make it executable with chmod +x ubuntu-baseline.sh.
  • Test it first on a non critical Ubuntu system with sudo ./ubuntu-baseline.sh.

Rollback thinking

The assistant does not create a full rollback script for you. In practice you should keep a separate playbook or script with the steps required to reverse changes that can impact users, such as firewall rules, SSH crypto options, and PAM behavior.

For more complex environments, consider pairing this baseline with configuration management tools such as Ansible, so you can track changes, roll forward cleanly, and test in stages.
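
One way to make file level changes reversible, shown as an added example that is not output of the assistant: each control block snapshots a config file before editing it, and a single function restores everything. BACKUP_ROOT, backup_file and rollback_all are hypothetical names chosen here, and the helper assumes absolute paths.

```bash
# Added example, not generated by the assistant. BACKUP_ROOT, backup_file
# and rollback_all are hypothetical names; paths must be absolute.
: "${BACKUP_ROOT:=/var/backups/ubuntu-baseline}"
TAB="$(printf '\t')"

# backup_file PATH
# Records the pre-change state of PATH once. A second run of the baseline
# never overwrites the first snapshot. A missing file is recorded as
# "absent" so rollback knows to delete what the baseline created.
backup_file() {
    bf_dest="$BACKUP_ROOT/files$1"
    mkdir -p "$(dirname "$bf_dest")"
    touch "$BACKUP_ROOT/manifest.tsv"
    if cut -f2 "$BACKUP_ROOT/manifest.tsv" | grep -Fxq -- "$1"; then
        return 0
    fi
    if [ -e "$1" ]; then
        cp -p -- "$1" "$bf_dest"    # -p keeps mode, owner and timestamps
        printf 'present\t%s\n' "$1" >> "$BACKUP_ROOT/manifest.tsv"
    else
        printf 'absent\t%s\n' "$1" >> "$BACKUP_ROOT/manifest.tsv"
    fi
}

# rollback_all
# Restores every snapshotted file and removes files that did not exist
# before the baseline ran. Services still need a reload afterwards.
rollback_all() {
    [ -f "$BACKUP_ROOT/manifest.tsv" ] || return 0
    while IFS="$TAB" read -r rb_state rb_path; do
        case "$rb_state" in
            present) cp -p -- "$BACKUP_ROOT/files$rb_path" "$rb_path" ;;
            absent)  rm -f -- "$rb_path" ;;
        esac
    done < "$BACKUP_ROOT/manifest.tsv"
}

# Typical use inside a control block (run as root):
#   backup_file /etc/ssh/sshd_config
#   ...edit the file...
#   sshd -t || rollback_all    # sshd -t validates the config before a reload
```

This covers files only. Package removals and live firewall state still belong in the separate rollback playbook.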

What this assistant does not do

The Linux OS Baseline Assistant is not a full STIG implementation engine and it is not a magic compliance button. It does not pull live data from your systems, it does not enforce patches, and it does not track evidence for audits. It gives you a structured starting point that you can extend with your own commands, documentation, and change management.

The control texts are informed by Ubuntu 24.04 STIG guidance and common audit expectations. Final responsibility for testing, approvals, and compliance still sits with your organization and your auditors.

Important notice and legal disclaimer
This Linux OS Baseline Assistant and its generated scripts are provided for educational and informational use only. They do not replace formal STIG implementation guidance, vendor documentation, or professional services, and they do not guarantee compliance with any framework, including STIG, NIST, CIS, PCI DSS, HIPAA, GDPR, or any cyber insurance requirement. All logic runs locally in your browser and any output remains on your systems unless you choose to share or upload it. You are responsible for reviewing, testing, and adapting every line before use, ensuring you have reliable backups, documented rollback steps, change approvals, and an appropriate lab or staging environment before changing production systems.