Skip to content

Track 07 — Endpoint & Host Hardening

Make the host expensive to attack and loud when attacked. Harden Windows and Linux to recognised benchmarks — as code, with compliance scoring and drift detection.

What you'll be able to do

  • Threat-model the endpoint and prioritise what actually matters.
  • Harden Windows and Linux to CIS benchmarks, expressed as code.
  • Score compliance and detect configuration drift.
  • Stand up endpoint telemetry that catches what hardening doesn't stop.

Modules

# Module What you'll learn OSS tools
01 Threat Model of the Endpoint What you're defending and from what
02 Windows Hardening to CIS Baseline configuration that holds up LGPO, CIS-CAT-lite
03 Linux Hardening to CIS Securing the Linux host as a baseline OpenSCAP, Lynis
04 Exploit Mitigation & Allowlisting ASLR/DEP, app control, attack-surface reduction AppLocker, fapolicyd
05 Endpoint Telemetry & EDR Visibility into process/file/auth events osquery, wazuh
06 Configuration Management Hardening at scale, as code ansible
07 Compliance Scoring & Auditing Measuring posture against a benchmark OpenSCAP
08 Patch & Vulnerability Management Finding and closing exposure osquery, grype
09 Local Privilege-Escalation Defense Closing the paths Track 01 abuses
10 Detecting Host Compromise Catching what the baseline didn't stop wazuh, sigma
11 Host & Boot Integrity Proving files and the boot chain haven't been tampered with aide, Secure Boot/TPM
12 Configuration & Posture Drift Detecting and reconciling drift from the baseline-as-code ansible, osquery, OpenSCAP
13 Rolling a Baseline Across a Fleet Staged, ringed rollout that limits blast radius ansible

Phases & projects

The thirteen modules run in four phases; each ends in a project that integrates its modules (a phase is the substantial, standalone unit — a single module is a few hours). Work on VMs you own, and snapshot before destructive changes.

  • Phase 1 · Model & baseline (01–04) — Project: an endpoint threat model that drives a CIS baseline applied to a Windows and a Linux host — including exploit mitigations and application allowlisting — with each control justified against the model.
  • Phase 2 · Scale, score & patch (05–08) — Project: stand up endpoint telemetry, push the baseline at scale with Ansible, score compliance with OpenSCAP, and run a patch/vuln-management loop — proving drift detection catches a deliberate misconfiguration.
  • Phase 3 · Detect & defend (09–11) — Project: close the local privilege-escalation paths Track 01 abuses, catch a simulated host compromise with telemetry, and prove files and the boot chain are intact with file-integrity monitoring — delivering the detections and a tamper-evident integrity baseline.
  • Phase 4 · Operate at scale (12–13) — Project: the track capstone — keep the baseline-as-code enforced with a drift loop that names what changed and against which control, and roll the baseline across a fleet in staged rings that limit blast radius — delivering the config-as-code, the before/after score delta, the drift report, and a staged rollout plan.

Prerequisites

Complete Track 00 — Foundations first.

Work on VMs or containers you own. Some hardening is destructive — snapshot first.

Capstone

Harden a Windows and a Linux host to CIS as code, score the before/after compliance, prove drift detection catches a deliberate misconfiguration, and show telemetry firing on a simulated attack. Deliverable: the config-as-code, the score delta, and the detection.

The starter scaffold and acceptance checks live in plaintext-labs/endpoint-hardening/capstone/.

Capstone rubric

Harden both a Windows and a Linux host, and prove the baseline holds and drift is caught. Proficient is the bar to ship.

Dimension Developing Proficient Exemplary
Hardening coverage One OS, or partial baseline Both Windows and Linux hardened to a CIS profile, expressed as code (Ansible/GPO/SCAP) Profile tailored to a threat model — exceptions justified, not blind benchmark application
Compliance scoring No score, or score not reproducible OpenSCAP/CIS-CAT score before and after, with the delta documented Failing controls triaged (fix vs. accept-with-reason); score re-run from clean state
Drift detection None A deliberate misconfiguration is introduced and the tooling flags it Drift detection is automated/scheduled and reports what changed, not just that it did
Telemetry No telemetry, or fires on nothing Endpoint telemetry catches a simulated attack the baseline didn't stop Detection mapped to ATT&CK and tuned against benign noise
As-code & reproducibility Manual steps A reader can re-apply the baseline from the committed code One command re-hardens a fresh host and re-scores it; idempotent

AI & automation

AI generates the hardening (Ansible, GPO, SCAP profiles) — and that's exactly where silent mistakes hide. The skill is reviewing generated configuration against the benchmark and your threat model before it ships. AI authors the baseline; you own what it breaks.

Standards & further reading

  • CIS Benchmarks (Windows, Linux) and the CIS Controls
  • NIST SP 800-123 (Server Security) and SP 800-128 (Config Management)
  • DISA STIGs as an alternate baseline

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).