security-hardening

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Hardening

安全加固

Purpose

目标

Proactive reduction of attack surface across infrastructure layers through systematic configuration hardening, least-privilege enforcement, and automated security controls. Applies industry-standard CIS Benchmarks and zero-trust principles to operating systems, containers, cloud configurations, networks, and databases.

通过系统化配置加固、最小权限实施和自动化安全控制，主动减少基础设施各层的攻击面。将行业标准的CIS基准和零信任原则应用于操作系统、容器、云配置、网络和数据库。

When to Use This Skill

适用场景

Invoke this skill when:

Hardening production infrastructure before deployment
Meeting compliance requirements (SOC 2, PCI-DSS, HIPAA, FedRAMP)
Implementing zero-trust security architecture
Reducing container or cloud misconfiguration risks
Preparing for security audits or penetration tests
Automating security baseline enforcement
Responding to vulnerability scan findings

在以下场景中调用此技能：

部署前加固生产基础设施
满足合规要求（SOC 2、PCI-DSS、HIPAA、FedRAMP）
实施零信任安全架构
降低容器或云配置错误风险
为安全审计或渗透测试做准备
自动化安全基线实施
响应漏洞扫描结果

Hardening Layers

加固层级

Security hardening applies across five infrastructure layers:

安全加固覆盖五个基础设施层级：

Layer 1: Operating System (Linux)

层级1：操作系统（Linux）

Kernel parameter tuning (sysctl)
SSH configuration hardening
User and group management
File system permissions and mount options
Service minimization
SELinux/AppArmor enforcement

内核参数调优（sysctl）
SSH配置加固
用户与组管理
文件系统权限与挂载选项
服务最小化
SELinux/AppArmor强制启用

Layer 2: Container

层级2：容器

Minimal base images (Chainguard, Distroless, Alpine)
Non-root container execution
Read-only root filesystems
Seccomp and AppArmor profiles
Resource limits and capabilities dropping
Pod Security Standards enforcement

轻量基础镜像（Chainguard、Distroless、Alpine）
非root用户运行容器
只读根文件系统
Seccomp和AppArmor配置文件
资源限制与权限剥离
Pod安全标准实施

Layer 3: Cloud Configuration

层级3：云配置

IAM least privilege and MFA enforcement
Network security groups and NACL configuration
Encryption at rest and in transit
Public access blocking
Logging and monitoring enablement
CSPM (Cloud Security Posture Management) integration

IAM最小权限与MFA强制启用
网络安全组与NACL配置
静态与传输加密
阻止公共访问
启用日志与监控
集成CSPM（云安全态势管理）

Layer 4: Network

层级4：网络

Default-deny network policies
Network segmentation and micro-segmentation
TLS/mTLS enforcement
Firewall rule minimization
DNS security (DNSSEC, DNS filtering)

默认拒绝网络策略
网络分段与微分段
TLS/mTLS强制启用
防火墙规则最小化
DNS安全（DNSSEC、DNS过滤）

Layer 5: Database

层级5：数据库

Authentication and authorization hardening
Connection encryption (SSL/TLS)
Audit logging enablement
Network isolation and access control
Role-based permissions with least privilege

认证与授权加固
连接加密（SSL/TLS）
启用审计日志
网络隔离与访问控制
基于角色的最小权限配置

Core Hardening Principles

核心加固原则

1. Default Deny, Explicit Allow

1. 默认拒绝，显式允许

Start with all access denied, explicitly permit only required operations. Apply default-deny firewall rules and network policies, then allow specific traffic.

从拒绝所有访问开始，仅显式允许必要操作。应用默认拒绝的防火墙规则和网络策略，再开放特定流量。

2. Least Privilege Access

2. 最小权限访问

Grant minimum permissions required for operation. Use RBAC, IAM policies with specific resources, and database roles with limited permissions (no DELETE or DDL unless required).

授予操作所需的最小权限。使用RBAC、针对特定资源的IAM策略，以及权限受限的数据库角色（除非必要，否则不授予DELETE或DDL权限）。

3. Defense in Depth

3. 纵深防御

Implement multiple overlapping security controls: network firewalls, authentication, authorization, audit logging, and encryption working together.

实施多重重叠安全控制：网络防火墙、认证、授权、审计日志和加密协同工作。

4. Minimal Attack Surface

4. 最小攻击面

Remove unnecessary components, services, and permissions. Use minimal container base images, disable unused services, and drop all Linux capabilities unless required.

移除不必要的组件、服务和权限。使用轻量容器基础镜像，禁用未使用的服务，剥离所有非必要的Linux权限。

5. Fail Securely

5. 安全故障

On error or misconfiguration, default to secure state. Authentication failures deny access, missing configurations use restrictive defaults, and monitoring failures trigger immediate alerts.

出现错误或配置错误时，默认进入安全状态。认证失败则拒绝访问，缺失配置时使用严格默认值，监控故障时立即触发警报。

Hardening Priority Framework

加固优先级框架

Prioritize hardening efforts based on exposure and data sensitivity:

根据暴露程度和数据敏感度确定加固工作优先级：

Critical Priority: Internet-Facing Systems

关键优先级：面向互联网的系统

Apply immediately:

Container hardening (minimal images, non-root, read-only)
Network segmentation (DMZ, WAF, DDoS protection)
TLS termination and certificate management
Rate limiting and authentication
Real-time monitoring and alerting

Tools: Trivy, Falco, ModSecurity, Cloudflare

立即实施：

容器加固（轻量镜像、非root用户、只读文件系统）
网络分段（DMZ、WAF、DDoS防护）
TLS终止与证书管理
速率限制与认证
实时监控与警报

工具： Trivy、Falco、ModSecurity、Cloudflare

High Priority: Systems with Sensitive Data

高优先级：含敏感数据的系统

Apply before production:

Encryption at rest (AES-256, KMS-managed keys)
Strict access controls (RBAC, least privilege)
Comprehensive audit logging
Database connection encryption
Regular vulnerability scanning

Tools: Checkov, Prowler, Lynis, OpenSCAP

生产前实施：

静态加密（AES-256、KMS管理密钥）
严格访问控制（RBAC、最小权限）
全面审计日志
数据库连接加密
定期漏洞扫描

工具： Checkov、Prowler、Lynis、OpenSCAP

Standard Priority: Internal Systems

标准优先级：内部系统

Apply systematically:

OS hardening (CIS Benchmarks)
Service minimization
Patch management automation
Configuration management
Basic monitoring

Tools: Ansible, Puppet, kube-bench, docker-bench-security

系统化实施：

操作系统加固（CIS基准）
服务最小化
补丁管理自动化
配置管理
基础监控

工具： Ansible、Puppet、kube-bench、docker-bench-security

CIS Benchmark Integration

CIS基准集成

CIS (Center for Internet Security) Benchmarks provide industry-standard hardening guidance.

CIS（互联网安全中心）基准提供行业标准的加固指南。

Automated CIS Scanning

自动化CIS扫描

Docker CIS Benchmark:

bash

docker run --rm -it \
  --net host \
  --pid host \
  --cap-add audit_control \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /etc:/etc:ro \
  docker/docker-bench-security

Kubernetes CIS Benchmark:

bash

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench

Linux CIS Benchmark:

bash

undefined

Docker CIS基准：

bash

docker run --rm -it \
  --net host \
  --pid host \
  --cap-add audit_control \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /etc:/etc:ro \
  docker/docker-bench-security

Kubernetes CIS基准：

bash

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench

Linux CIS基准：

bash

undefined

Using Lynis

使用Lynis

lynis audit system --quick

Using OpenSCAP

使用OpenSCAP

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml

undefined

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml

undefined

Key CIS Controls Mapping

核心CIS控制映射

CIS Control	Hardening Action	Layer
4.1 Secure Configuration	Apply hardening baselines	All layers
5.1 Account Management	Enforce least privilege, MFA	OS, Cloud
6.1 Access Control	RBAC, network policies	All layers
8.1 Audit Log Management	Enable comprehensive logging	All layers
13.1 Network Monitoring	Deploy IDS/IPS, flow logs	Network
3.1 Data Protection	Enable encryption at rest/transit	Cloud, Database

For detailed CIS control mapping, see

references/cis-benchmark-mapping.md

CIS控制项	加固操作	层级
4.1 安全配置	应用加固基线	所有层级
5.1 账户管理	强制最小权限、MFA	操作系统、云
6.1 访问控制	RBAC、网络策略	所有层级
8.1 审计日志管理	启用全面日志	所有层级
13.1 网络监控	部署IDS/IPS、流量日志	网络
3.1 数据保护	启用静态/传输加密	云、数据库

详细CIS控制映射请参考

references/cis-benchmark-mapping.md

。

Container Base Image Selection

容器基础镜像选择

Choose base images based on security requirements and compatibility needs:

Use Case	Recommended Base	Size	CVEs	Trade-off
Production apps	Chainguard Images	~10MB	0	Minimal, zero CVEs
Minimal Linux	Alpine	~5MB	Few	Small, auditable
Compatibility	Distroless	~20MB	Few	No shell, harder debug
Debugging	Debian slim	~80MB	More	Has debugging tools
Legacy apps	Ubuntu	~100MB	Many	Full compatibility

Production recommendation: Chainguard Images or Distroless for production, Alpine for development.

根据安全要求和兼容性需求选择基础镜像：

使用场景	推荐基础镜像	大小	CVEs	权衡点
生产应用	Chainguard Images	~10MB	0	轻量、零漏洞
极简Linux	Alpine	~5MB	少量	体积小、可审计
兼容性优先	Distroless	~20MB	少量	无shell、调试难度高
调试场景	Debian slim	~80MB	较多	含调试工具
遗留应用	Ubuntu	~100MB	大量	完全兼容

生产环境推荐： 生产环境使用Chainguard Images或Distroless，开发环境使用Alpine。

Verification and Auditing

验证与审计

Hardening must be verified continuously, not just at implementation.

加固工作必须持续验证，而不仅是在实施阶段。

Automated Security Scanning

自动化安全扫描

Container vulnerability scanning:

bash

undefined

容器漏洞扫描：

bash

undefined

Trivy: Comprehensive vulnerability and misconfiguration scanner

Trivy：全面的漏洞与配置错误扫描器

trivy image --severity HIGH,CRITICAL myapp:latest

Grype: Fast vulnerability scanner

Grype：快速漏洞扫描器

grype myapp:latest


**Infrastructure as Code scanning:**
```bash

grype myapp:latest


**基础设施即代码扫描：**
```bash

Checkov: Multi-cloud IaC scanner

Checkov：多云IaC扫描器

checkov -d terraform/ --framework terraform

Terrascan: Policy-as-code scanner

Terrascan：策略即代码扫描器

terrascan scan -t terraform -d terraform/


**Kubernetes security scanning:**
```bash

terrascan scan -t terraform -d terraform/


**Kubernetes安全扫描：**
```bash

Kubesec: Security risk analysis

Kubesec：安全风险分析

kubesec scan k8s/deployment.yaml

Polaris: Configuration validation

Polaris：配置验证

polaris audit --format=pretty

Trivy K8s scanning

Trivy Kubernetes扫描

trivy k8s --report summary cluster


**Cloud security posture:**
```bash

trivy k8s --report summary cluster


**云安全态势：**
```bash

Prowler: AWS security assessment

Prowler：AWS安全评估工具

prowler aws --services s3 iam ec2

ScoutSuite: Multi-cloud security audit

ScoutSuite：多云安全审计工具

scout aws --services s3 iam ec2

undefined

scout aws --services s3 iam ec2

undefined

Continuous Verification Pipeline

持续验证流水线

Integrate security scanning into CI/CD:

yaml

undefined

将安全扫描集成到CI/CD中：

yaml

undefined

GitHub Actions example

GitHub Actions示例

name: Security Hardening Verification

on: push: branches: [main] schedule: - cron: '0 0 * * *' # Daily scan

jobs: container-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: Build image
    run: docker build -t myapp:test .

  - name: Scan with Trivy
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'myapp:test'
      severity: 'CRITICAL,HIGH'
      exit-code: '1'  # Fail on findings

iac-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: Scan IaC with Checkov
    uses: bridgecrewio/checkov-action@master
    with:
      directory: terraform/
      framework: terraform
      soft_fail: false

undefined

name: Security Hardening Verification

on: push: branches: [main] schedule: - cron: '0 0 * * *' # 每日扫描

jobs: container-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: 构建镜像
    run: docker build -t myapp:test .

  - name: 使用Trivy扫描
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'myapp:test'
      severity: 'CRITICAL,HIGH'
      exit-code: '1'  # 发现问题则流水线失败

iac-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: 使用Checkov扫描IaC
    uses: bridgecrewio/checkov-action@master
    with:
      directory: terraform/
      framework: terraform
      soft_fail: false

undefined

Compliance Reporting

合规报告

Generate compliance reports from scan results:

bash

undefined

从扫描结果生成合规报告：

bash

undefined

Generate CIS compliance report

生成CIS合规报告

kube-bench run --json > cis-report.json

Generate vulnerability report

生成漏洞报告

trivy image --format json --output vuln-report.json myapp:latest

Aggregate reports for compliance dashboard

聚合报告生成合规仪表盘

python scripts/generate-compliance-report.py
--cis cis-report.json
--vulns vuln-report.json
--output compliance-dashboard.html

undefined

python scripts/generate-compliance-report.py
--cis cis-report.json
--vulns vuln-report.json
--output compliance-dashboard.html

undefined

Automation Tools

自动化工具

Hardening Automation

加固自动化

Ansible/Puppet/Chef: Configuration management for OS hardening
Terraform/Pulumi: Infrastructure as Code with security modules
Cloud Custodian: Cloud resource policy enforcement
OPA/Gatekeeper: Kubernetes policy enforcement
Kyverno: Kubernetes-native policy management

Ansible/Puppet/Chef： 操作系统加固的配置管理工具
Terraform/Pulumi： 含安全模块的基础设施即代码工具
Cloud Custodian： 云资源策略实施工具
OPA/Gatekeeper： Kubernetes策略实施工具
Kyverno： Kubernetes原生策略管理工具

Scanning Tools

扫描工具

Trivy: Universal vulnerability and misconfiguration scanner
Checkov: IaC security and compliance scanner
Falco: Runtime security monitoring
Prowler: AWS security assessment tool
ScoutSuite: Multi-cloud security auditing
Lynis: Linux security auditing
docker-bench-security: Docker CIS benchmark scanner
kube-bench: Kubernetes CIS benchmark scanner

Trivy： 通用漏洞与配置错误扫描器
Checkov： IaC安全与合规扫描器
Falco： 运行时安全监控工具
Prowler： AWS安全评估工具
ScoutSuite： 多云安全审计工具
Lynis： Linux安全审计工具
docker-bench-security： Docker CIS基准扫描器
kube-bench： Kubernetes CIS基准扫描器

Monitoring Tools

监控工具

Falco: Runtime threat detection for containers
Sysdig: Container security and monitoring
Wazuh: Host and endpoint security monitoring
OSSEC: Host-based intrusion detection

Falco： 容器运行时威胁检测工具
Sysdig： 容器安全与监控工具
Wazuh： 主机与端点安全监控工具
OSSEC： 基于主机的入侵检测工具

Quick Reference: Common Hardening Tasks

快速参考：常见加固任务

Harden SSH Access

加固SSH访问

bash

undefined

bash

undefined

Edit /etc/ssh/sshd_config.d/hardening.conf

编辑 /etc/ssh/sshd_config.d/hardening.conf

PermitRootLogin no PasswordAuthentication no PermitEmptyPasswords no MaxAuthTries 3 X11Forwarding no ClientAliveInterval 300 ClientAliveCountMax 2

Restart SSH

重启SSH

systemctl restart sshd

undefined

systemctl restart sshd

undefined

Harden Container Image

加固容器镜像

dockerfile

undefined

dockerfile

undefined

Use minimal base

使用轻量基础镜像

FROM cgr.dev/chainguard/python:latest

Non-root user

非root用户

USER nonroot

Read-only filesystem

只读文件系统

COPY --chown=nonroot:nonroot app /app WORKDIR /app

Drop all capabilities

剥离所有权限

ENTRYPOINT ["python", "-m", "app"]

undefined

ENTRYPOINT ["python", "-m", "app"]

undefined

Harden Kubernetes Pod

加固Kubernetes Pod

yaml

securityContext:
  runAsNonRoot: true
  runAsUser: 65534
  seccompProfile:
    type: RuntimeDefault
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]

yaml

securityContext:
  runAsNonRoot: true
  runAsUser: 65534
  seccompProfile:
    type: RuntimeDefault
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]

Harden AWS S3 Bucket

加固AWS S3存储桶

hcl

resource "aws_s3_bucket_public_access_block" "secure" {
  bucket = aws_s3_bucket.data.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

hcl

resource "aws_s3_bucket_public_access_block" "secure" {
  bucket = aws_s3_bucket.data.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

Harden Network with Default Deny

默认拒绝策略加固网络

yaml

undefined

yaml

undefined

Kubernetes NetworkPolicy: deny all ingress

Kubernetes NetworkPolicy：拒绝所有入站流量

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: production spec: podSelector: {} policyTypes:

Ingress

undefined

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: production spec: podSelector: {} policyTypes:

Ingress

undefined

Harden Database Access

加固数据库访问

sql

-- PostgreSQL hardening
REVOKE ALL ON DATABASE app FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

CREATE ROLE app_user WITH LOGIN;
GRANT CONNECT ON DATABASE app TO app_user;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_user;

-- Force SSL connections
ALTER SYSTEM SET ssl = on;
-- In pg_hba.conf: hostssl all all 0.0.0.0/0 scram-sha-256

sql

-- PostgreSQL加固
REVOKE ALL ON DATABASE app FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

CREATE ROLE app_user WITH LOGIN;
GRANT CONNECT ON DATABASE app TO app_user;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_user;

-- 强制SSL连接
ALTER SYSTEM SET ssl = on;
-- 在pg_hba.conf中配置：hostssl all all 0.0.0.0/0 scram-sha-256

Detailed Hardening Guides

详细加固指南

For layer-specific hardening guidance:

OS hardening: See
```
references/linux-hardening.md
```
Container hardening: See
```
references/container-hardening.md
```
Cloud hardening: See
```
references/cloud-hardening.md
```
Network hardening: See
```
references/network-hardening.md
```
Database hardening: See
```
references/database-hardening.md
```

For automation scripts:

Python automation: See
```
scripts/harden-linux.py
```
Container host setup: See
```
scripts/harden-container-host.sh
```
Compliance reporting: See
```
scripts/generate-compliance-report.py
```
Infrastructure scanning: See
```
scripts/scan-infrastructure.sh
```

For working examples:

Linux configurations: See
```
examples/linux/
```
Kubernetes manifests: See
```
examples/kubernetes/
```
Terraform modules: See
```
examples/terraform/
```

各层级的具体加固指南：

操作系统加固： 参考
```
references/linux-hardening.md
```
容器加固： 参考
```
references/container-hardening.md
```
云加固： 参考
```
references/cloud-hardening.md
```
网络加固： 参考
```
references/network-hardening.md
```
数据库加固： 参考
```
references/database-hardening.md
```

自动化脚本：

Python自动化： 参考
```
scripts/harden-linux.py
```
容器主机配置： 参考
```
scripts/harden-container-host.sh
```
合规报告生成： 参考
```
scripts/generate-compliance-report.py
```
基础设施扫描： 参考
```
scripts/scan-infrastructure.sh
```

示例文件：

Linux配置： 参考
```
examples/linux/
```
Kubernetes清单： 参考
```
examples/kubernetes/
```
Terraform模块： 参考
```
examples/terraform/
```

Integration with Related Skills

与相关技能的集成

auth-security: Authentication and authorization patterns complement hardening
secret-management: Secure secrets handling is essential for hardening
kubernetes-operations: Pod security and RBAC hardening
infrastructure-as-code: Security scanning in IaC pipelines
building-ci-pipelines: Automated security scanning integration
observability: Security monitoring and alerting
compliance-frameworks: Mapping hardening to compliance requirements

auth-security： 认证与授权模式可补充加固工作
secret-management： 安全的密钥处理是加固的关键环节
kubernetes-operations： Pod安全与RBAC加固
infrastructure-as-code： IaC流水线中的安全扫描
building-ci-pipelines： 集成自动化安全扫描
observability： 安全监控与警报
compliance-frameworks： 加固措施与合规要求的映射

Anti-Patterns to Avoid

需避免的反模式

❌ Hardening only at deployment

Hardening is continuous; scan and verify regularly

❌ Applying all controls blindly

Prioritize based on risk and exposure

❌ No verification

Always verify hardening is applied and effective

❌ Security through obscurity

Obscurity is not security; use proven controls

❌ Hardening without testing

Test hardening changes don't break functionality

❌ Manual hardening at scale

Automate hardening for consistency and repeatability

❌ 仅在部署时加固

加固是持续过程；需定期扫描和验证

❌ 盲目应用所有控制项

根据风险和暴露程度确定优先级

❌ 不进行验证

始终要验证加固措施已正确应用且有效

❌ 通过模糊性实现安全

模糊性不等于安全；使用经过验证的控制措施

❌ 未测试就加固

测试加固变更不会破坏功能

❌ 大规模手动加固

自动化加固以确保一致性和可重复性

Getting Started

快速入门

Assess current posture: Run CIS benchmark scans
Prioritize: Internet-facing → sensitive data → internal
Apply baseline hardening: OS, container, cloud basics
Automate: Use scripts and IaC for consistency
Verify continuously: Integrate scanning into CI/CD
Monitor: Deploy runtime security monitoring
Iterate: Review and improve hardening regularly

For step-by-step implementation, start with

references/linux-hardening.md

references/container-hardening.md

based on infrastructure type.

评估当前状态： 运行CIS基准扫描
确定优先级： 面向互联网系统 → 含敏感数据系统 → 内部系统
应用基线加固： 操作系统、容器、云的基础加固
自动化： 使用脚本和IaC确保一致性
持续验证： 将扫描集成到CI/CD中
监控： 部署运行时安全监控
迭代： 定期审查和改进加固措施

如需分步实施，可根据基础设施类型从

references/linux-hardening.md

或

references/container-hardening.md

开始。