Week 24 - Capstone Integration & Defense

24.1 Conceptual Core

The final week is integration, not new material. Bring your chosen capstone (see CAPSTONE_PROJECTS.md) to defensible quality.

24.2 Final Hardening Checklist

  • CIS benchmark (or lynis) score documented; top findings addressed.
  • LSM (SELinux or AppArmor) enforcing for any service touched.
  • All long-running services systemd-managed with full hardening directives.
  • auditd configured; ruleset documented.
  • LUKS (where applicable); TPM2 binding documented.
  • Sysctl baseline applied; deviations explained.
  • Boot is reproducible: same image → same hash, where applicable.
  • Observability: node_exporter, eBPF observability tools, log shipping.
  • Runbooks for: OOM, disk-full, network-down, runaway-CPU, broken-DNS.
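One way to check the "Sysctl baseline applied; deviations explained" item, as an added example that is not part of the course material: it compares a sysctl.d-style baseline against the running kernel and separates documented deviations from undocumented ones. The function names, the sample baseline, the sample live values and the justification text are all constructed for illustration.

```python
from pathlib import Path

def parse_sysctl_conf(text):
    """Parse sysctl.d-style text into {key: value}; later entries win."""
    wanted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # A leading '-' in sysctl.d means "ignore errors when applying this key".
        key, sep, value = line.lstrip("-").strip().partition("=")
        if sep:
            wanted[key.strip()] = " ".join(value.split())
    return wanted

def read_live(key, root="/proc/sys"):
    """Return the running kernel's value for key, or None if it is absent."""
    # Keys written with '/' separators keep literal dots (e.g. VLAN interface names).
    rel = key if "/" in key else key.replace(".", "/")
    try:
        return " ".join((Path(root) / rel).read_text().split())
    except OSError:
        return None

def audit(baseline_text, explained, reader=read_live):
    """Return (unexplained, documented) lists of (key, wanted, live) deviations."""
    unexplained, documented = [], []
    for key, want in parse_sysctl_conf(baseline_text).items():
        got = reader(key)
        if got != want:
            (documented if key in explained else unexplained).append((key, want, got))
    return unexplained, documented

# Constructed sample data so the example runs offline.
SAMPLE_BASELINE = """
# constructed sample baseline
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
net.ipv4.ip_forward = 0
-net.ipv4.conf.all.rp_filter = 1
"""
SAMPLE_LIVE = {"kernel.kptr_restrict": "2", "kernel.dmesg_restrict": "0",
               "net.ipv4.ip_forward": "1", "net.ipv4.conf.all.rp_filter": "1"}
SAMPLE_EXPLAINED = {"net.ipv4.ip_forward": "host routes container traffic"}

if __name__ == "__main__":
    bad, ok = audit(SAMPLE_BASELINE, SAMPLE_EXPLAINED, SAMPLE_LIVE.get)
    for key, want, got in bad:
        print(f"UNEXPLAINED {key}: baseline={want} live={got}")
    for key, want, got in ok:
        print(f"documented  {key}: live={got} ({SAMPLE_EXPLAINED[key]})")
```

On a real host, call `audit()` with the default reader and the contents of the baseline file; a non-empty first list means the checklist item is not yet met.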

24.3 Lab: "Defend the Host"

Schedule a 45-minute mock review with a peer. Walk through: the host's threat model, the capstone artifact, the observability story, and a live demo of triaging a fault. Defend every choice: cgroup policy, LSM type, sysctl values, auditd rules.

24.4 Performance Tuning Slice

  • Final pass: capture a 1-minute perf record -ag flamegraph of the capstone under representative load. Commit it. This is the resume artifact.

Month 6 Deliverable

The capstone artifact, plus an aggregated linux-mastery/ repo containing every prior month's deliverable.
