Security hardening for Fedora 39 on AMD Framework Laptop

So, you’ve got your AMD Framework laptop. Its sleek, shiny, and new, you’re excited to install an operating system onto it. You had heard that Fedora 39 had just released, and the new Framework firmware update has fixes that address Linux concerns. You’re looking to give Linux a shot, and you want some solid security recommendations to get you going. Look no further than the guide that I had created!

Post install of the recently released Fedora Linux 39, why not run through some basic operating system hardening steps to secure your digital life!

I’ve written a guide on my recommended steps to take for the average user running a fresh install of Fedora. Walk through these steps, and experience your new Framework system a tad bit more securely. :smile: I’ve uploaded it to this Google Drive location here.

Make sure that you are on the latest firmware, if not, run through the BIOS update instructions for your brand new AMD Framework 13 laptop.

Regular updates to this guide will be located on the “Work” section of my portfolio:

Thank you for visiting!

1 Like

A github open project would have been fantastic with possibility for the community to improve your guide !


Fedora includes the OpenScap tools and hardening baselines for CIS/DSIG etc and Red Hat actively works in this space to keep this up to date - Guide to the Secure Configuration of Fedora | OpenSCAP Security Guide

This is as simple as running them through to generate report which will provide ansible, bash or xml fixup scripts and you can use ansible to automatically remediate this with some flags when run.

i.e Automate STIG Compliance Server Hardening with OpenSCAP and Ansible | by (λx.x)eranga | effectz.AI | Medium

Perhaps contributing your rules to NIST Openscap profiles would be a good way to contribute back, although you are also setting up things like honeypots etc which kind of go beyond securing and into more ‘active’ security

1 Like

I did not know that GitHub can be used for such! Here I am, thinking that it is exclusively used for code. The way that I had created this is very similar to what you would find in a report in a university; which is what I am used to doing.

Altought that does sound like a good idea, I view this as a sort-of personal project of mine. It was also a great way for me to get more accustomed with security on Linux, something I should grow to become more akin to. Even if it was published to GitHub with open collaboration, I assume I cannot have the final say on the results of the project? (such as formatting, I am a total snob for formatting).

Thank you for your comment, I hope you enjoy my work either way!


Thank you for bringing up this resource! OpenScap is tool that I was not aware of. At first glance, this appears as a very in-depth tool for system hardening.

This is something I will have to look in to! I always have believed that you should leave all things better than how you have found them. So, if I can contribute to open source initiatives such as this, I would like to learn how. That’s the thing; I just need to learn the how, with the time that I have.

If this is in reference to my other work, thank you for checking it out!

I appreciate the feedback.

Please be aware that 1) Many STIG rules are of dubious benefit, and 2) FIPS140-2 encyrption is actually weaker than what ships with Fedora by default. If you are a sysadmin or intend to follow one of these guides I recommend you read the STIG carefully and draw your own conclusions as to what to implement. Following them blindly can often result in a broken and unusable system.


100% agree. A single security solution can not fit every situation. Every sysadmin should be aware of the purpose of the information system they administrate. Of course, with the authorization from the Cybersecurity department :wink: Ultimately, security should fit around the needs in the organization without impeding too much on accessibility.

1 Like

Publishing something to GitHub doesn’t mean that others can automatically contribute to your project. It’s up to you how you set that up. And yes, you absolutely can, and should review every contribution, before merging it in.

Formatting can be done using GitHub’s flavor of Markdown, documented, e.g., here.


I use a private GitHub repo to share family disaster-planning info with my wife.

1 Like

Seconding @jwp

openscap is a defacto tooling to analyze configuration and suggest tuning to improve host based security.

1 Like

Interesting use case… !