You are responsible for a Linux host that runs several internal services and is accessed by engineers for administration and debugging. The machine stores service configuration, temporary credentials, and application logs, and it sits on a network segment that can reach other production systems. A recent review found inconsistent SSH settings, broad sudo access, and weak visibility into process and login activity.
What OS-level security questions would you ask first, and how would you use the answers to decide what to harden, what to monitor, and what would trigger an incident response? Be specific about the Linux controls you would expect to see and how you would verify them.