Skip Navigation
Hardening Arch Linux

  • I will describe settings that are not so easy to google and a few new thoughts.

    kptr restrict:

    https://wiki.archlinux.org/title/security

    https://lwn.net/Articles/420403/

    Kexec:

    You may google about mechanics, but basically, it is just a mechanism to 'reexec' your kernel to something different, usually another kernel, but you can boot netboot.xyz, for example.

    But now imagine that it will boot a kernel that will dump the output of all your traffic, or will dump all your keyboard keypresses (keylogger).

    These are unlikely scenarios. But I prefer to disable this feature since I don't use it anyway.

    Also, about keyloggers. Any program inside your X session may grab all your keyboard events. Literally last week I wrote a keylogger in rust in 70 lines of code. Therefore, use Wayland.

    Ebpf JIT:

    There I misleaded you.

    There is some new information about JIT and security. See https://youtu.be/kvt4wdXEuRU?si=3imn8PAEbvgjWTU3

    According to the update, you need to set bpf_jit_harden=2 and unprivileged_bpf_disabled=1. (Even unprivileged ebpf may crash your kernel. For some unknown reason, this is not recognized as a problem.)

    Randomize virtual memory address:

    https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR#:~:text=Address space layout randomization (ASLR) is a memory-protection,executables are loaded into memory.

    systemd

    If you use systemd your can use systemd-analyze tool to harden your units settings.

    Also, I remember the tool you can use.

    There are some security certifications - most used are pcidss or stig. There are guidelines to improve security.

    You can use openscap with a profile (pcidss or stig or both) and it will check if your system satisfies these guidelines.

    This may give you some thoughts.

    •
    Hardening Arch Linux

  • There are also some kernel settings that you may find useful. Currently I am on the mobile and cannot remember the names. Text me if you need help

    Network:

    Enable rp and arp filter

    Disable IP forwarding if you don't use docker

    Disable tcp timestamp

    Disable icmp broadcast

    Enable syncookies

    Enable source route checking

    Other:

    Enable hard and soft link protection (it is may broke your system, use carefully)

    Enable kptr restrict

    Disable kexec

    Disable sysrq

    Enable randomize virtual memory address

    Disable JIT for ebpf programms

    Disable loading drivers via modprobe in live kernel.

    Also check which hardware mitigations is disabled in your kernel. (Spectre, meltdawn) You may enable KASL

    Also use selinux or apparmor. I prefer Selinux.

    Enable auditd and configure it for auditing actions that your find useful.

    • InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)VA
    vatson112 @lemm.ee
    Posts 0
    Comments 2