https://github.com/rhjddjdbc/arch-hardened
arch-hardening script
- Host: GitHub
- URL: https://github.com/rhjddjdbc/arch-hardened
- Owner: rhjddjdbc
- License: agpl-3.0
- Created: 2025-06-25T06:43:29.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-21T09:47:08.000Z (5 months ago)
- Last Synced: 2026-04-16T12:41:26.412Z (3 months ago)
- Topics: arch, hardened, hardening
- Language: Shell
- Homepage:
- Size: 153 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Arch Linux Hardening Script
An **interactive, security-focused hardening script for Arch Linux**.
It applies modern, pragmatic system-hardening measures while allowing you to **selectively enable or disable features** during execution.
> **Do NOT run this script as root.**
> Run it as a normal user with `sudo` privileges.
---
## Key Principles
* Secure-by-default, but **interactive**
* Minimal magic, mostly transparent configuration
* Focus on **kernel, bootloader, syscall, filesystem, and network hardening**
* Uses **native Arch tooling** where possible
* Designed to be **auditable and reversible**
---
## Supported Systems
* Arch Linux / Arch-based distributions
* GRUB bootloader
* systemd
* `sudo` (optionally replaceable with `doas`)
---
## What This Script Does
### Always Enforced (No Prompt)
These are applied automatically once the script runs:
* Refuses to run as `root`
* Ensures `sudo` is installed
* Installs `yay` (AUR helper) if missing
* Applies **secure GRUB kernel parameters**:
  * `slab_nomerge` (keeps slab caches separate, so an overflow in one object type cannot reach objects of another)
  * `page_alloc.shuffle=1` (randomises the page allocator's free lists)
  * `init_on_alloc=1` / `init_on_free=1` (zero memory on allocation and on free)
  * `lockdown=confidentiality` (kernel lockdown LSM; see Security Notes for what it disables)
  * `random.trust_cpu=off` (do not credit RDRAND/RDSEED output as entropy for the kernel RNG)
  * `quiet loglevel=3` (console noise reduction only, not a hardening measure)
* Secure default `umask 0077` (new files and directories are private to their owner)
* Blacklists **rare / high-risk kernel modules**:
* Legacy filesystems (hfs, udf, minix, etc.)
* Rare networking protocols (dccp, sctp, rds, tipc, ax25, …)
* FireWire stack
* Reloads `sshd` if active
---
## Interactive Features (Y/n Prompts)
All of the following can be enabled or skipped interactively:
### Kernel & Boot Security
* Install **`linux-hardened`**
* Enable **AppArmor** and load profiles from `apparmor.d-git`
* Add AppArmor kernel boot parameters automatically
### Sysctl Hardening
Applies strong baseline hardening via `/etc/sysctl.d/`:
* Kernel info leak protection
* ASLR enforcement
* Core dump suppression
* BPF hardening
* Namespace restrictions
* FIFO / symlink / hardlink protection
* Network hardening (rp_filter, martian logging, no redirects)
* Disable kexec
* Disable SysRq
* Disable module loading after boot (`kernel.modules_disabled=1`)
* Optional **IPv6 privacy extensions** (temporary addresses)
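The baseline below is an added example, not the project's own script: it emits a `/etc/sysctl.d/` fragment covering each category listed above and then audits the running kernel against it by reading `/proc/sys` directly. Key names are real `/proc/sys` entries; `kernel.unprivileged_userns_clone` exists only on `linux-hardened` (a stock kernel reports it as unknown), so the audit treats keys the kernel does not have as informational rather than as failures. The `ROOT` argument to the audit function is an assumption made for testability and defaults to `/proc/sys`.

```shell
#!/bin/sh
# Added example, not part of the arch-hardened script: emit a sysctl.d
# baseline and audit a running kernel against it. Keys are real /proc/sys
# entries; kernel.unprivileged_userns_clone is linux-hardened only.
set -eu

# Print the baseline in sysctl.d syntax ("#" comments, key=value lines).
hardened_sysctl_conf() {
  cat <<'EOF'
# kernel info leaks
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
# ASLR
kernel.randomize_va_space=2
# core dumps
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false
# BPF
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# namespaces (linux-hardened only; breaks Flatpak/bubblewrap unless bwrap is setuid)
kernel.unprivileged_userns_clone=0
# fifo / symlink / hardlink
fs.protected_fifos=2
fs.protected_regular=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
# network
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# optional IPv6 privacy extensions: uncomment to prefer temporary addresses
#net.ipv6.conf.all.use_tempaddr=2
#net.ipv6.conf.default.use_tempaddr=2
# kexec, SysRq, late module loading (the first and last are one-way until reboot)
kernel.kexec_load_disabled=1
kernel.sysrq=0
kernel.modules_disabled=1
EOF
}

# audit_sysctl_conf CONF [ROOT]
# Compare every key in CONF with the live value under ROOT (default /proc/sys).
# Prints one line per divergence and returns 1 if any key differs, 0 otherwise.
# Keys absent from the running kernel are reported as MISSING but do not
# change the verdict, so one baseline serves stock and hardened kernels.
audit_sysctl_conf() {
  conf=$1
  root=${2:-/proc/sys}
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case $line in
      ''|'#'*|';'*) continue ;;            # blank or comment
      *=*) ;;
      *) printf 'SKIP     malformed line: %s\n' "$line"; continue ;;
    esac
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')   # "key = value" is legal
    want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
      printf 'MISSING  %s (not present in this kernel)\n' "$key"
      continue
    fi
    have=$(tr -s '[:space:]' ' ' < "$path")  # multi-value keys use tabs
    have=${have% }
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %s live="%s" expected="%s"\n' "$key" "$have" "$want"
      rc=1
    fi
  done < "$conf"
  return "$rc"
}

# Typical use (writing under /etc needs root):
#   hardened_sysctl_conf | sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null
#   sudo sysctl --system
#   audit_sysctl_conf /etc/sysctl.d/99-hardening.conf
```

Running the audit after `sysctl --system` catches the silent failure mode of this approach: `sysctl` logs unknown keys and keeps going, and a later unit or a stray file in `/usr/lib/sysctl.d/` can override a value, so the file being in place does not prove the kernel is running with it.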
### USB & Device Security
* Install and enable **USBGuard**
* Blocks unknown USB devices by default
* Requires explicit allow rules (recommended)
### Firewall & Networking
* Install and configure **nftables**
* Default DROP policy on INPUT and FORWARD
* Allows loopback, established connections, ICMP/ICMPv6
* Optional switch to **iptables-nft** compatibility layer
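An added example, not the project's code, of the ruleset this section describes, written as a small generator so that exposed ports can be passed in. It goes one step beyond the description in two places practitioners usually get wrong: a blanket "allow ICMPv6" is replaced by the specific types IPv6 needs (neighbour discovery and router advertisements must get through even with `established,related` accepted), and new connections to any exposed service are rate limited. The port list is an assumption; by default nothing inbound is exposed.

```shell
#!/bin/sh
# Added example, not part of the arch-hardened script: generate an nftables
# ruleset with drop policies on input/forward, loopback, conntrack and the
# ICMP/ICMPv6 types a host needs, plus optional rate-limited TCP services.
set -eu

# nft_ruleset [tcp_port ...]  -> ruleset text on stdout
nft_ruleset() {
  if [ "$#" -gt 0 ]; then
    ports=$(printf '%s, ' "$@")
    services="tcp dport { ${ports%, } } ct state new limit rate 10/minute accept"
  else
    services="# no inbound services exposed; pass ports to nft_ruleset to add some"
  fi
  cat <<EOF
#!/usr/bin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept

        # IPv4 ICMP: limit echo requests, keep the error types PMTU discovery relies on
        icmp type echo-request limit rate 5/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # ICMPv6: without neighbour discovery and router advertisements IPv6 stops working
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept

        $services
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Typical use: write, syntax-check with nft's dry run, then enable.
#   nft_ruleset 22 | sudo tee /etc/nftables.conf >/dev/null
#   sudo nft -c -f /etc/nftables.conf && sudo systemctl enable --now nftables
```

The `limit rate` here is global, not per source; for per-client limiting use a dynamic set (`meter`) keyed on the source address. Always run `nft -c -f` on the file before enabling the unit: a ruleset that fails to parse leaves the host with no firewall at all rather than a stricter one.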
### Sandboxing & Isolation
* Install and enable **Firejail**
* Automatically runs `firecfg` to wrap supported apps
### Integrity & Malware Detection
* **AIDE** (File Integrity Monitoring)
* Database initialization
* Daily cron-based integrity check
* **ClamAV** (optional)
* Daily recursive scan via cron
### Privacy & Ads
* **hBlock**
* Hosts-file based ad / tracker / malware domain blocking
### Privilege Management
* Optional replacement of `sudo` with **`doas`**
* Includes safety checks before removing sudo
* Prevents lockout
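The page does not show what the safety check looks like, so here is one as an added example (not the project's code), built on two real OpenDoas features: `doas -C conf` parses the configuration and exits non-zero on error, and `doas -C conf command` additionally prints `permit`, `permit nopass` or `deny` for the calling user. Only after both pass, and a real `doas true` has escalated, is it safe to remove `sudo`. The Arch package name `opendoas` is a fact; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the arch-hardened script: refuse to remove sudo
# unless doas is demonstrably usable by the current user.
set -eu

# doas_safety_check [conf]  -> 0 if sudo may be removed, 1 otherwise
doas_safety_check() {
  conf=${1:-/etc/doas.conf}
  me=$(id -un)
  if ! command -v doas >/dev/null 2>&1; then
    echo "doas is not installed (pacman -S opendoas); keep sudo" >&2
    return 1
  fi
  # 1. The config must parse; a typo here locks you out after sudo is gone.
  if ! doas -C "$conf"; then
    echo "$conf does not parse; keep sudo" >&2
    return 1
  fi
  # 2. A rule must actually match this user (permit / permit nopass / deny).
  verdict=$(doas -C "$conf" true) || return 1
  case $verdict in
    permit*) ;;
    *) echo "no doas rule lets $me run commands as root (got '$verdict'); keep sudo" >&2
       return 1 ;;
  esac
  # 3. End-to-end probe: the setuid bit, PAM stack and password must all work,
  #    not just the parser. This prompts for the password.
  if ! doas true; then
    echo "doas true failed for $me (password or PAM problem); keep sudo" >&2
    return 1
  fi
  return 0
}

# Typical use, from the same shell that will lose sudo:
#   doas_safety_check && sudo pacman -Rns sudo
```

Run the probe from a fresh login rather than a shell with a cached `sudo` credential, and keep a root shell open in another terminal until `doas` has been exercised once after `sudo` is removed.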
### Packaging & Apps
* Optional **Flatpak** installation
* Adds **Flathub** repository if missing
### Anonymity (Optional)
* Install **torctl**
* System-wide Tor routing (effective after reboot)
---
## Usage
```bash
git clone https://github.com/rhjddjdbc/arch-hardened.git
cd arch-hardened
chmod +x arch-hardening.sh
./arch-hardening.sh
```
Read the script before running it: it installs packages (including AUR builds) and rewrites boot, sysctl, firewall and module configuration with `sudo`.
Follow the interactive prompts.
Press **Enter** to accept the recommended defaults.
---
## Reboot Required
Many changes (kernel, GRUB, AppArmor, sysctl, USBGuard) require a **reboot**.
The script will ask before rebooting.
---
## Security Notes & Warnings
* `kernel.modules_disabled=1` **prevents loading kernel modules after boot**
  * Anything not loaded before `systemd-sysctl.service` runs will fail later (filesystem drivers for removable media, `nf_tables` and the `nft_*` modules your ruleset uses, drivers for hotplugged hardware). List them in `/etc/modules-load.d/`, or set this one sysctl from a unit ordered late in boot instead of from `/etc/sysctl.d/`
  * `kernel.modules_disabled` and `kernel.kexec_load_disabled` cannot be switched back to `0` without a reboot
* `lockdown=confidentiality` also disables hibernation, `/dev/mem`, `/proc/kcore`, unsigned kexec and kernel-memory reads from BPF and perf tracing, so most low-level debugging tools stop working
* A `blacklist` line in `/etc/modprobe.d/` only stops automatic loading; root can still `modprobe` the module. Use `install <module> /bin/false` to block that too, or rely on `kernel.modules_disabled=1`
* Restricting user namespaces breaks unprivileged sandboxes such as Flatpak's `bubblewrap` (not setuid on Arch); Firejail is setuid root and can still create its namespaces
* USBGuard will block **all unknown USB devices**
  * Run `usbguard generate-policy` to whitelist what is currently plugged in before enabling the service; otherwise you must explicitly allow keyboards, mice, webcams, etc. from a session that still works
* `yay`, `apparmor.d-git`, `torctl` and any other AUR package are user-submitted builds with no distribution review; read the PKGBUILD before installing
* Firejail is a setuid-root binary and has had local privilege-escalation bugs in the past; keep it updated
* AIDE and ClamAV run from cron, which Arch does not ship by default: install and enable a cron daemon (e.g. `cronie`) or the daily checks never run
* Replacing `sudo` with `doas` is safe **only if tested**
* Firewall rules are intentionally minimal; expand them as needed
---
## License
AGPL-3.0
---