https://github.com/rhjddjdbc/arch-hardened

arch-hardening script

Last synced: 3 months ago

README
# Arch Linux Hardening Script

An **interactive, security-focused hardening script for Arch Linux**.
It applies modern, pragmatic system-hardening measures while allowing you to **selectively enable or disable features** during execution.

> **Do NOT run this script as root.**
> Run it as a normal user with `sudo` privileges.

---

## Key Principles

* Secure-by-default, but **interactive**
* Minimal magic, mostly transparent configuration
* Focus on **kernel, bootloader, syscall, filesystem, and network hardening**
* Uses **native Arch tooling** where possible
* Designed to be **auditable and reversible**

---

## Supported Systems

* Arch Linux / Arch-based distributions
* GRUB bootloader
* systemd
* `sudo` (optionally replaceable with `doas`)

---

## What This Script Does

### Always Enforced (No Prompt)

These are applied automatically once the script runs:

* Refuses to run as `root`
* Ensures `sudo` is installed
* Installs `yay` (AUR helper) if missing
* Applies **secure GRUB kernel parameters**:
  * `slab_nomerge`
  * `page_alloc.shuffle=1`
  * `init_on_alloc=1`
  * `init_on_free=1`
  * `lockdown=confidentiality`
  * `random.trust_cpu=off`
  * `quiet loglevel=3` (cosmetic: a quieter console, not a hardening setting)
* Secure default `umask 0077`
* Blacklists **rare / high-risk kernel modules**:
  * Legacy filesystems (hfs, udf, minix, etc.)
  * Rare networking protocols (dccp, sctp, rds, tipc, ax25, …)
  * FireWire stack
* Reloads `sshd` if active
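
The GRUB step above is the kind of edit that silently duplicates parameters when a script is re-run. The following is an added example, not code from the arch-hardened project: it merges the listed parameters into `GRUB_CMDLINE_LINUX_DEFAULT`, replacing an existing value for the same key (so `loglevel=3` supersedes a stale `loglevel=7`) and appending only what is missing. It assumes the standard `/etc/default/grub` layout with a double-quoted value; the function and variable names are this example's own.

```sh
# Added example (not the arch-hardened project's own code): merge the kernel
# parameters the script enforces into GRUB_CMDLINE_LINUX_DEFAULT without
# duplicating entries, so the step is safe to re-run. Assumes the usual
# /etc/default/grub layout with a double-quoted value.
set -e
set -f   # kernel parameters are split on whitespace only; never glob them

HARDENING_PARAMS="slab_nomerge page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality random.trust_cpu=off quiet loglevel=3"

# grub_cmdline FILE - print the current GRUB_CMDLINE_LINUX_DEFAULT value (empty if unset).
grub_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | head -n 1
}

# merge_grub_cmdline FILE PARAM... - rewrite FILE in place. A parameter is
# matched by its name (the part before '='), so 'loglevel=3' replaces an
# existing 'loglevel=7' instead of being appended next to it.
merge_grub_cmdline() {
  file=$1; shift
  merged=$(grub_cmdline "$file")
  for want in "$@"; do
    key=${want%%=*}
    new=""
    found=0
    for tok in $merged; do
      if [ "${tok%%=*}" = "$key" ]; then
        new="$new $want"; found=1      # same key: take the hardened value
      else
        new="$new $tok"
      fi
    done
    [ "$found" -eq 1 ] || new="$new $want"
    merged=${new# }
  done
  line="GRUB_CMDLINE_LINUX_DEFAULT=\"$merged\""
  if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
    # Replace only the first definition; awk -v avoids sed escaping of the value.
    awk -v new="$line" '
      /^GRUB_CMDLINE_LINUX_DEFAULT=/ && !done { print new; done = 1; next }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# apply_grub_hardening - what the always-on step amounts to; run as root.
apply_grub_hardening() {
  merge_grub_cmdline /etc/default/grub $HARDENING_PARAMS
  grub-mkconfig -o /boot/grub/grub.cfg
}
```

After a reboot, `cat /proc/cmdline` shows what the kernel actually booted with, and `cat /sys/kernel/security/lockdown` shows whether `lockdown=confidentiality` took effect.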

---

## Interactive Features (Y/n Prompts)

All of the following can be enabled or skipped interactively:

### Kernel & Boot Security

* Install **`linux-hardened`**
* Enable **AppArmor** and load profiles from `apparmor.d-git`
* Add AppArmor kernel boot parameters automatically

### Sysctl Hardening

Applies strong baseline hardening via `/etc/sysctl.d/`:

* Kernel info leak protection
* ASLR enforcement
* Core dump suppression
* BPF hardening
* Namespace restrictions
* FIFO / symlink / hardlink protection
* Network hardening (rp_filter, martian logging, no redirects)
* Disable kexec
* Disable SysRq
* Disable module loading after boot (`kernel.modules_disabled=1`)
* Optional **IPv6 privacy extensions** (temporary addresses)
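
A concrete fragment for the categories above, together with the check you want after rebooting: does the running kernel actually hold these values, and does it even have every key? This is an added example, not the project's own file; the key list is constructed for it (the script may pick other keys or values), and `write_sysctl_fragment` / `audit_sysctl` are this example's names. The `-` prefix on `kernel.unprivileged_userns_clone` uses the sysctl.d(5) convention that a failure to set that key is ignored, because the key exists only on `linux-hardened`.

```sh
# Added example, not the project's own code: a sysctl.d fragment covering the
# categories listed above, plus an audit that compares the live values under
# /proc/sys with the fragment so drift (or a key the running kernel lacks) is
# reported after reboot. The key list is constructed here.
set -e

# One key=value per line, no comments. A leading '-' marks a key that
# systemd-sysctl may fail to set without error (sysctl.d(5)); it is used for
# kernel.unprivileged_userns_clone, which only exists on linux-hardened.
HARDENING_SYSCTLS='
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.randomize_va_space=2
fs.suid_dumpable=0
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
-kernel.unprivileged_userns_clone=0
fs.protected_fifos=2
fs.protected_regular=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
kernel.modules_disabled=1
'

# write_sysctl_fragment FILE - e.g. /etc/sysctl.d/99-hardening.conf; apply with
# 'sysctl --system'. Note that modules_disabled=1 cannot be undone until reboot.
write_sysctl_fragment() {
  printf '# Hardening baseline; apply with: sysctl --system\n%s' "$HARDENING_SYSCTLS" > "$1"
}

# audit_sysctl [ROOT] - compare each expected value with ROOT/proc/sys (ROOT
# defaults to the real root). Prints 'DRIFT key expected=.. actual=..' or
# 'MISSING key' per problem and returns 1 if any was found, else 0.
audit_sysctl() {
  root=${1:-}
  rc=0
  for entry in $HARDENING_SYSCTLS; do
    optional=0
    case $entry in -*) optional=1; entry=${entry#-} ;; esac
    key=${entry%%=*}
    expected=${entry#*=}
    path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
      [ "$optional" -eq 1 ] || { echo "MISSING $key"; rc=1; }
      continue
    fi
    actual=$(cat "$path")
    if [ "$actual" != "$expected" ]; then
      echo "DRIFT $key expected=$expected actual=$actual"
      rc=1
    fi
  done
  return "$rc"
}
```

Run `audit_sysctl` with no argument on the live system after reboot; a `MISSING` line for a non-optional key usually means the stock kernel is in use where a `linux-hardened` key was expected (on the stock kernel the equivalent namespace restriction is `user.max_user_namespaces=0`).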

### USB & Device Security

* Install and enable **USBGuard**
  * Blocks unknown USB devices by default
  * Requires explicit allow rules (recommended)

### Firewall & Networking

* Install and configure **nftables**
  * Default DROP policy on INPUT and FORWARD
  * Allows loopback, established connections, ICMP/ICMPv6
* Optional switch to **iptables-nft** compatibility layer
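
Written out in nft syntax, the ruleset described above looks like the following. This is an added example, not the project's own configuration: the drop policies, loopback, established/related and ICMP/ICMPv6 rules are the ones listed above, while dropping `ct state invalid`, the rate-limited log of dropped packets and the explicit `output` chain are this example's additions. The function names are its own; `/etc/nftables.conf` is the file Arch's `nftables.service` loads.

```sh
# Added example, not the project's own code: the minimal ruleset the README
# describes, written in nft syntax to a file such as /etc/nftables.conf.
set -e

# write_nft_ruleset FILE
write_nft_ruleset() {
  cat > "$1" <<'EOF'
#!/usr/bin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state established,related accept
    ct state invalid drop

    # Needed for path MTU discovery, IPv6 neighbour discovery and diagnostics.
    meta l4proto icmp accept
    meta l4proto ipv6-icmp accept

    # Services you expose go here, e.g.:
    # tcp dport 22 accept

    # Log what falls through, rate-limited so a scan cannot flood the journal.
    limit rate 5/minute log prefix "nft-drop: "
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# nft_chain_policy FILE CHAIN - print the policy of CHAIN as written in FILE.
nft_chain_policy() {
  awk -v c="$2" '
    $1 == "chain" && $2 == c { inchain = 1 }
    inchain && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }' "$1"
}

# check_nft_ruleset FILE - dry-run parse with nft (needs the same privileges as
# loading the ruleset). Skips with a message when nft is not installed.
check_nft_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed; skipping syntax check of $1" >&2
  fi
}

# install_nft_ruleset - the interactive step, run as root.
install_nft_ruleset() {
  write_nft_ruleset /etc/nftables.conf
  check_nft_ruleset /etc/nftables.conf
  systemctl enable --now nftables.service
}
```

Because the input policy is drop, anything you later serve (SSH, printing, mDNS) needs its own accept rule; `journalctl -k | grep nft-drop` shows what the ruleset is currently rejecting.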

### Sandboxing & Isolation

* Install and enable **Firejail**
  * Automatically runs `firecfg` to wrap supported apps

### Integrity & Malware Detection

* **AIDE** (File Integrity Monitoring)
  * Database initialization
  * Daily cron-based integrity check
  * Keep a copy of the initialized database off the host: an attacker with root can otherwise re-initialize it to hide changes
* **ClamAV** (optional)
  * Daily recursive scan via cron

### Privacy & Ads

* **hBlock**
  * Hosts-file based ad / tracker / malware domain blocking

### Privilege Management

* Optional replacement of `sudo` with **`doas`**
  * Includes safety checks before removing sudo
  * Prevents lockout

### Packaging & Apps

* Optional **Flatpak** installation
* Adds **Flathub** repository if missing

### Anonymity (Optional)

* Install **torctl**
  * System-wide Tor routing (effective after reboot)

---

## Usage

```bash
git clone https://github.com/rhjddjdbc/arch-hardened.git
cd arch-hardened
chmod +x arch-hardening.sh
./arch-hardening.sh
```

Read the script before running it: it escalates with `sudo` and changes boot, kernel and firewall settings.
Follow the interactive prompts.
Press **Enter** to accept the recommended defaults.

---

## Reboot Required

Many changes (kernel, GRUB, AppArmor, sysctl, USBGuard) require a **reboot**.
The script will ask before rebooting.

---

## Security Notes & Warnings

* `kernel.modules_disabled=1` **prevents loading kernel modules after boot**
  * `/etc/sysctl.d/` is applied early by `systemd-sysctl.service`, so any module that is normally autoloaded later (nftables backends, hotplugged USB devices, drivers for a dock you plug in next week) will fail to load; list such modules in `/etc/modules-load.d/` so `systemd-modules-load.service` loads them first
  * The setting is one-way: it cannot be cleared without a reboot
* `lockdown=confidentiality` also refuses unsigned kernel modules, so out-of-tree DKMS drivers that are not signed with a key the kernel trusts will not load; check the active mode with `cat /sys/kernel/security/lockdown`
* Restricting unprivileged user namespaces breaks sandboxes that depend on them: Flatpak uses `bubblewrap`, which is not setuid on Arch, so Flatpak apps will fail to start under that restriction (Firejail is setuid and is unaffected)
* USBGuard will block **all unknown USB devices**
  * You must explicitly allow keyboards, mice, webcams, etc.
  * Create the initial allow-list from the devices attached right now with `usbguard generate-policy`, review it, and only then enable the service, or you can lock yourself out of the console
* Replacing `sudo` with `doas` is safe **only if tested**
  * Keep a root shell open in a second terminal until `doas` has been verified to work for your user
* `yay` and AUR packages such as `apparmor.d-git` are built from user-submitted PKGBUILDs; read them before installing
* Firewall rules are intentionally minimal; expand them as needed
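
The first warning above is the one that most often ends in an unbootable-looking system. As an added example, not the project's own code, the following snapshots the modules the running system currently uses into a `modules-load.d` fragment, so they are loaded by `systemd-modules-load.service` before `systemd-sysctl.service` turns on `kernel.modules_disabled=1`. The `/proc/modules` path is real; the output file name, the function names and the `EXTRA_MODULES` list (modules the hardening services pull in on demand and that are therefore absent from `/proc/modules` until those services have run) are this example's own assumptions, to be checked against `lsmod` on your machine.

```sh
# Added example, not the project's own code: preload the modules the system
# needs before kernel.modules_disabled=1 takes effect at boot.
set -e

# snapshot_modules PROC_MODULES OUTFILE - one module name per line, sorted.
# Pass /proc/modules on a real system (its first column is the module name).
snapshot_modules() {
  {
    echo "# Modules to load before kernel.modules_disabled=1 takes effect."
    echo "# Generated from $1; review and trim before enabling modules_disabled."
    awk '{ print $1 }' "$1" | sort -u
  } > "$2"
}

# Modules only loaded on demand by the hardening components themselves, so they
# do not appear in /proc/modules until the service has started at least once.
# Constructed list for this example: verify with 'lsmod' after each service runs.
EXTRA_MODULES="nf_tables nft_ct nft_limit nft_log usbhid"

# append_extra_modules OUTFILE - add EXTRA_MODULES not already listed.
append_extra_modules() {
  for m in $EXTRA_MODULES; do
    grep -qx "$m" "$1" || echo "$m" >> "$1"
  done
}

# count_modules OUTFILE - number of module entries (non-comment lines).
count_modules() {
  grep -cv '^#' "$1"
}

# preload_modules - the step to run (as root) before applying the sysctl.
preload_modules() {
  snapshot_modules /proc/modules /etc/modules-load.d/hardening-preload.conf
  append_extra_modules /etc/modules-load.d/hardening-preload.conf
}
```

Take the snapshot with every device you rely on plugged in (dock, external disk, webcam); after the next reboot, `journalctl -b -u systemd-modules-load` shows whether each listed module loaded, and `dmesg | grep -i "module loading"` shows attempts that were refused afterwards.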

---

## License

AGPL-3.0

---