$ cat hardend.txt
Arch Linux Hardening - A Comprehensive Security Guide

Arch Linux is a highly flexible and customizable operating system, known for its simplicity and control. With that flexibility comes responsibility: users must understand the security aspects of their system. Below, we walk through a hardening script designed to make an Arch Linux installation more secure by automating a series of security measures. The script brings the system up to current security practice and defends it against a range of threats.

1. Automatic Installation of yay (AUR Helper)

The script begins by installing yay, an AUR (Arch User Repository) helper. yay simplifies installing and managing software that is not in the official Arch repositories but is hosted in the AUR, which is especially useful for community-maintained open-source tools. If yay is not installed, it is built from source so that all required packages can be retrieved.

Why is this important?

Many essential security tools and system utilities are only available in the AUR. yay lets you install them quickly and reliably, streamlining system administration.

2. Installing the linux-hardened Kernel

The default Linux kernel is suitable for general use, but it does not always carry the latest security enhancements. The script installs the linux-hardened kernel, a security-oriented build of the standard kernel whose patches harden the system and reduce its attack surface.

Why is this important?

The kernel is the core of the operating system, and a vulnerability there can lead to a complete system compromise. The linux-hardened kernel reduces that risk with additional security features and mitigations.

3. Enabling AppArmor and Optional Profiles

AppArmor is a Mandatory Access Control (MAC) system that confines applications to a defined set of permissions. With AppArmor, programs can only access the resources they need to operate, which limits the damage a compromised application can do. The script enables AppArmor and installs additional security profiles from the AUR to harden the system further.

Why is this important?

AppArmor protects against attacks that exploit vulnerabilities in software. If an attacker gains control of an application, AppArmor keeps them from reaching the rest of the system, confining the damage to that application.

4. Configuring GRUB Boot Options for Better Isolation

The script adjusts the GRUB boot options to enable additional security features. It adds kernel parameters such as apparmor=1 and slab_nomerge to improve security and stability; these parameters strengthen process isolation and protect against memory-based attacks.

Why is this important?

Booting with security-oriented parameters means the kernel is protected from the very start. These parameters help guard against attacks that try to exploit memory vulnerabilities early in the boot process.

5. Installing and Enabling USBGuard

USBGuard is a security tool that controls access to USB devices. The script creates a ruleset that allows only trusted USB devices and blocks all others, reducing the risk of malware entering the system through a compromised USB device.

Why is this important?

USB devices are a common attack vector: they can carry malware or be used to exfiltrate data. USBGuard minimizes this risk by ensuring that only authorized devices may interact with the system.

6. Configuring a Simple nftables Firewall

The script configures a basic firewall using nftables. By default, all incoming traffic is blocked except for essential ports (SSH on port 22, HTTP on port 80, and HTTPS on port 443). This basic firewall ensures that only expected network traffic is admitted, protecting the system from unauthorized access.

Why is this important?

A firewall is a critical security tool that blocks unwanted connections. By admitting only expected traffic, the firewall reduces the risk of external attacks against your system.

7. Applying Kernel Hardening via sysctl

The script sets several security-related parameters in the sysctl configuration. These parameters control things like access to kernel information and the randomization of memory addresses (Address Space Layout Randomization, ASLR). Setting them helps defend the system against known attack techniques.

Why is this important?

Tuning these kernel parameters makes vulnerabilities harder to exploit. Settings such as kernel.kptr_restrict and kernel.randomize_va_space improve security by making memory layouts harder to predict and arbitrary code harder to execute.

8. Installing AIDE (Advanced Intrusion Detection Environment)

AIDE is an intrusion detection system (IDS) that monitors changes to files. It builds a database of hashes for critical system files and periodically checks whether unauthorized modifications have been made, so you can detect and respond to changes that may indicate a breach.

Why is this important?

When an attacker gains access to a system, they often try to cover their tracks. AIDE detects such changes, allowing you to act quickly to secure the system.

9. Installing ClamAV Antivirus

ClamAV is an open-source antivirus tool for Linux systems. It scans for malware and viruses that may be present on the system. The script installs ClamAV and ensures that the virus definition database is updated regularly.

Why is this important?

Although Linux is less susceptible to malware than other operating systems, it is not immune. ClamAV helps detect and remove malware, keeping the system protected from known threats.

10. Configuring DNS via dnscrypt-proxy

The script sets up dnscrypt-proxy to encrypt DNS queries and ensure their integrity. It uses the LibreDNS server, which supports DNSSEC (DNS Security Extensions), ensuring that DNS answers are not tampered with.

Why is this important?

DNS queries are susceptible to Man-in-the-Middle (MitM) attacks, in which attackers intercept or modify them. By encrypting queries with dnscrypt-proxy and validating answers with DNSSEC, the script ensures that the data remains unaltered and secure.

11. Installing hBlock to Block Tracking and Malware Domains

The script installs hBlock, which blocks known tracking and malware domains by modifying the system's /etc/hosts file. This prevents the system from contacting malicious servers or services that could compromise privacy or security.

Why is this important?

Tracking and malware domains can jeopardize privacy and infect the system with malicious software. Blocking them reduces exposure to such threats and protects the system from unwanted surveillance.

12. Activating the Audit Daemon (auditd)

auditd is a security tool that monitors system activity and logs security-relevant events. The script configures and activates auditd with specific rules to track changes to critical files and configurations.

Why is this important?

Monitoring security-relevant events and file changes lets you identify potential security incidents quickly. auditd gives you a clear record of what is happening on your system, which aids incident response and forensics.
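The twelve steps above are one procedure, so here is a single added example that implements the configuration side of it as a POSIX shell script. It is my own code, not the hardend.txt script or the arch-hardend project's code. It generates the GRUB parameters, nftables ruleset, sysctl drop-in and audit rules as functions that can be inspected and tested without root, adds a verifier that compares a sysctl file against the running values, and only touches the system when invoked with --apply. Package names, file paths, the AIDE database path, the dnscrypt-proxy server name 'libredns' and the extra security=apparmor parameter (needed alongside apparmor=1 on most kernels) are assumptions to check against your system.

```shell
#!/bin/sh
# Added example, not the hardend.txt script: config generators, a sysctl
# verifier and an --apply path for an Arch host. Package names, paths, the
# AIDE database path and the 'libredns' server name are assumptions.
set -eu

# 4. GRUB: append kernel parameters to GRUB_CMDLINE_LINUX_DEFAULT, skipping any
#    already present so the function is safe to re-run (no-op if the line is absent).
grub_add_params() {
    grub_file=$1; shift
    for p in "$@"; do
        grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]$p[\" ]" "$grub_file" && continue
        sed -i "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 $p\"/" "$grub_file"
    done
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/' "$grub_file"   # tidy empty-value case
}

# 6. nftables: default-deny inbound ruleset admitting only the listed TCP ports.
gen_nft_ruleset() {
    printf '%s\n' '#!/usr/sbin/nft -f' 'flush ruleset' '' 'table inet filter {' \
        '    chain input {' \
        '        type filter hook input priority 0; policy drop;' \
        '        iif "lo" accept' \
        '        ct state established,related accept' \
        '        ct state invalid drop' \
        '        meta l4proto { icmp, icmpv6 } accept'
    for port in "$@"; do printf '        tcp dport %s accept\n' "$port"; done
    printf '%s\n' '    }' \
        '    chain forward { type filter hook forward priority 0; policy drop; }' \
        '    chain output { type filter hook output priority 0; policy accept; }' '}'
}

# 7. sysctl: the keys the guide names plus common companions (ASLR on, kernel
#    pointers and dmesg hidden from unprivileged users, ptrace restricted).
gen_sysctl_conf() {
    printf '%s\n' 'kernel.kptr_restrict = 2' 'kernel.randomize_va_space = 2' \
        'kernel.dmesg_restrict = 1' 'kernel.yama.ptrace_scope = 1' \
        'kernel.unprivileged_bpf_disabled = 1' 'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.tcp_syncookies = 1'
}

# Verification: compare each key=value in a sysctl file with the live value read
# from a /proc/sys-style tree (default /proc/sys). Prints mismatches, returns 1 if any.
verify_sysctl() {
    vs_conf=$1; vs_tree=${2:-/proc/sys}; vs_bad=0
    while IFS='=' read -r vs_key vs_want; do
        vs_key=$(printf '%s' "$vs_key" | tr -d ' '); vs_want=$(printf '%s' "$vs_want" | tr -d ' ')
        [ -z "$vs_key" ] && continue
        case $vs_key in '#'*) continue;; esac
        vs_have=$(cat "$vs_tree/$(printf '%s' "$vs_key" | tr . /)" 2>/dev/null || echo missing)
        if [ "$vs_have" != "$vs_want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$vs_key" "$vs_want" "$vs_have"; vs_bad=1
        fi
    done < "$vs_conf"
    return $vs_bad
}

# 12. auditd: watch identity, privilege and sshd configuration files and log
#     kernel module loading; the -k keys make later `ausearch -k` queries simple.
gen_audit_rules() {
    printf '%s\n' '-D' '-b 8192' \
        '-w /etc/passwd -p wa -k identity' '-w /etc/shadow -p wa -k identity' \
        '-w /etc/sudoers -p wa -k privilege' '-w /etc/sudoers.d/ -p wa -k privilege' \
        '-w /etc/ssh/sshd_config -p wa -k sshd' \
        '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules'
}

# Apply everything on an Arch host as root (steps 2-12; yay/hblock via the AUR).
harden_apply() {
    pacman -S --needed --noconfirm linux-hardened apparmor usbguard nftables aide clamav dnscrypt-proxy audit
    grub_add_params /etc/default/grub apparmor=1 security=apparmor slab_nomerge
    grub-mkconfig -o /boot/grub/grub.cfg
    gen_nft_ruleset 22 80 443 > /etc/nftables.conf
    nft -c -f /etc/nftables.conf                        # syntax check before loading
    gen_sysctl_conf > /etc/sysctl.d/99-hardening.conf && sysctl --system
    gen_audit_rules > /etc/audit/rules.d/hardening.rules
    usbguard generate-policy > /etc/usbguard/rules.conf  # allow only devices present now
    sed -i -e "s/^#\? *server_names = .*/server_names = ['libredns']/" \
        -e 's/^require_dnssec = .*/require_dnssec = true/' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    printf 'nameserver 127.0.0.1\noptions edns0\n' > /etc/resolv.conf
    aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz   # assumed DB path
    freshclam
    command -v hblock >/dev/null || yay -S --needed --noconfirm hblock; hblock
    systemctl enable --now apparmor nftables usbguard auditd dnscrypt-proxy clamav-freshclam
}

if [ "${1:-}" = "--apply" ]; then harden_apply; fi
```

Run it without arguments to load the functions for inspection (for example `gen_nft_ruleset 22 443 | nft -c -f -` to dry-run a ruleset, or `verify_sysctl /etc/sysctl.d/99-hardening.conf` after a reboot to confirm the values took effect), and with --apply as root to make the changes. Build the USBGuard policy with your trusted devices plugged in, since `generate-policy` allows exactly what it sees, and reboot into the linux-hardened entry before trusting the AppArmor and sysctl state.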
arch-hardend
$