bastian/debyl-site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CU-dgpgu9 Added markdownlint and fixed markdown

Browse Source
This commit is contained in:
Bastian de Byl
2020-10-09 20:37:26 -04:00
parent 858875a95e
commit 245111cbb9
17 changed files with 356 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
content/post/hardened_linux.md
View File

@@ -20,31 +20,37 @@ enable more hardening features. By default, the `linux-hardened` kernel on Arch
Linux has security leaning defaults.
# Laying the Ground Work
On Arch Linux, it's as simple as:
```
```text
# pacman -S linux-hardened linux-hardened-headers
```
_Optionally (additionally) run `mkinitcpio -p linux-hardened` as root if
this wasn't already done automatically as part of the installation_
<sub><i>Optionally (additionally) run `mkinitcpio -p linux-hardened` as root if
this wasn't already done automatically as part of the installation</i></sub>
The steps to boot to the hardened kernel will change based on your boot
loader. Personally, I am using
[`systemd-boot`](https://wiki.archlinux.org/index.php/Systemd-boot) and will
therefore start with that.
## Boot Loader Configuration
### **`systemd-boot`**
Create a new loader config will need to be created on top of your existing one
in `/boot/loader/entries/`
**Example**
#### Example Systemd-boot Entry
```apacheconf
title Arch Linux (Hardened)
linux /vmlinuz-linux-hardened
initrd /initramfs-linux-hardened.img
options ...
```
_The `options` line above will be specific to your system. This can be copied
from existing, working loader configurations or such as the one described in
[Installing Arch Linux](/post/archinstall/#set-up-linux-installation)_
@@ -53,14 +59,17 @@ Change the default **or** enable `auto-entries` to selectively boot from it in
`/boot/loader/loader.conf`
### **`grub`**
For grub, it should be as simple as running `grub-mkconfig -o
/boot/grub/grub.cfg` (_as root_)
### **`syslinux`**
Similar to `systemd-boot`, `syslinux` requires an additional entry in it's
configuration file, found at `/boot/syslinux/syslinux.conf`
**Example**
#### Example Syslinux Config
```apacheconf
PROMPT 1
TIMEOUT 50
@@ -73,10 +82,12 @@ LABEL archhardened
...
```
<sub>Note that the `APPEND` may differ from the example, same with `options`
for `systemd-boot`</sub>
# Finish Line
It's that simple! There are additional system hardening steps one may opt to
take such as:
@@ -90,6 +101,7 @@ On top of that, there are other tools one could leverage in addition to a
hardened kernel, though that's out-of-scope for this post. One example would be
something as simple as **disabling SSH password authentication**
(`/etc/ssh/sshd_config`):
```apacheconf
..
PasswordAuthentication no