From db155c2c6b91015d1c735290937d70ca8458fd0d Mon Sep 17 00:00:00 2001
From: TommyTran732 <57488583+tommytran732@users.noreply.github.com>
Date: Thu, 15 Apr 2021 07:14:22 -0400
Subject: [PATCH 1/3] Some security settings from the Arch Wiki
These would be nice to have out of the box, especially with ptrace completely disabled.
---
 easy-arch.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/easy-arch.sh b/easy-arch.sh
index 5b8ac5a..a962715 100644
--- a/easy-arch.sh
+++ b/easy-arch.sh
@@ -190,6 +190,26 @@ arch-chroot /mnt /bin/bash -e < /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
+kernel.dmesg_restrict = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
+kernel.kptr_restrict = 2
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
+kernel.kexec_load_disabled = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+net.core.bpf_jit_harden = 2
+kernel.yama.ptrace_scope = 3
+EOF
+
 # Setting root password.
 echo "Setting root password."
 arch-chroot /mnt /bin/passwd
From 3cbe6d664f21fcae32ac97197fcae734de916fe6 Mon Sep 17 00:00:00 2001
From: TommyTran732 <57488583+tommytran732@users.noreply.github.com>
Date: Thu, 15 Apr 2021 07:17:56 -0400
Subject: [PATCH 2/3] Update easy-arch.sh
---
 easy-arch.sh | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/easy-arch.sh b/easy-arch.sh
index a962715..75c2e74 100644
--- a/easy-arch.sh
+++ b/easy-arch.sh
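Review bot: `kernel.yama.ptrace_scope = 3` in the new 10-security.conf is a one-way switch: once the kernel has loaded it the value cannot be lowered again without a reboot, and it refuses every PTRACE_ATTACH (gdb -p, strace -p) for root as well, which a user of an install script will not expect from a file with a generic name. `kernel.kexec_load_disabled = 1` in 51-kexec-restrict.conf is likewise irreversible at runtime. Both files deserve a comment so the trade-off stays visible on the installed system, e.g. `# one-way: cannot be lowered again without a reboot` above the ptrace line and `# one-way: kexec stays disabled until reboot` above the kexec line; if the goal is only to stop unprivileged attaches, `2` keeps CAP_SYS_PTRACE tooling usable. The hunk's leading context and the beginning of its first two added lines are not recoverable in this rendering, so those lines are not reviewed here.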
@@ -187,27 +187,27 @@ arch-chroot /mnt /bin/bash -e </dev/null
+
+ #Security kernel settings
+ sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
+ kernel.dmesg_restrict = 1
+ EOF
-EOF
+ sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
+ kernel.kptr_restrict = 2
+ EOF
-#Security kernel settings
-sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
-kernel.dmesg_restrict = 1
-EOF
+ sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
+ kernel.kexec_load_disabled = 1
+ EOF
-sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
-kernel.kptr_restrict = 2
-EOF
+ sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
+ net.core.bpf_jit_harden = 2
+ kernel.yama.ptrace_scope = 3
+ EOF
-sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
-kernel.kexec_load_disabled = 1
-EOF
-
-sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
-fs.protected_hardlinks = 1
-fs.protected_symlinks = 1
-net.core.bpf_jit_harden = 2
-kernel.yama.ptrace_scope = 3
 EOF
 # Setting root password.
From 53944208c0cfc5ec3e811fc6281482d1a21584ee Mon Sep 17 00:00:00 2001
From: Tommaso Chiti
Date: Fri, 16 Apr 2021 07:28:35 +0200
Subject: [PATCH 3/3] Update easy-arch.sh
---
 easy-arch.sh | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/easy-arch.sh b/easy-arch.sh
index 75c2e74..48b6c92 100644
--- a/easy-arch.sh
+++ b/easy-arch.sh
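Review bot: After the move inside the `arch-chroot /mnt /bin/bash -e` heredoc, the four `sudo bash -c 'cat > /mnt/etc/sysctl.d/...'` lines still write under `/mnt/etc/sysctl.d`, which inside the chroot is the new root's own (empty) /mnt rather than the installed /etc; the redirection fails on the missing directory and, since that shell runs with `-e`, whatever of the chrooted sequence follows is skipped. `sudo` is also unnecessary as root in the chroot and is presumably not part of the fresh base install. Patch 3/3 rewrites these paths, but the delimiter collision that it keeps is already visible here: the inner `<<-'EOF'` blocks reuse the outer heredoc's `EOF`, so correctness depends on every inner terminator being tab-indented and never reaching column 0; a distinct delimiter such as `<<-'SYSCTL'` / `SYSCTL` removes that dependency. The enclosing `arch-chroot` heredoc begins before this hunk.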
@@ -189,24 +189,14 @@ arch-chroot /mnt /bin/bash -e </dev/null #Security kernel settings
- sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
- kernel.dmesg_restrict = 1
- EOF
-
- sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
- kernel.kptr_restrict = 2
- EOF
-
- sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
- kernel.kexec_load_disabled = 1
- EOF
-
- sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
+ echo "kernel.kptr_restrict = 2" > /etc/sysctl.d/51-kptr-restrict.conf
+ echo "kernel.kexec_load_disabled = 1" > /etc/sysctl.d/51-kexec-restrict.conf
+ echo << EOF >> /etc/sysctl.d/10-security.conf
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1
 net.core.bpf_jit_harden = 2
 kernel.yama.ptrace_scope = 3
- EOF
+ EOF
 EOF
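Review bot: `echo << EOF >> /etc/sysctl.d/10-security.conf` never writes the four settings beneath it: `echo` does not read its standard input, so the here-document body is discarded and the file only receives a newline, leaving fs.protected_*, bpf_jit_harden and ptrace_scope unset on the installed system. The line should be `cat <<'SYSCTL' >> /etc/sysctl.d/10-security.conf` with the terminator changed to `SYSCTL`, which also prevents the inner terminator from ending the outer `arch-chroot ... <<EOF` heredoc early should it ever sit at column 0 (its indentation is not visible in this rendering). The removed 51-dmesg-restrict.conf block has no counterpart among the four added lines, so `kernel.dmesg_restrict = 1` from 1/3 is silently dropped; if that is unintended, add `echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/51-dmesg-restrict.conf` beside the other two echo lines. The outer heredoc starts before this hunk, and the hunk's trailing context appears to run past the end of the visible text.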