From db155c2c6b91015d1c735290937d70ca8458fd0d Mon Sep 17 00:00:00 2001
From: TommyTran732 <57488583+tommytran732@users.noreply.github.com>
Date: Thu, 15 Apr 2021 07:14:22 -0400
Subject: [PATCH] Some security settings from the Arch Wiki

These would be nice to have out of the box, especially with ptrace completely disabled.
---
 easy-arch.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/easy-arch.sh b/easy-arch.sh
index 5b8ac5a..a962715 100644
--- a/easy-arch.sh
+++ b/easy-arch.sh
@@ -190,6 +190,26 @@ arch-chroot /mnt /bin/bash -e < /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
+kernel.dmesg_restrict = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
+kernel.kptr_restrict = 2
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
+kernel.kexec_load_disabled = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+net.core.bpf_jit_harden = 2
+kernel.yama.ptrace_scope = 3
+EOF
+
 # Setting root password.
 echo "Setting root password."
 arch-chroot /mnt /bin/passwd
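Review bot: The last drop-in is written as `10-security.conf` while the other three use a `51-` prefix; sysctl.d files are applied in lexical order with later files winning, so any higher-numbered file that sets the same keys would silently override these values, and naming it `/mnt/etc/sysctl.d/51-security.conf` keeps all four consistent. `kernel.yama.ptrace_scope = 3` and `kernel.kexec_load_disabled = 1` are both one-way at runtime (neither can be relaxed again without a reboot), and the former stops gdb and strace from working at all, so a comment above that heredoc such as `# ptrace_scope=3: ptrace fully disabled, cannot be lowered until reboot` would help users who need to opt out. The installer presumably already runs as root here, since it calls arch-chroot, so `sudo bash -c 'cat > …'` could be a plain `cat > … <<'EOF'` redirect. The start of the hunk is damaged on this page and the preceding arch-chroot heredoc begins outside it, so the first added redirect line is not fully visible.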