Some security settings from the Arch Wiki

These would be nice to have out of the box, especially with ptrace completely disabled.
2025-11-17 19:40:55 +00:00 · 2021-04-15 07:14:22 -04:00 · 2021-04-15 07:14:22 -04:00 · db155c2c6b
commit db155c2c6b
parent a4d515776d
1 changed files with 20 additions and 0 deletions
--- a/easy-arch.sh
+++ b/easy-arch.sh
@ -190,6 +190,26 @@ arch-chroot /mnt /bin/bash -e <<EOF

 EOF

+#Security kernel settings
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
+kernel.dmesg_restrict = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
+kernel.kptr_restrict = 2
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
+kernel.kexec_load_disabled = 1
+EOF
+
+sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+net.core.bpf_jit_harden = 2
+kernel.yama.ptrace_scope = 3
+EOF
+
 # Setting root password.
 echo "Setting root password."
 arch-chroot /mnt /bin/passwd