1
0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-22 09:31:34 -05:00

Improved Security

This commit is contained in:
TommyTran732 2021-04-14 21:13:06 -04:00 committed by tommytran732
parent c235122b23
commit b1e12ad632
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

View File

@ -146,7 +146,7 @@ sed -i -e 's,modconf block filesystems keyboard,keyboard keymap modconf block en
UUID=$(blkid $Cryptroot | cut -f2 -d'"') UUID=$(blkid $Cryptroot | cut -f2 -d'"')
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
sed -i -e "s,quiet,quiet cryptdevice=UUID=$UUID:cryptroot root=$BTRFS,g" /mnt/etc/default/grub sed -i -e "s,quiet,quiet cryptdevice=UUID=$UUID:cryptroot root=$BTRFS,g" /mnt/etc/default/grub
sed -i -e "s#root=/dev/mapper/cryptroot#oot=/dev/mapper/cryptroot lsm=lockdown,yama,apparmor,bpf#g" /mnt/etc/default/grub sed -i -e "s#root=/dev/mapper/cryptroot#root=/dev/mapper/cryptroot lsm=lockdown,yama,apparmor,bpf lockdown=confidentiality#g" /mnt/etc/default/grub
echo "" >> /mnt/etc/default/grub echo "" >> /mnt/etc/default/grub
echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" >> /mnt/etc/default/grub echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" >> /mnt/etc/default/grub
@ -210,5 +210,26 @@ sed -i 's/022/077/g' /etc/profile
echo "" >> /etc/bash.bashrc echo "" >> /etc/bash.bashrc
echo "umask 077" >> /etc/bash.bashrc echo "umask 077" >> /etc/bash.bashrc
#Security kernel settings
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
kernel.dmesg_restrict = 1
EOF
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
kernel.kptr_restrict = 2
EOF
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
kernel.kexec_load_disabled = 1
EOF
sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 3
module.sig_enforce = 1
EOF
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)." echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
exit exit