It’s generally good security practice to run a kernel with exploit mitigations and attack-surface reduction enabled, and on Arch Linux a straightforward way to get there is the linux-hardened kernel.

It is important to understand that this does not guarantee a fully secure, bullet-proof kernel. It is, however, more security-focused than the vanilla kernel: it carries additional hardening patches and exposes further hardening knobs the user can turn on. On Arch Linux the linux-hardened package ships with security-leaning defaults. Some of those defaults have side effects, for example unprivileged user namespaces are disabled by default (the kernel.unprivileged_userns_clone sysctl), which can break sandboxes that rely on them, so check the behaviour of things like containers and browser sandboxes after switching.

Laying the Ground Work

On Arch Linux, it’s as simple as:

# pacman -S linux-hardened linux-hardened-headers

Optionally, run mkinitcpio -p linux-hardened as root if the initramfs was not already generated by the package’s install hook (it normally is). The linux-hardened-headers package is only needed if you build out-of-tree modules (for example via DKMS) against the hardened kernel.

The steps to boot the hardened kernel depend on your boot loader. Personally, I am using systemd-boot and will therefore start with that.

Boot Loader Configuration

systemd-boot

A new loader entry needs to be created alongside your existing one in /boot/loader/entries/ (any filename ending in .conf will do).

Example

title Arch Linux (Hardened)
linux /vmlinuz-linux-hardened
initrd /initramfs-linux-hardened.img
options ...

The options line above is specific to your system. Copy it from an existing, working loader entry, such as the one described in Installing Arch Linux, so the root device and any other kernel parameters stay the same.

Then, in /boot/loader/loader.conf, either point the default setting at the new entry or keep a non-zero timeout so the entry can be selected from the boot menu.
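The systemd-boot steps above can be scripted so the kernel command line and any microcode initrd lines are carried over from a working entry instead of retyped. The following is an added example, not code from the original post: it assumes the Arch ESP layout (vmlinuz-linux-hardened and initramfs-linux-hardened.img at the ESP root, entries under loader/entries), uses a temp directory as a stand-in for /boot, and the entry filename arch-hardened.conf is my own choice. check_entry confirms every path the new entry references actually exists on the ESP before you reboot into it.

```sh
#!/bin/sh
# Added example, not from the original post. Derives a systemd-boot entry for
# linux-hardened from an existing, working entry and sanity-checks it.
# Assumptions: Arch's ESP layout (/vmlinuz-linux-hardened and
# /initramfs-linux-hardened.img at the ESP root, entries under loader/entries)
# and the entry filename arch-hardened.conf, which is my own choice.

# make_hardened_entry SRC DST
# Writes DST with the hardened kernel/initramfs, keeping SRC's microcode initrd
# lines and its options line (the kernel command line) unchanged.
make_hardened_entry() {
    src=$1
    dst=$2
    if ! grep -q '^options' "$src"; then
        echo "make_hardened_entry: no options line in $src" >&2
        return 1
    fi
    {
        echo 'title   Arch Linux (Hardened)'
        echo 'linux   /vmlinuz-linux-hardened'
        # keep e.g. "initrd /intel-ucode.img", drop the stock initramfs
        awk '$1 == "initrd" && $2 !~ /initramfs-linux/ { print "initrd  " $2 }' "$src"
        echo 'initrd  /initramfs-linux-hardened.img'
        grep '^options' "$src"
    } > "$dst"
}

# check_entry ESP ENTRY
# Returns 0 only if every linux/initrd path in ENTRY exists under ESP, so a
# typo or a missing initramfs is caught before rebooting.
check_entry() {
    esp=$1
    entry=$2
    rc=0
    for path in $(awk '$1 == "linux" || $1 == "initrd" { print $2 }' "$entry"); do
        if [ ! -f "$esp$path" ]; then
            echo "check_entry: missing $esp$path" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed ESP in a temp directory (not the real /boot).
demo() {
    esp=$(mktemp -d)
    mkdir -p "$esp/loader/entries"
    : > "$esp/vmlinuz-linux-hardened"
    : > "$esp/initramfs-linux-hardened.img"
    : > "$esp/intel-ucode.img"
    cat > "$esp/loader/entries/arch.conf" <<'EOF'
title   Arch Linux
linux   /vmlinuz-linux
initrd  /intel-ucode.img
initrd  /initramfs-linux.img
options root=UUID=0000-constructed rw
EOF
    make_hardened_entry "$esp/loader/entries/arch.conf" \
                        "$esp/loader/entries/arch-hardened.conf" &&
        check_entry "$esp" "$esp/loader/entries/arch-hardened.conf" &&
        cat "$esp/loader/entries/arch-hardened.conf"
    rm -rf "$esp"
}

demo
```

On a real system, call make_hardened_entry with /boot/loader/entries/<your-entry>.conf as the source and run check_entry against /boot; a non-zero exit means the entry would not boot.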

grub

For GRUB, it should be as simple as regenerating the configuration as root with grub-mkconfig -o /boot/grub/grub.cfg. The generator picks up every vmlinuz-* image in /boot, so the hardened kernel gets its own menu entry; confirm with grep hardened /boot/grub/grub.cfg before rebooting.

syslinux

Similar to systemd-boot, syslinux requires an additional entry in its configuration file, found at /boot/syslinux/syslinux.cfg

Example

PROMPT 1
TIMEOUT 50
DEFAULT archhardened

LABEL archhardened
    LINUX ../vmlinuz-linux-hardened
    APPEND root=/dev/sda2 rw
    INITRD ../initramfs-linux-hardened.img

...

Note that the APPEND line may differ from the example, just as the options line does for systemd-boot.

Finish Line

It’s that simple! After rebooting, uname -r should report a kernel version ending in -hardened. There are additional system hardening steps one may opt to take such as:

.. and more!

On top of that, there are other measures one could take in addition to a hardened kernel, though those are out of scope for this post. One example is something as simple as disabling SSH password authentication in /etc/ssh/sshd_config:

..
PasswordAuthentication no
..

This forces clients to authenticate with a public key listed in ~/.ssh/authorized_keys for the user being connected as. See man ssh-copy-id for an easy way to install the key before turning passwords off, and keep an existing session open while you verify a fresh key-based login works. Two caveats: sshd honours the first occurrence of a keyword, so a later PasswordAuthentication no does nothing if an earlier line says yes; and with UsePAM yes, keyboard-interactive authentication still lets PAM prompt for a password unless KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH older than 8.7) is set as well. Validate the result with sshd -t and check the effective settings with sshd -T before reloading the service.
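The first-match rule and the PAM caveat are easy to get wrong by hand. The following is an added example, not code from the original post: it audits an sshd_config the way sshd reads its global section (first occurrence of each keyword wins, keywords are case-insensitive, comments are skipped, Match blocks are not evaluated) and applies upstream defaults for anything unset. The sample configs are constructed temp files; on a real host point it at /etc/ssh/sshd_config, or better at the output of sshd -T, which resolves Include and Match for you.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for ways a
# password prompt could still be offered after "PasswordAuthentication no".
# sshd uses the FIRST occurrence of a keyword in the global section, and with
# UsePAM yes the keyboard-interactive method lets PAM ask for a password unless
# KbdInteractiveAuthentication (ChallengeResponseAuthentication before
# OpenSSH 8.7) is also "no". Upstream defaults are assumed for unset keywords.

# first_value FILE KEYWORD DEFAULT
# Prints the effective (lowercased) value of KEYWORD: first global occurrence,
# keyword matched case-insensitively, comments skipped, Match blocks ignored.
first_value() {
    awk -v kw="$2" -v def="$3" '
        $1 == "Match"              { exit }   # global section ends here
        /^[ \t]*#/ || NF < 2       { next }
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_logins_possible FILE
# Returns 0 if sshd could still prompt for a password, 1 if only keys work.
password_logins_possible() {
    cfg=$1
    pw=$(first_value "$cfg" PasswordAuthentication yes)
    cra=$(first_value "$cfg" ChallengeResponseAuthentication yes)
    kbd=$(first_value "$cfg" KbdInteractiveAuthentication "$cra")
    pam=$(first_value "$cfg" UsePAM no)
    if [ "$pw" = yes ]; then
        echo "password auth is on (PasswordAuthentication=$pw)" >&2
        return 0
    fi
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
        echo "PAM may still prompt for a password (UsePAM=$pam, KbdInteractiveAuthentication=$kbd)" >&2
        return 0
    fi
    return 1
}

# Demo on constructed sample configs in a temp directory.
demo() {
    d=$(mktemp -d)
    # Looks hardened but is not: the first PasswordAuthentication wins, and
    # UsePAM yes with the default KbdInteractiveAuthentication keeps PAM prompts.
    cat > "$d/weak" <<'EOF'
# constructed sample
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
    cat > "$d/fixed" <<'EOF'
# constructed sample
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF
    for f in weak fixed; do
        if password_logins_possible "$d/$f"; then
            echo "$f: password logins still possible"
        else
            echo "$f: key-only"
        fi
    done
    rm -rf "$d"
}

demo
```

The audit only covers the global section; a Match block can re-enable passwords for specific users or addresses, which is why sshd -T (optionally with -C to simulate a connection) is the authoritative check on a live host.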