It’s generally good security practice to make sure you’re running a security-focused kernel, and on Arch Linux the most straightforward way to do so is the linux-hardened kernel.
It is important to understand that this will not give you a fully secure, bullet-proof kernel. It is, however, more security-focused than the vanilla kernel: it carries hardening patches the stock kernel lacks and lets you enable additional hardening options. By default, the linux-hardened kernel on Arch Linux ships with security-leaning defaults.
Laying the Groundwork
On Arch Linux, it’s as simple as:
# pacman -S linux-hardened linux-hardened-headers
If the initramfs was not generated automatically as part of the installation (pacman’s mkinitcpio hook normally does this), run mkinitcpio -p linux-hardened as root.
The steps to boot the hardened kernel depend on your boot loader. Personally, I am using systemd-boot and will therefore start with that.
Boot Loader Configuration
Create a new loader entry alongside your existing one in /boot/loader/entries/:
title   Arch Linux (Hardened)
linux   /vmlinuz-linux-hardened
initrd  /initramfs-linux-hardened.img
options ...
The options line above is specific to your system. Copy it from an existing, working loader entry, such as the one described in Installing Arch Linux.
Then make the new entry the default, or enable auto-entries, in systemd-boot’s loader configuration so you can select it at boot.
For GRUB, it should be as simple as regenerating /boot/grub/grub.cfg as root (grub-mkconfig -o /boot/grub/grub.cfg); the generated menu picks up the hardened kernel automatically.
syslinux requires an additional entry in its configuration file:
PROMPT 1
TIMEOUT 50
DEFAULT archhardened

LABEL archhardened
    LINUX ../vmlinuz-linux-hardened
    APPEND root=/dev/sda2 rw
    INITRD ../initramfs-linux-hardened.img
...
Note that the APPEND line (in particular the root= device) may differ from the example, as may the other entries.
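The loader steps above boil down to "copy the working options line, swap in the hardened kernel and initramfs, then confirm you actually booted it". The following is an added example for the systemd-boot case, not code from the original post: it derives the hardened entry from an existing entry file, preserves any extra initrd lines (microcode images, for instance) that a hand-written entry often forgets, and checks the running kernel after reboot. The entry file names (arch.conf, arch-hardened.conf) are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not code from the original post): generate a systemd-boot
# entry for linux-hardened from an existing, working entry, reusing its
# "options" line and any extra initrd lines (e.g. microcode) exactly as the
# post advises. File names such as arch.conf / arch-hardened.conf are
# assumptions; adjust them to your system.
set -eu

# Print the "options" line of an existing entry file; fail if it has none.
entry_options() {
    awk '$1 == "options" && !found { sub(/^options[ \t]+/, ""); print; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print initrd images other than the kernel's own initramfs (microcode etc.).
extra_initrds() {
    awk '$1 == "initrd" && $2 !~ /^\/initramfs-/ { print $2 }' "$1"
}

# Emit the hardened entry on stdout, derived from the entry given as $1.
hardened_entry() {
    opts=$(entry_options "$1") || { echo "no options line in $1" >&2; return 1; }
    printf 'title   Arch Linux (Hardened)\n'
    printf 'linux   /vmlinuz-linux-hardened\n'
    # Keep microcode (or other) initrd lines, in their original order,
    # ahead of the kernel's initramfs as systemd-boot expects.
    for img in $(extra_initrds "$1"); do
        printf 'initrd  %s\n' "$img"
    done
    printf 'initrd  /initramfs-linux-hardened.img\n'
    printf 'options %s\n' "$opts"
}

# After rebooting: confirm you are actually on the hardened kernel.
# $1 defaults to the running kernel release; pass a string to test offline.
running_hardened() {
    case "${1:-$(uname -r)}" in
        *hardened*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage (as root):
#   hardened_entry /boot/loader/entries/arch.conf > /boot/loader/entries/arch-hardened.conf
#   running_hardened && echo "running linux-hardened"
```

Check the generated file before rebooting: a hardened entry that reuses the wrong root= or drops a microcode initrd will either fail to boot or boot without the CPU microcode fixes you had on the stock kernel.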
It’s that simple! There are additional system hardening steps one may opt to take such as:
.. and more!
On top of that, there are other tools and settings one can leverage alongside a hardened kernel, though a full treatment is out of scope for this post. One example is something as simple as disabling SSH password authentication in sshd_config:
..
PasswordAuthentication no
..
This forces clients to authenticate with a public key listed in the authorized_keys file of the user you are connecting as. See man ssh-copy-id for an easy way to install your key before enabling this (and reload sshd afterwards), so you don’t lock yourself out.
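A quick grep for "PasswordAuthentication no" is not the same as sshd actually enforcing it: sshd keeps the first value it reads for a keyword and ignores later duplicates, the built-in default is "yes", and a Match block can re-enable passwords for particular users or hosts. The following added example (not code from the original post) reports the value sshd will apply globally for a given config file; the path passed in is an assumption (normally /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example (not code from the original post): report the password
# authentication setting that sshd will actually enforce for a given
# sshd_config. Two caveats a plain grep misses: sshd keeps the FIRST value
# it reads for a keyword and ignores later duplicates, and the built-in
# default is "yes". Only the global section is inspected (everything before
# the first Match block); Match blocks can re-enable password auth for
# specific users or hosts, so review those separately.
# The file path passed in is an assumption (normally /etc/ssh/sshd_config).
set -eu

# Print "yes" or "no": the global PasswordAuthentication value sshd resolves.
password_auth_effective() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "yes" }' "$1"
}

# Usage: password_auth_effective /etc/ssh/sshd_config
# On a live host, "sshd -T | grep -i passwordauthentication" prints the value
# sshd itself resolves, which is the authoritative check.
```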
Author Bastian de Byl