Enhance security - Sawangg/dotfiles GitHub Wiki

AppArmor

AppArmor is a Mandatory Access Control (MAC) system, implemented upon the Linux Security Modules (LSM).

doas pacman -S apparmor apparmor-dinit
doas dinitctl enable apparmor # The service will fail to start until the kernel parameters below are set

[!NOTE] SELinux can offer even more security but is way harder to configure on Artix as it requires pulling base packages from the AUR. For my use-case, AppArmor is enough on the desktop.

Configure the kernel

Now that AppArmor is installed, we need to add the following kernel parameters to our bootloader config. I'm using GRUB, so I appended the following to /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT=".... lsm=landlock,lockdown,yama,integrity,apparmor,bpf"

Don't forget to update your bootloader with

doas update-grub

You can now reboot and check if AppArmor is enabled and loaded

aa-enabled

Firewall

I assume you know what a firewall is all about, so we're going to install one called nftables. We're also going to use the iptables-nft package: it replaces the legacy iptables package and provides a compatibility layer for things like Docker that still rely on the iptables command

# The package iptables-nft uninstalls iptables and installs nftables
doas pacman -S iptables-nft nftables-dinit

Edit /etc/nftables.conf to add our custom firewall rules

#!/usr/bin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    # tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
  chain output {
    type filter hook output priority filter
  }
}

You can now enable the service

doas dinitctl enable nftables

You can now list the rules currently in use

doas nft list ruleset

Make Docker work

//TODO

Runtime kernel parameters

We already installed the hardened version of the Linux kernel, so we just have to tweak a few network kernel parameters

doas mkdir /etc/sysctl.d/
doas vim /etc/sysctl.d/99-network.conf

Add this config

# Do not act as a router
net.ipv4.ip_forward = 0

# SYN flood protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP redirect
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Finally apply your changes by running

doas sysctl --system
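After `sysctl --system` it is worth confirming that the kernel actually reports the values you wrote, since a later file in /etc/sysctl.d, a runtime change or a typo in a key name will silently win. The following check script is an added example, not part of the dotfiles repository; it works for any file in /etc/sysctl.d, assumes single-token values (true for every key on this page), and the optional ROOT argument exists only so the logic can be tested against a constructed directory instead of /proc/sys.

```shell
#!/bin/sh
# Added example: compare a sysctl.d file with what the kernel reports.
#
# check_sysctl_conf FILE [ROOT]
#   ROOT defaults to /proc/sys (a different root is only useful for testing).
#   Returns 0 when every key matches, 1 when any key is missing or differs.
#   Assumes single-token values such as "net.ipv4.ip_forward = 0".
check_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    # Drop comments and blank lines, squeeze "key = value" to "key=value".
    normalised=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf")
    while IFS='=' read -r key want; do
        if [ -z "$key" ]; then continue; fi
        # sysctl keys map onto /proc/sys paths by turning dots into slashes.
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s)\n' "$key" "$path"; rc=1; continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"; rc=1
        else
            printf 'ok       %s = %s\n' "$key" "$have"
        fi
    done <<EOF
$normalised
EOF
    return $rc
}

# When run as a script, check the files given on the command line, e.g.
#   sh check-sysctl.sh /etc/sysctl.d/*.conf
for f in "$@"; do
    check_sysctl_conf "$f"
done
```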

Disable ipv6

If you want to disable IPv6 you can do so by creating the file /etc/sysctl.d/40-ipv6.conf and adding this config

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1

Don't forget to reload your config with doas sysctl --system

You also need to edit your dhcpcd config located at /etc/dhcpcd.conf

# Disable IPv6
noipv6rs
noipv6

You can check that you don't have any IPv6 addresses left on your interfaces

ip -c addr

You can now test pinging something over IPv6. It should fail!

ping -6 wiki.archlinux.org

MAC Address Spoofing

The MAC address of an interface is a unique identifier that can be used to track us. We're going to randomize it every time we connect to a Wi-Fi network. I'm using iwd, so first create the /etc/iwd directory. Next, simply add this to the iwd config file, /etc/iwd/main.conf

[General]
AddressRandomization=network
AddressRandomizationRange=full

Ref: https://wiki.archlinux.org/title/MAC_address_spoofing#iwd

DHCP Lease Issue

If we're using dhcpcd, we need to edit /etc/dhcpcd.conf and change duid to clientid, otherwise the randomized MAC address will not get a new lease. Ref: https://wiki.archlinux.org/title/Dhcpcd#Client_ID