This is a personal repository of shell scripts and configuration files for various Linux installations, which harden various aspects of those systems' security. The repository will include scripts for system hardening and for other tools that warrant it.
This is not an exhaustive listing of all the security configurations used at any given time, as more tunings are made depending on the installation.
Simply give execution permissions to the shell script with the selected configuration, located at the root directory of the repository, and run it:
cd linux-security
chmod +x "$(pwd)/security.sh"
"$(pwd)/security.sh"
Run the shell script that sets the desired configuration and reboot the computer after a successful run. Always vet the commands run by shell scripts downloaded from the internet and non-official repositories before running them.
The scripts are meant to be set-and-forget, and as such minimal interaction is necessary.
Security information was gathered from a range of sources, mainly:
- Kicksecure Security and GrapheneOS Infrastructure Repositories; Wiki and User Forums
- Privacy Guides' and PrivSec Hardening Guides (Madaidan's Insecurities referenced, but it is outdated)
- Arch Linux Wiki Security Section
Rapidly updating OS with Secure Boot support and large backing, but hardened against breakage, which means either:
- BTRFS root, with snapper and grub2-btrfs packages installed
- Immutable Operating Systems, with rapid updating model
Heavy referencing of ChromeOS' design decisions was made in order to choose hardening flags.
- Kernel Lockdown in Confidentiality Mode (lockdown=confidentiality)
  - Disables kexec, bpf, debugfs, enforces Kernel Module signing with Secure Boot.
[...] (More to be written in the future)
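
One way to confirm after the reboot that the lockdown=confidentiality setting listed above took effect, as an added example that is not part of this repository's security.sh: the kernel marks the active mode with brackets in /sys/kernel/security/lockdown. The function names and sample strings below are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-reboot check for kernel lockdown in confidentiality mode.
# Function names are hypothetical; they do not come from this repository.

# Print the active mode from the securityfs format, where the active mode is
# the bracketed word, e.g. "none integrity [confidentiality]".
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Succeed only if the kernel command line carries lockdown=confidentiality
# as a whole parameter (not as a substring of another one).
cmdline_has_lockdown() {
    case " $1 " in
        *" lockdown=confidentiality "*) return 0 ;;
    esac
    return 1
}

# check_lockdown STATE_TEXT CMDLINE_TEXT
# Returns 0 when lockdown is active and set at boot, 1 when it is not in
# confidentiality mode, 2 when active but absent from the command line.
check_lockdown() {
    mode=$(active_lockdown_mode "$1")
    if [ "$mode" != "confidentiality" ]; then
        echo "FAIL: active lockdown mode is '${mode:-unknown}'"
        return 1
    fi
    if ! cmdline_has_lockdown "$2"; then
        echo "WARN: lockdown is active but not set on the kernel command line"
        return 2
    fi
    echo "OK: lockdown=confidentiality is active and set at boot"
}

if [ "${1:-}" = "--live" ]; then
    # Real system: read the kernel's own view of the state.
    check_lockdown "$(cat /sys/kernel/security/lockdown 2>/dev/null)" \
                   "$(cat /proc/cmdline)"
else
    # Constructed sample input, so the script also runs offline.
    check_lockdown 'none integrity [confidentiality]' \
                   'BOOT_IMAGE=/vmlinuz root=/dev/sda2 lockdown=confidentiality quiet'
fi
```

Run it with `--live` on the hardened machine; a missing or unreadable securityfs file is reported as mode 'unknown'.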