Wallpaper: https://www.reddit.com/user/alienpirate5/
A collection of shell scripts for hardened Arch Linux installation, configuration, and security enhancements. The aim is to make this repository a reliable and curated reference for Arch Linux hardened installation setups and configurations.
The installation script encrypts the disk using LVM on LUKS with an encrypted boot partition (full disk encryption with GRUB, for UEFI systems).
The script prepares everything for you: there is no need to worry about partitioning or the encryption process, and it also configures GRUB to unlock the encrypted disk at boot. All you have to do is change the variable values to match your system, provide a password to encrypt the disk, and specify the username and hostname. If you are using an NVIDIA GPU, the script will also install the appropriate drivers. 🙂
You will get a very clean, solid, and secure base installation.
First, download the Arch Linux ISO from the official Arch Linux download page.
Boot the media on the target device where you want to install Arch Linux.
If Git is not installed, you can install it with:

```sh
pacman -Sy git
```

Then, on the live system, do the following:

```sh
git clone https://github.com/schm1d/AwesomeArchLinux.git
cd AwesomeArchLinux/base
chmod +x *.sh
./archinstall.sh
```
Alternatively, download the scripts on another machine and copy them to removable media (e.g., a USB drive). Boot the installation media on the target device where you want to install Arch Linux.
To run the base scripts on the target machine, all you need to do is:
Copy both `archinstall.sh` and `chroot.sh` to the same directory on the live system.
Make them executable:

```sh
chmod +x archinstall.sh chroot.sh
```

Run `archinstall.sh`:

```sh
./archinstall.sh
```
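Once `archinstall.sh` has finished, it is worth confirming that the LUKS container really carries the parameters described in the feature list below. The script here is an added example and not part of the AwesomeArchLinux repository: it parses `cryptsetup luksDump` output (both the LUKS1 and the LUKS2 layout) and compares the cipher, key size and hash with the expected `aes-xts-plain64`, 512 bits and `sha512`. The device name `/dev/sdX2` and the dump text in `SAMPLE_LUKS1_DUMP` are constructed samples; on a real system pipe in `cryptsetup luksDump <your LUKS partition>` instead.

```shell
# Added example, not part of the AwesomeArchLinux scripts: verify that a LUKS
# header really carries the parameters the installer targets (aes-xts-plain64
# cipher, 512-bit key, sha512 hash). The parser reads `cryptsetup luksDump`
# text on stdin and understands both the LUKS1 and the LUKS2 layout, so it can
# be run against the real device after installation or against the constructed
# sample below.

EXPECTED_CIPHER="aes-xts-plain64"
EXPECTED_KEY_BITS=512
EXPECTED_HASH="sha512"

# Strip leading and trailing blanks/tabs from $1.
trim() {
  printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Parse luksDump output on stdin. Prints "cipher=... bits=... hash=..." and
# returns 0 only when all three values match the expected ones.
check_luks_dump() {
  cipher="" mode="" bits="" hash=""
  while IFS= read -r line; do
    key=$(trim "${line%%:*}")   # text before the first colon
    val=$(trim "${line#*:}")    # text after the first colon (may itself contain colons)
    case "$key" in
      "Cipher name") cipher="$val" ;;                        # LUKS1
      "Cipher mode") mode="$val" ;;                          # LUKS1
      "Hash spec")   hash="$val" ;;                          # LUKS1
      "MK bits")     bits="$val" ;;                          # LUKS1
      "Cipher")      [ -z "$cipher" ] && cipher="$val" ;;    # LUKS2 keyslot, first one wins
      "Cipher key")  [ -z "$bits" ] && bits="${val%% *}" ;;  # LUKS2: "512 bits"
      "Hash")        [ -z "$hash" ] && hash="$val" ;;        # LUKS2: first Hash: line
    esac
  done
  [ -n "$mode" ] && cipher="$cipher-$mode"   # LUKS1 splits cipher and mode
  printf 'cipher=%s bits=%s hash=%s\n' "$cipher" "$bits" "$hash"
  [ "$cipher" = "$EXPECTED_CIPHER" ] && [ "$bits" = "$EXPECTED_KEY_BITS" ] && [ "$hash" = "$EXPECTED_HASH" ]
}

# Constructed LUKS1 dump (device name and digest are placeholders, not real data).
SAMPLE_LUKS1_DUMP=$(cat <<'EOF'
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      (constructed sample, omitted)
EOF
)

# Stand-alone run against the sample; on a real system use:
#   cryptsetup luksDump /dev/<luks-partition> | check_luks_dump
printf '%s\n' "$SAMPLE_LUKS1_DUMP" | check_luks_dump && echo "LUKS parameters match"
```

The check prints the values it found before returning, so a mismatch shows exactly which parameter differs. Keep in mind that upstream GRUB's cryptodisk support unlocks LUKS2 headers only when they use the PBKDF2 key derivation (not Argon2), which is one reason installers that encrypt `/boot` commonly stay with LUKS1 or explicitly select PBKDF2.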
- Encrypted `/boot` partition.
- `aes-xts-plain64` cipher with a 512-bit key and `sha512` hash for secure encryption.
- Replaces `pam_tally2.so` with `pam_faillock.so` for account lockout policies (`/etc/pam.d/system-auth`).
- `pam_pwquality.so` with strict settings in `/etc/security/pwquality.conf`.
- `/etc/login.defs`
- `pam_faillock.so`
- `iptables` to set default policies, allowing only necessary traffic.
- Disables the `dccp`, `sctp`, `rds` and `tipc` protocols.
- `NetworkManager`, `ssh`, `dhcpcd`, and ensures they are enabled securely.
- `chrony` and `ntpd` for reliable timekeeping.
- `auditd`, and downloads comprehensive audit rules to monitor system activities.
- `fail2ban` to protect against unauthorized access attempts.
- `sysstat` for system performance monitoring.
- Kernel parameters `slab_nomerge`, `init_on_alloc=1`, `pti=on`, and others to harden the kernel against attacks.
- Blacklists `nouveau` when installing NVIDIA drivers.
- Secures permissions on `/etc/shadow`, `/boot/grub/grub.cfg`, and others.
- Sets `UMASK` to `027` for more restrictive default file permissions.
- `sshd_config` settings, and restricted access via `hosts.allow` and `hosts.deny`.
- `systemd-resolved` with secure DNS servers and DNSSEC enabled.
- `arpwatch` to monitor for ARP spoofing attacks.
- `/etc/modprobe.d/disable-protocols.conf`
- `rkhunter` to detect rootkits and malware.
- `/etc/sudoers` with secure defaults, logging, and environment restrictions.
- `/etc/issue` to warn unauthorized users.
- Restricts `gcc`, `g++`, and `clang` to the root user to prevent unauthorized code compilation.
- `arch-audit` to detect vulnerable packages, with a daily scan set up using a systemd timer.

Adjust `DISK`, `USERNAME`, `HOSTNAME`, `TIMEZONE`, and `LOCALE` in the `archinstall.sh` and `chroot.sh` scripts to suit your setup. Set the `SSH_PORT` variable in `chroot.sh` to use a custom SSH port.

Contributions are welcome! Feel free to submit issues or pull requests to improve the scripts, add new features, or enhance the documentation.
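The daily `arch-audit` scan mentioned in the list above can be driven by a systemd timer. The following is an added example, not the repository's own implementation: it writes a oneshot service and a daily timer into a directory passed as an argument, so the same function can target `/etc/systemd/system` on a real install or a temporary directory for an offline check. The `/usr/bin/arch-audit` path and the sandboxing directives in the service are assumptions about what arch-audit needs, not values taken from the scripts.

```shell
# Added example, not part of the AwesomeArchLinux scripts: write a oneshot
# service plus a daily timer so arch-audit scans the installed packages every
# day. write_arch_audit_units takes the destination directory as an argument so
# the same function can target /etc/systemd/system on a real install or a
# temporary directory for an offline check.

ARCH_AUDIT_BIN=/usr/bin/arch-audit   # path installed by the arch-audit package (assumed)

# Write arch-audit.service and arch-audit.timer into directory $1.
write_arch_audit_units() {
  dest="$1"
  mkdir -p "$dest"
  cat > "$dest/arch-audit.service" <<EOF
[Unit]
Description=Check installed packages against the Arch security tracker
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=$ARCH_AUDIT_BIN
# The scan only reads the pacman database and fetches advisories, so it can
# run inside a locked-down sandbox (assumed sufficient for arch-audit).
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
EOF
  cat > "$dest/arch-audit.timer" <<'EOF'
[Unit]
Description=Daily arch-audit vulnerability scan

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
EOF
}

# Return 0 when both unit files exist in $1, the timer fires daily and the
# service runs the expected binary.
arch_audit_units_ok() {
  [ -f "$1/arch-audit.service" ] && [ -f "$1/arch-audit.timer" ] &&
    grep -q '^OnCalendar=daily$' "$1/arch-audit.timer" &&
    grep -q "^ExecStart=$ARCH_AUDIT_BIN\$" "$1/arch-audit.service"
}

# On the installed system (as root) an installer would follow this with:
#   write_arch_audit_units /etc/systemd/system
#   systemctl daemon-reload && systemctl enable --now arch-audit.timer
# Offline demonstration into a temporary directory:
demo_dir=$(mktemp -d)
write_arch_audit_units "$demo_dir"
arch_audit_units_ok "$demo_dir" && echo "unit files written to $demo_dir"
rm -rf "$demo_dir"
```

`Persistent=true` makes a missed run (machine powered off at the scheduled time) fire at the next boot, and `RandomizedDelaySec` spreads the load on the security tracker across a fleet of machines.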
This project is licensed under the MIT License. See the LICENSE file for details.
Note: Arch Linux is a highly customizable, lightweight, and rolling-release distribution suitable for experienced users who want complete control over their system. These scripts aim to automate the installation and hardening process, but reviewing and understanding the configurations is essential to ensure they meet your security requirements.
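In that spirit, the following added example (not part of the AwesomeArchLinux scripts) shows a few checks that confirm settings from the list above are actually in effect on the installed system: the hardening kernel parameters on the command line, the module configuration that keeps `dccp`, `sctp`, `rds` and `tipc` from loading (assumed to use `install <module> /bin/true` lines, which unlike `blacklist` also stop on-demand loading), the mode of sensitive files such as `/etc/shadow`, and the `UMASK 027` setting in `/etc/login.defs`. Every function takes its input as an argument and `demo` feeds constructed samples, so the block runs offline; on a real system pass `"$(cat /proc/cmdline)"`, `/etc/modprobe.d/disable-protocols.conf`, `/etc/login.defs` and the real file paths instead. The mode `600` used for the sample shadow file is the Arch default, not a value taken from the scripts.

```shell
# Added example, not part of the AwesomeArchLinux scripts: helpers that verify a
# few of the hardening settings listed in the README actually took effect on
# the installed system. Each function takes its input as an argument, so the
# same code runs against /proc/cmdline, /etc/modprobe.d/disable-protocols.conf,
# /etc/login.defs and real files, or against the constructed samples in demo.

# Kernel parameters named in the README (a subset; extend as needed).
REQUIRED_CMDLINE="slab_nomerge init_on_alloc=1 pti=on"
# Protocols the installer disables via modprobe.
PROTOCOLS="dccp sctp rds tipc"

# Print the required kernel parameters missing from the cmdline text in $1.
# Returns 0 when none are missing.
missing_cmdline_params() {
  padded=" $1 "
  missing=""
  for p in $REQUIRED_CMDLINE; do
    case "$padded" in
      *" $p "*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Print the protocols in $PROTOCOLS that the modprobe config file $1 does not
# neutralise with an "install <module> /bin/true" (or /bin/false) line.
# A plain "blacklist" line only stops alias-based autoloading, so it is not
# accepted here. Returns 0 when every protocol is covered.
unblocked_protocols() {
  conf="$1"
  missing=""
  for m in $PROTOCOLS; do
    if ! grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$conf"; then
      missing="$missing $m"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Compare the octal mode of file $1 with the expected mode $2 (e.g. 600).
# Uses GNU stat as shipped on Arch.
check_mode() {
  actual=$(stat -c '%a' "$1") || return 1
  [ "$actual" = "$2" ]
}

# Print the UMASK value set in the login.defs-style file $1 (last one wins, as
# in login.defs itself) and return 0 if it is 027, the value the scripts apply.
umask_is_027() {
  value=$(awk '$1 == "UMASK" { v = $2 } END { print v }' "$1")
  printf '%s\n' "$value"
  [ "$value" = "027" ]
}

# Offline demonstration with constructed inputs.
demo() {
  tmp=$(mktemp -d)
  # constructed cmdline with one hardening parameter missing
  missing_cmdline_params "root=/dev/mapper/vg-root rw slab_nomerge pti=on quiet" \
    || echo "  ^ kernel parameters missing from the sample cmdline"
  # constructed modprobe config: sctp is only blacklisted, not install-blocked
  printf 'install dccp /bin/true\nblacklist sctp\ninstall rds /bin/true\ninstall tipc /bin/true\n' \
    > "$tmp/disable-protocols.conf"
  unblocked_protocols "$tmp/disable-protocols.conf" \
    || echo "  ^ protocols still loadable on demand"
  # constructed shadow file with the expected mode
  : > "$tmp/shadow"; chmod 600 "$tmp/shadow"
  check_mode "$tmp/shadow" 600 && echo "sample shadow mode is 600" || echo "sample shadow mode is wrong"
  # constructed login.defs fragment (later UMASK overrides the earlier one)
  printf 'UMASK 022\nUMASK 027\n' > "$tmp/login.defs"
  umask_is_027 "$tmp/login.defs" || echo "  ^ UMASK is not 027"
  rm -rf "$tmp"
}

demo
```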