From 59a68436f8c03f83a25c17381abec32d3d2c3fde Mon Sep 17 00:00:00 2001 From: Lightemerald Date: Sun, 7 Dec 2025 17:32:11 +0100 Subject: [PATCH] slight improvement and fix --- arch-hardening.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch-hardening.sh b/arch-hardening.sh index 051f8d7..ec304b2 100644 --- a/arch-hardening.sh +++ b/arch-hardening.sh @@ -14,6 +14,7 @@ EOL # [LOGG-2154] Ensure system log is configured to send logs to a remote log server sudo pacman -S --noconfirm --needed syslog-ng +sudo systemctl enable --now syslog-ng@default.service # [USB-3000] Ensure USBGUARD is installed and configured sudo pacman -S --noconfirm --needed usbguard @@ -60,9 +61,8 @@ sudo systemctl enable --now clamav-daemon # [FINT-4350] Install a file integrity tool sudo pacman -S --noconfirm --needed aide sudo aide --init -sudo aide --update -sudo systemctl enable --now aidecheck.timer sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz +sudo systemctl enable --now aidecheck.timer # [FIRE-45XX] Firewall configuration # remove iptables if installed @@ -100,7 +100,7 @@ sudo tee /etc/sysctl.d/99-hardened.conf > /dev/null <<'EOL' kernel.randomize_va_space = 2 kernel.kptr_restrict = 2 kernel.unprivileged_bpf_disabled = 1 -kernel.modules_disabled = 1 +#kernel.modules_disabled = 1 # Uncomment to disable module loading entirely at your own risk kernel.sysrq = 0 kernel.core_uses_pid = 1 @@ -171,7 +171,7 @@ sudo mount -o remount /tmp # [FILE-6430] Disable mounting of some filesystems sudo tee /etc/modprobe.d/fs_blacklist.conf > /dev/null <