Adding a few more hardening settings

arch-hardening.sh

@@ -22,6 +22,10 @@ sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
 sudo sed -i 's/^PresentControllerPolicy=.*/PresentControllerPolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf
 sudo systemctl enable --now usbguard
 
+# [NETW-3032] Checking for ARP monitoring software
+sudo pacman -S --noconfirm --needed arpwatch
+sudo systemctl enable --now arpwatch
+
 # [NETW-3200] Disable unused network protocols
 sudo tee /etc/modprobe.d/network-protocols-disable.conf > /dev/null <<EOL
 # Disable unnecessary network protocols to reduce attack surface
@@ -79,9 +83,21 @@ EOL
 
 # [TOOL-5190] Ensure IDS/IPS tools are installed
 sudo pacman -S --noconfirm --needed snort
+sudo systemctl enable --now snort
 
 # [KRNL-5820] Disable core dumps
-sudo mkdir /etc/security/limits.d/
+
+# Disable coredump handling in systemd's coredump configuration and mask units
+sudo mkdir -p /etc/systemd/coredump.conf.d
+sudo tee /etc/systemd/coredump.conf.d/99-disable-coredumps.conf > /dev/null <<'EOL'
+[Coredump]
+# Prevent any core file data being stored and limit accepted size to 0
+ProcessSizeMax=0
+Storage=none
+EOL
+sudo systemctl daemon-reload
+
+sudo mkdir -p /etc/security/limits.d/
 sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
 # Disable core dumps for ALL users
 # The format is: <domain> <type> <item> <value>
@@ -254,6 +270,34 @@ sudo chmod 700 /etc/cron.hourly
 sudo pacman -S --noconfirm --needed rng-tools
 sudo systemctl enable --now rngd
 
+# [CRYP-8005] Presence of software pseudo random number generator
+sudo pacman -S --noconfirm --needed haveged
+sudo systemctl enable --now haveged
+
+# [CRYP-8006] Ensure MemoryOverwriteRequest-bit set
+sudo tee /usr/lib/systemd/system-shutdown/mor-bit-wipe.sh > /dev/null <<'EOL'
+#!/bin/bash
+
+# Path to the MemoryOverwriteRequestControl UEFI variable
+MOR_VAR_PATH="/sys/firmware/efi/efivars/MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829"
+
+# Check if the UEFI variable path exists
+if [ -e "$MOR_VAR_PATH" ]; then
+    # The expected format is: Attributes (4 bytes) + Value (1 byte for MOR state)
+    # We need to write 5 bytes in total: 0x07 0x00 0x00 0x00 (Attributes) + 0x01 (MOR-bit set)
+
+    # Use printf to create the necessary 5-byte data and write it to the variable
+    # 0x01 means MOR is SET (request memory wipe)
+    printf "\x07\x00\x00\x00\x01" | dd of="$MOR_VAR_PATH" bs=5 count=1 conv=notrunc >/dev/null 2>&1
+
+    # Log the action (optional, for debugging/audit logs)
+    echo "$(date) - Successfully set MOR-bit (MemoryOverwriteRequestControl) for next boot memory wipe." >> /var/log/mor-wipe.log
+fi
+
+exit 0
+EOL
+sudo chmod +x /usr/lib/systemd/system-shutdown/mor-bit-wipe.sh
+
 # [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
 sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
 sudo sed -i 's/^#SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
@@ -286,6 +330,13 @@ else
     echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
 fi
 
+# [AUTH-9408] Logging of failed login attempts is enabled
+if sudo grep FAILLOG_ENAB /etc/login.defs; then
+    sudo sed -i 's/^FAILLOG_ENAB .*/FAILLOG_ENAB yes/' /etc/login.defs
+else
+    echo 'FAILLOG_ENAB yes' | sudo tee -a /etc/login.defs > /dev/null
+fi
+
 # [ACCT-9622] Enable process accounting
 sudo pacman -S --noconfirm --needed acct
 sudo systemctl enable --now acct