path: root/assets/security-and-hardening-recommendations.txt
blob: 22a0c53ec7a382b3cdb0030f2f7ba9ae34ae57fe (plain)
# Security and Hardening Recommendations for archsetup

These recommendations come from the install-archzfs base install.
The base system is minimal - archsetup should handle hardening.

## SSH Hardening (Priority: High)

If SSH was enabled during install (for headless servers), sshd accepts
password authentication, and root is the only account at that point.
archsetup should:

1. Install and configure fail2ban
   - pacman -S fail2ban
   - Enable the sshd jail with backend = systemd (sshd logs to the journal on
     Arch; there is no /var/log/auth.log for the file backend to read)
   - Configure ban times (suggested: 10m first offense, escalating on repeat
     offenders via bantime.increment = true)
   - Set banaction to match the firewall chosen below (nftables-multiport for
     nftables, firewallcmd-rich-rules for firewalld)

2. Switch to key-based authentication
   - Prompt user for SSH public key or generate keypair (ssh-keygen -t ed25519)
   - Install the key in authorized_keys and confirm a key login works from a
     second session BEFORE disabling passwords; a headless box with no working
     key and no password auth is unreachable
   - Disable password authentication, preferably in a drop-in under
     /etc/ssh/sshd_config.d/ rather than by editing sshd_config itself:
     PasswordAuthentication no
     KbdInteractiveAuthentication no
     PermitRootLogin prohibit-password (or 'no' for desktop)
   - sshd uses the first value it sees for a keyword, so the Include for
     sshd_config.d/ must come before any conflicting line in sshd_config;
     check with sshd -t and sshd -T | grep -i passwordauthentication

3. Consider changing the default SSH port (optional). This is obscurity, not a
   control: it cuts log noise from mass scanners but does nothing against a
   targeted attacker, and the firewall and fail2ban rules must be updated to
   match the new port.
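
As an added worked example (not code from install-archzfs or archsetup), the
script below applies steps 1 and 2 as files: an sshd drop-in that turns
passwords off, the authorized key installed first, and a fail2ban jail.local
with escalating bans. The drop-in file names, the --apply interface and the
root-prefix argument are this example's own choices; with no arguments it only
defines functions, so it can be exercised against a scratch prefix before
touching /.

```shell
#!/bin/sh
# Added example for this page (not code from install-archzfs or archsetup).
# Every function takes a root prefix so it can be tried against a scratch
# directory; "--apply" writes to / and must run as root.
set -eu

# sshd uses the FIRST value it sees for a keyword, so a drop-in only wins if
# the main file includes sshd_config.d/ before its own settings. Arch's
# packaged sshd_config does; this prepends the Include for files that do not.
ensure_sshd_include() {   # $1: root prefix
    cfg=$1/etc/ssh/sshd_config
    mkdir -p "${cfg%/*}"; touch "$cfg"
    if ! grep -q '^Include /etc/ssh/sshd_config.d/\*\.conf' "$cfg"; then
        { echo 'Include /etc/ssh/sshd_config.d/*.conf'; cat "$cfg"; } > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    fi
}

write_sshd_dropin() {   # $1: root prefix, $2: PermitRootLogin (prohibit-password|no)
    mkdir -p "$1/etc/ssh/sshd_config.d"
    cat > "$1/etc/ssh/sshd_config.d/10-hardening.conf" <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin ${2:-prohibit-password}
MaxAuthTries 3
EOF
}

# Approximation of sshd's first-match rule for global keywords (Match blocks
# are ignored); on the real host confirm with: sshd -T | grep -i passwordauth
effective_sshd_value() {   # $1: root prefix, $2: keyword (case-insensitive)
    for f in "$1"/etc/ssh/sshd_config.d/*.conf "$1/etc/ssh/sshd_config"; do
        [ -f "$f" ] || continue
        v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Install the key BEFORE passwords are disabled, or a headless box is lost.
# Idempotent: the same key line is not appended twice.
install_authorized_key() {   # $1: home directory, $2: public key line
    mkdir -p "$1/.ssh"; chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"; chmod 600 "$1/.ssh/authorized_keys"
    grep -qxF "$2" "$1/.ssh/authorized_keys" || printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# 10 minute first ban; with bantime.increment the default formula doubles the
# ban on each repeat, capped here at a week. sshd logs to the journal on Arch,
# so the systemd backend is required. banaction must match the firewall in
# use (firewallcmd-rich-rules for firewalld).
write_fail2ban_jail() {   # $1: root prefix
    mkdir -p "$1/etc/fail2ban"
    cat > "$1/etc/fail2ban/jail.local" <<'EOF'
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
bantime.increment = true
bantime.maxtime = 1w
banaction = nftables-multiport
banaction_allports = nftables-allports

[sshd]
enabled = true
backend = systemd
EOF
}

case "${1:-}" in
--apply)   # usage: harden-ssh.sh --apply HOME 'ssh-ed25519 AAAA... user@host'
    install_authorized_key "$2" "$3"
    ensure_sshd_include /
    write_sshd_dropin / prohibit-password
    sshd -t                          # refuse to reload a broken config
    systemctl reload sshd            # keep the current session open while testing
    pacman -S --needed --noconfirm fail2ban
    write_fail2ban_jail /
    systemctl enable --now fail2ban
    ;;
esac
```

Run it as root from an existing session and verify that a second, key-based
login succeeds before closing that session. sshd -T shows the value sshd
actually resolved, including any Match blocks the helper above ignores.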

## Firewall (Priority: High)

Base install has no firewall configured. Options:

1. firewalld (recommended for most users)
   - pacman -S firewalld
   - systemctl enable --now firewalld
   - Default zone should block incoming except SSH (the public zone is the
     default and permits ssh and dhcpv6-client; verify with
     firewall-cmd --list-all)

2. nftables (for advanced users)
   - Already installed as iptables backend
   - Needs manual configuration: write /etc/nftables.conf with a default-drop
     input chain, then systemctl enable --now nftables
   - Run only one of firewalld, nftables.service or ufw; each manages the
     ruleset and nftables.service starts with flush ruleset

3. ufw (simpler alternative)
   - pacman -S ufw
   - Good for users coming from Ubuntu
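
Added example for option 2 (not a file from install-archzfs or archsetup): a
default-deny /etc/nftables.conf that implements "block incoming except SSH",
plus a sanity check that runs without nft installed. The SSH port argument, the
rate limit and the --apply wrapper are the example's own choices.

```shell
#!/bin/sh
# Added example (not from install-archzfs or archsetup). Functions take a root
# prefix so the file can be generated and checked without touching /.
set -eu

write_nftables_conf() {   # $1: root prefix, $2: SSH port (default 22)
    mkdir -p "$1/etc"
    cat > "$1/etc/nftables.conf" <<EOF
#!/usr/bin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # New SSH connections. This limit is host-wide, not per source: it blunts
        # floods, while banning individual offenders is fail2ban's job.
        tcp dport ${2:-22} ct state new limit rate 6/minute burst 10 packets accept

        # Everything else falls to the drop policy; log a sample for debugging.
        limit rate 5/minute log prefix "nft input drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Sanity check without nft: the input chain must default to drop and the SSH
# port must be the only dport accepted. Returns 1 on any violation.
check_default_deny() {   # $1: path to nftables.conf, $2: expected SSH port
    awk -v port="$2" '
        /chain input/             { in_input = 1 }
        in_input && /policy drop/ { drop = 1 }
        in_input && /^ *}/        { in_input = 0 }
        /tcp dport/ && /accept/   { n++; if ($3 != port) bad = 1 }
        END { exit (drop && n == 1 && !bad) ? 0 : 1 }
    ' "$1"
}

case "${1:-}" in
--apply)   # usage: firewall.sh --apply [ssh-port]; run as root
    pacman -S --needed --noconfirm nftables
    write_nftables_conf / "${2:-22}"
    nft -c -f /etc/nftables.conf          # syntax check before loading
    systemctl enable --now nftables       # do not also run firewalld or ufw
    nft list ruleset
    ;;
esac
```

If the SSH port was moved (item 3 of the SSH section), pass the same port
here and in fail2ban; a firewall that still opens 22 while sshd listens
elsewhere is the usual way to lock yourself out.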

## ZFS-Specific Recommendations

1. Sanoid/Syncoid for automated snapshots
   - sanoid is in the AUR, not the official repositories; build it with
     makepkg (or an AUR helper) rather than pacman -S sanoid
   - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention, then
     systemctl enable --now sanoid.timer
   - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m

2. ZFS scrub timer
   - OpenZFS ships templated units; the instance name is the pool:
     systemctl enable --now zfs-scrub-weekly@<pool>.timer
   - Or zfs-scrub-monthly@<pool>.timer for large pools
   - One timer per pool; a plain zfs-scrub-weekly.timer without an instance
     does not exist

3. ZED (ZFS Event Daemon) email alerts
   - Configure /etc/zfs/zed.d/zed.rc
   - Set ZED_EMAIL_ADDR for pool health notifications; ZED_EMAIL_PROG (default
     mail) needs a mail command and a working MTA such as msmtp-mta or
     postfix, otherwise alerts are silently lost
   - Set ZED_NOTIFY_VERBOSE=1 so successful scrubs are mailed too; silence
     then means the mail path is broken rather than that the pool is healthy
   - systemctl enable --now zfs-zed

4. Consider zfs-auto-snapshot (also from the AUR) as an alternative to sanoid
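
Added example (not from install-archzfs or archsetup) tying items 1 to 3
together: it generates sanoid.conf with the suggested policy, derives the
per-pool scrub timer unit names, and sets the ZED mail variables in place.
Dataset and pool names, the e-mail address, and the assumption that the AUR
sanoid package ships sanoid.timer are the example's own.

```shell
#!/bin/sh
# Added example (not from install-archzfs or archsetup). Dataset and pool
# names are arguments; the ones in the usage lines are placeholders.
set -eu

# sanoid.conf with the suggested retention: 24 hourlies, 7 dailies, 12 monthlies.
write_sanoid_conf() {   # $1: root prefix, $2...: datasets to snapshot recursively
    root=$1; shift
    mkdir -p "$root/etc/sanoid"
    {
        for ds in "$@"; do
            printf '[%s]\n    use_template = production\n    recursive = yes\n\n' "$ds"
        done
        cat <<'EOF'
[template_production]
    frequently = 0
    hourly = 24
    daily = 7
    monthly = 12
    yearly = 0
    autosnap = yes
    autoprune = yes
EOF
    } > "$root/etc/sanoid/sanoid.conf"
}

# OpenZFS ships templated zfs-scrub-weekly@.timer and zfs-scrub-monthly@.timer;
# the instance is the pool, so each pool gets its own timer.
scrub_timer_unit() {   # $1: weekly|monthly, $2: pool
    printf 'zfs-scrub-%s@%s.timer\n' "$1" "$2"
}

# Set KEY="value" in a shell-style rc file, replacing a commented or live line
# in place so the file keeps its documentation; append if the key is absent.
set_shell_var() {   # $1: file, $2: key, $3: value (no | & or \ in the value)
    touch "$1"
    if grep -Eq "^#? *$2=" "$1"; then
        sed -i -E "s|^#? *$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

get_shell_var() {   # $1: file, $2: key; prints the unquoted value
    sed -nE "s|^$2=\"?([^\"]*)\"?|\1|p" "$1"
}

# ZED mails through ZED_EMAIL_PROG, so a mail command and a working MTA must
# exist or alerts go nowhere. ZED_NOTIFY_VERBOSE=1 also mails successful
# scrubs, so silence means the mail path is broken, not that the pool is fine.
configure_zed_mail() {   # $1: root prefix, $2: address
    rc=$1/etc/zfs/zed.d/zed.rc
    mkdir -p "${rc%/*}"
    set_shell_var "$rc" ZED_EMAIL_ADDR "$2"
    set_shell_var "$rc" ZED_EMAIL_PROG mail
    set_shell_var "$rc" ZED_NOTIFY_VERBOSE 1
}

case "${1:-}" in
--apply)   # usage: zfs-maint.sh --apply admin@example.org zroot/ROOT ...; run as root
    addr=$2; shift 2
    write_sanoid_conf / "$@"               # sanoid itself is built from the AUR first
    systemctl enable --now sanoid.timer
    for pool in $(zpool list -H -o name); do
        systemctl enable --now "$(scrub_timer_unit weekly "$pool")"
    done
    configure_zed_mail / "$addr"
    systemctl enable --now zfs-zed
    ;;
esac
```

After applying, send a test message through the same MTA (for example
with the mail command ZED will use) so the first notice you rely on is not
the first one ever attempted.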

## User Account Setup

Base install only has root. archsetup should, in this order:

1. Create primary user account with sudo access (useradd -m -G wheel, enable
   the %wheel rule in a /etc/sudoers.d/ drop-in, validate with visudo -c)
2. Verify that the new user can actually run sudo before touching root
3. Lock root for direct login (passwd -l root; sudo only). sulogin then
   refuses the rescue/emergency shell unless SYSTEMD_SULOGIN_FORCE=1 is in
   its environment (for example via systemd.setenv= on the kernel line), so
   recovery otherwise means a live ISO.
4. Configure sudo timeout and logging (Defaults timestamp_timeout, logfile)
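
Added example (not code from install-archzfs or archsetup) for the account
steps: a sudoers drop-in for wheel with timeout and logging, and a guard that
refuses to lock root while no non-root user is a member of wheel. The user
name admin and the file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from install-archzfs or archsetup). Functions take a root
# prefix; only "--apply" changes real accounts and must run as root.
set -eu

write_sudoers_dropin() {   # $1: root prefix
    mkdir -p "$1/etc/sudoers.d"
    f=$1/etc/sudoers.d/10-archsetup
    cat > "$f" <<'EOF'
%wheel ALL=(ALL:ALL) ALL
Defaults timestamp_timeout=5
Defaults passwd_tries=3
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
EOF
    chmod 0440 "$f"    # sudo ignores world-writable drop-ins and names containing . or ~
}

# /etc/group lines look like wheel:x:998:user1,user2. True if some user other
# than root is in wheel.
has_wheel_member() {   # $1: path to a group file
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") ok = 1 }
             END { exit ok ? 0 : 1 }' "$1"
}

# Locking root leaves sudo as the only administrative path, so never lock
# before a sudo-capable user is confirmed. Only touches root when prefix is /.
lock_root_if_safe() {   # $1: root prefix
    if ! has_wheel_member "$1/etc/group"; then
        echo "refusing to lock root: no non-root member of wheel" >&2
        return 1
    fi
    if [ "$1" = / ]; then passwd -l root; else echo "dry run: would lock root"; fi
}

case "${1:-}" in
--apply)   # usage: users.sh --apply admin; run as root on a console
    useradd -m -G wheel -s /bin/bash "$2"
    passwd "$2"
    write_sudoers_dropin /
    visudo -cf /etc/sudoers.d/10-archsetup     # a bad drop-in breaks all of sudo
    su - "$2" -c 'sudo -v'                     # prove sudo works before cutting root off
    lock_root_if_safe /
    ;;
esac
```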

## Package Manager Hardening

1. Package signature verification is a SigLevel setting in pacman.conf, not a
   hook; the default (SigLevel = Required DatabaseOptional) is already correct
   - Check that third-party repositories such as archzfs are not added with
     SigLevel = Never or TrustAll; import and locally sign the repository key
     with pacman-key --recv-keys / --lsign-key instead

2. Consider enabling reflector.timer
   - Keeps mirrorlist updated with fastest/most recent mirrors; prefer
     --protocol https (packages are signed either way, but stale mirrors and
     plaintext downloads are avoidable)

3. Install pacman-contrib for paccache
   - Configure paccache.timer to clean old package cache
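
Added example (not code from install-archzfs or archsetup): an audit of
pacman.conf for sections where SigLevel has been weakened, which is the one
place where "already default" stops being true. The configuration in the test
is constructed, and the key id in the fix hint is a placeholder.

```shell
#!/bin/sh
# Added example (not from install-archzfs or archsetup).
set -eu

# Prints "section: SigLevel value" for every section whose SigLevel contains
# Never or TrustAll, whether [options] or a repository; exit 1 if any found.
weak_siglevels() {   # $1: path to pacman.conf
    awk '
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            s = $0; gsub(/[[:space:]]/, "", s)
            section = substr(s, 2, length(s) - 2); next
        }
        /^[[:space:]]*SigLevel[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            if ($0 ~ /Never|TrustAll/) { print section ": " $0; weak = 1 }
        }
        END { exit weak ? 1 : 0 }
    ' "$1"
}

case "${1:-}" in
--apply)   # usage: pacman-audit.sh --apply; run as root
    if ! weak_siglevels /etc/pacman.conf; then
        echo "fix: remove SigLevel = Never/TrustAll and trust the repo key instead:" >&2
        echo "  pacman-key --recv-keys <key-id> && pacman-key --lsign-key <key-id>" >&2
        exit 1
    fi
    pacman -S --needed --noconfirm reflector pacman-contrib
    systemctl enable --now reflector.timer paccache.timer
    ;;
esac
```

Run the audit again after adding any repository; a SigLevel = Never left
over from a quick-start guide means every package from that repository is
installed without any signature check.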

## Automatic Updates (Optional)

For servers that need unattended security updates:
- Consider pacman-auto-update or similar
- Arch has no security-only update channel, so any unattended job is a full
  -Syu; watch the Arch news feed for manual-intervention notices
- ZFS pre-pacman snapshots (already in install-archzfs) make this safer,
  because a broken upgrade can be rolled back to the snapshot

## AppArmor/SELinux (Optional, Advanced)

For high-security environments:
- AppArmor is easier: pacman -S apparmor, then systemctl enable --now apparmor
- Requires a kernel parameter, but lsm=apparmor on its own drops the other
  stacked LSMs (landlock, lockdown, yama); use the full list:
  lsm=landlock,lockdown,yama,integrity,apparmor,bpf
- Confirm with cat /sys/kernel/security/lsm and aa-status
- SELinux is not supported by the official kernel and packages; it needs the
  unofficial builds from the AUR and is a much larger undertaking

## Misc Recommendations

1. Enable time sync: systemd-timesyncd ships with systemd
   (systemctl enable --now systemd-timesyncd), or install chrony for a full
   NTP daemon. Accurate time matters for TLS certificate validation and for
   correlating logs across hosts.

2. Configure journald retention
   - /etc/systemd/journald.conf (or a drop-in under journald.conf.d/)
   - Storage=persistent so logs survive reboots
   - SystemMaxUse=500M (or appropriate for system)

3. Disable core dumps (optional; dumps can contain secrets from process memory)
   - /etc/security/limits.conf: * hard core 0 covers PAM login sessions only
   - On a systemd system kernel.core_pattern pipes crashes to systemd-coredump
     regardless of limits.conf, so also set Storage=none in
     /etc/systemd/coredump.conf, DefaultLimitCORE=0 in
     /etc/systemd/system.conf, and fs.suid_dumpable=0 via sysctl

4. Install lynis for security auditing
   - pacman -S lynis
   - Run: lynis audit system
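
Added example (not code from install-archzfs or archsetup) for items 2 and
3: the journald retention and core-dump settings as drop-ins under
/etc/systemd, and a resolver that reads them back with systemd's
last-assignment-wins rule. The drop-in file names and the MaxRetentionSec
value are the example's own choices.

```shell
#!/bin/sh
# Added example (not from install-archzfs or archsetup). Paths are relative to
# a root prefix; "--apply" writes to / and must run as root.
set -eu

write_journald_dropin() {   # $1: root prefix, $2: SystemMaxUse (default 500M)
    mkdir -p "$1/etc/systemd/journald.conf.d"
    cat > "$1/etc/systemd/journald.conf.d/10-retention.conf" <<EOF
[Journal]
Storage=persistent
SystemMaxUse=${2:-500M}
MaxRetentionSec=3month
EOF
}

# limits.conf alone does not stop dumps on a systemd system: kernel.core_pattern
# hands every crash to systemd-coredump, and services never pass through PAM.
# Set each layer: coredump storage, the manager's default limit, PAM sessions
# and setuid dumps.
write_coredump_policy() {   # $1: root prefix
    for d in systemd/coredump.conf.d systemd/system.conf.d security/limits.d sysctl.d; do
        mkdir -p "$1/etc/$d"
    done
    printf '[Coredump]\nStorage=none\nProcessSizeMax=0\n' > "$1/etc/systemd/coredump.conf.d/10-disable.conf"
    printf '[Manager]\nDefaultLimitCORE=0\n'              > "$1/etc/systemd/system.conf.d/10-coredump.conf"
    printf '* hard core 0\n'                              > "$1/etc/security/limits.d/10-coredump.conf"
    printf 'fs.suid_dumpable = 0\n'                       > "$1/etc/sysctl.d/10-coredump.conf"
}

# systemd reads <conf>, then <conf>.d/*.conf in lexical order, and the LAST
# assignment of a key wins (the opposite of sshd's first-match rule). Only
# /etc is consulted here; /usr/lib and /run drop-ins are ignored.
effective_systemd_value() {   # $1: root prefix, $2: journald.conf|coredump.conf|system.conf, $3: key
    val=""
    for f in "$1/etc/systemd/$2" "$1/etc/systemd/$2.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -nE "s/^$3=(.*)$/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    if [ -n "$val" ]; then printf '%s\n' "$val"; else return 1; fi
}

case "${1:-}" in
--apply)   # usage: logging.sh --apply [journal-size]; run as root
    write_journald_dropin / "${2:-500M}"
    write_coredump_policy /
    systemctl restart systemd-journald
    sysctl --system
    systemctl daemon-reexec       # picks up DefaultLimitCORE for new services
    ;;
esac
```

Check the result with journalctl --disk-usage and, for core dumps, by
crashing a throwaway process (for example sleep 60 & then kill -SEGV on it)
and confirming coredumpctl list shows the crash but no stored dump.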

## Desktop-Specific (if applicable)

1. Consider firejail for sandboxing applications
2. Install a password manager (pass, keepassxc)
3. Configure automatic screen lock

## Server-Specific (if applicable)

1. Install and configure logwatch for daily log summaries; logrotate only
   matters for services that write their own files outside the journal, since
   journald rotates itself
2. Consider setting up centralized logging
3. Install monitoring (prometheus node_exporter, netdata, etc.)

---
Generated by install-archzfs build system
These are recommendations - implement based on your security requirements.