thacoon's Blog

Arch Linux install hardened kernel

· thacoon

Why?

Hardening is a process that reduces the surface of vulnerability. It does not change the access controls or fix any specific bugs, but hardening the kernel can prevent many forms of attack. Hardening can be achieved by disabling unnecessary services and daemons, closing all unnecessary ports, using more restrictive system rules and so on. The default hardened Linux kernel for Arch uses more security-focused compile-time configuration options than the default linux kernel. For example, it forbids access to kernel logs for certain users, it has the ability to hide other users' processes, it uses an improved implementation of Address Space Layout Randomization for userspace processes, …

And it is really simple to install.

6, 5, 4, … hardened kernel

  1. Install the hardened kernel and hardened kernel headers

    $ sudo pacman -S linux-hardened linux-hardened-headers

  2. Check that initramfs-linux-hardened.img and initramfs-linux-hardened-fallback.img exist.

    $ ls -lsha /boot

  3. Recreate the ramdisk environment with the hardened kernel selected.

    $ sudo mkinitcpio -p linux-hardened

  4. Update the grub config.

    $ sudo grub-mkconfig -o /boot/grub/grub.cfg

  5. Optionally: Remove the default kernel. This step is not needed, as GRUB should automatically load the hardened kernel and you can choose between the default and the hardened kernel while booting.

    $ sudo pacman -R linux linux-headers

  6. Reboot
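
A small check script for steps 2 to 4 and for the state after the reboot, as an added example that is not part of the original post. It assumes the kernel image is installed as vmlinuz-linux-hardened next to the initramfs images and that the release string of the running hardened kernel contains "hardened"; the function names and the script name are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: checks for the install steps above (function names are illustrative).

# Print every problem found in the boot directory; return non-zero if any.
check_boot_dir() {
    local boot_dir="${1:-/boot}" rc=0 f
    for f in vmlinuz-linux-hardened \
             initramfs-linux-hardened.img \
             initramfs-linux-hardened-fallback.img; do
        # -s: exists and is not empty (catches an interrupted mkinitcpio run)
        if [ ! -s "$boot_dir/$f" ]; then
            echo "missing or empty: $boot_dir/$f"
            rc=1
        fi
    done
    # grub-mkconfig should have written a menu entry that loads the new image
    if ! grep -q 'vmlinuz-linux-hardened' "$boot_dir/grub/grub.cfg" 2>/dev/null; then
        echo "no linux-hardened entry in $boot_dir/grub/grub.cfg"
        rc=1
    fi
    return "$rc"
}

# Succeed only if a kernel release string (uname -r) names a hardened build.
is_hardened_release() {
    case "$1" in
        *hardened*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when asked to, so the functions can also be sourced and reused.
if [ "${1:-}" = "--check" ]; then
    status=0
    check_boot_dir /boot || status=1
    if is_hardened_release "$(uname -r)"; then
        echo "running hardened kernel: $(uname -r)"
    else
        echo "not running a hardened kernel yet: $(uname -r)"
        status=1
    fi
    exit "$status"
fi
```

Run it as `sudo sh check-hardened.sh --check` before rebooting and again afterwards; root is used because grub.cfg may be readable by root only.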

Troubleshooting

VirtualBox

The virtualbox-host-modules-arch package is only compatible with the default linux kernel, but you can install the DKMS version instead, which builds the host modules against the linux-hardened-headers installed in step 1. First remove VirtualBox:

    $ sudo pacman -R virtualbox virtualbox-host-modules-arch

Then reinstall it, this time with the DKMS version:

    $ sudo pacman -S virtualbox virtualbox-host-dkms

#arch #linux #security #kernel
