Hardening CachyOS

Here’s a CachyOS minimal-hardening security script and checklist you can apply immediately. It’s designed to keep the system fast, secure, and minimal, without installing unnecessary antivirus software. Delete any lines you do not want to execute, or comment them out by prefixing them with the comment character (#), the same way the existing comments are written.

You can save this as cachyos-security.sh and run it with sudo bash cachyos-security.sh.


#!/bin/bash
# CachyOS Minimal Security Hardening Script
# Applies firewall, service hardening, updates, and optional sandboxing
# WARNING: Review before running; adjust services as needed.

# Everything below needs root (run as: sudo bash cachyos-security.sh)
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root, e.g. sudo bash $0" >&2
    exit 1
fi

echo "=== CachyOS Security Hardening Script ==="

# -------------------------------
# 1. Update system
# -------------------------------
echo "[*] Updating CachyOS / Arch packages..."
pacman -Syu --noconfirm

# -------------------------------
# 2. Install and configure firewall
# -------------------------------
echo "[*] Installing UFW firewall..."
pacman -S --needed --noconfirm ufw
systemctl enable --now ufw
ufw default deny incoming
ufw default allow outgoing
# --force skips the interactive "may disrupt existing ssh connections" prompt
ufw --force enable

# -------------------------------
# 3. Disable unnecessary services
# -------------------------------
echo "[*] Disabling unused services..."
# On Arch/CachyOS the OpenSSH unit is sshd, not ssh. cups and avahi-daemon also
# ship .socket units that can re-activate the service on demand, so stop those too.
SERVICES=("bluetooth" "cups" "cups.socket" "avahi-daemon" "avahi-daemon.socket" "sshd") # remove sshd if you need SSH
for svc in "${SERVICES[@]}"; do
    # a unit that is not installed is not an error here
    systemctl disable --now "$svc" 2>/dev/null || echo "  - $svc not present or already disabled"
done

# -------------------------------
# 4. Enable AppArmor (optional)
# -------------------------------
echo "[*] Installing AppArmor..."
pacman -S --needed --noconfirm apparmor
systemctl enable --now apparmor
# The service only loads profiles; confinement also requires the running kernel
# to have AppArmor as an active LSM (lsm= kernel parameter). Check with: aa-enabled

# -------------------------------
# 5. Browser advice (manual step)
# -------------------------------
echo "[!] Recommended browser steps:"
echo "  - Firefox: uBlock Origin + HTTPS-Only Mode + Arkenfox user.js"
echo "  - Chromium: uBlock Origin, disable remote debugging, avoid unknown extensions"
echo "  - Avoid running random scripts from unknown websites"
echo

# -------------------------------
# 6. SSH hardening (if used)
# -------------------------------
# Make sure your public key is already in ~/.ssh/authorized_keys before
# disabling password login, or you will lock yourself out.
SSH_CONFIG="/etc/ssh/sshd_config"
if systemctl is-active --quiet sshd; then
    echo "[!] Hardening SSH..."
    # match the directive whether it is commented out or already set to another value
    sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$SSH_CONFIG"
    sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$SSH_CONFIG"
    # append the directives if the file never mentioned them at all
    grep -qE '^PasswordAuthentication ' "$SSH_CONFIG" || echo "PasswordAuthentication no" >> "$SSH_CONFIG"
    grep -qE '^PermitRootLogin ' "$SSH_CONFIG" || echo "PermitRootLogin no" >> "$SSH_CONFIG"
    # validate the config before restarting so a bad edit cannot take sshd down
    if sshd -t; then
        systemctl restart sshd
        echo "  - SSH now key-only and root login disabled"
    else
        echo "  - $SSH_CONFIG failed validation; sshd NOT restarted, fix it manually" >&2
    fi
fi

# -------------------------------
# 7. Optional systemd sandboxing example
# -------------------------------
echo "[!] Example sandboxing:"
echo "  systemd-run --user --property=PrivateNetwork=yes --property=ProtectHome=yes <app>"

# -------------------------------
# 8. Summary
# -------------------------------
echo "[*] Done. Review browser, AUR, and manual steps."
echo "[*] Security hardening finished!"

Manual Checklist for CachyOS

  1. Firewall: Enabled (UFW) with default deny incoming.
  2. Services: Disable Bluetooth, CUPS, Avahi, SSH (unless used).
  3. AppArmor: Enabled for extra sandboxing.
  4. Browser:
    • Firefox: uBlock Origin, HTTPS-Only, Arkenfox user.js
    • Chromium: uBlock Origin, disable remote debugging
  5. AUR: Only install trusted, widely used packages. Avoid random scripts.
  6. Updates: Run sudo pacman -Syu regularly.
  7. SSH: Use keys, no password login, disable root login.
  8. Sandboxing (optional): systemd-run --property=... for risky apps.
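A quick way to confirm that the script and checklist actually took effect is to audit the resulting state rather than trust the script's own "finished" message. The helpers below are an added example, not part of the original post; they assume a stock Arch/CachyOS layout (sshd reads /etc/ssh/sshd_config, units are managed by systemctl) and the function names sshd_effective, check_sshd and units_still_enabled are my own. The sshd checker reproduces the rule that sshd uses the first uncommented occurrence of a directive and ignores later ones, which is exactly why a sed that only rewrites "#PasswordAuthentication yes" can leave a later "PasswordAuthentication yes" in force.

```shell
#!/bin/bash
# Audit helpers for the checklist above (added example, not from the original post).
# Assumptions: sshd reads /etc/ssh/sshd_config, units are managed by systemctl.
# Nothing here changes the system; it only reports.

# sshd_effective FILE KEY
# Print the value sshd will actually use for KEY. sshd takes the FIRST
# uncommented occurrence and ignores later ones, so "#PasswordAuthentication yes"
# followed by "PasswordAuthentication no" means "no". Returns 1 if KEY is unset.
sshd_effective() {
    local file="$1"
    awk -v key="$(tr '[:upper:]' '[:lower:]' <<<"$2")" '
        /^[[:space:]]*#/ { next }                    # comment lines never count
        { gsub(/=/, " ") }                            # accept the Key=value spelling too
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# check_sshd FILE
# Verify checklist item 7. When a directive is absent, OpenSSH defaults apply:
# PasswordAuthentication yes, PermitRootLogin prohibit-password.
check_sshd() {
    local file="$1" pa rl rc=0
    pa=$(sshd_effective "$file" PasswordAuthentication) || pa="yes"
    rl=$(sshd_effective "$file" PermitRootLogin) || rl="prohibit-password"
    [ "$pa" = "no" ] || { echo "FAIL: PasswordAuthentication is '$pa' (want no)"; rc=1; }
    [ "$rl" = "no" ] || { echo "FAIL: PermitRootLogin is '$rl' (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sshd is key-only and root login is disabled"
    return "$rc"
}

# units_still_enabled UNIT...
# Print every unit from checklist item 2 that is still enabled. systemctl
# is-enabled exits non-zero both for disabled and for unknown units, so the
# printed state is what matters: a unit that is not installed is not reported.
units_still_enabled() {
    local u state
    for u in "$@"; do
        state=$(systemctl is-enabled "$u" 2>/dev/null)
        case "$state" in
            enabled|enabled-runtime) echo "$u ($state)" ;;
        esac
    done
}

# Run the audit against the live system: sudo bash audit.sh --run
if [ "${1:-}" = "--run" ]; then
    check_sshd /etc/ssh/sshd_config
    echo "Units still enabled (expect none):"
    units_still_enabled bluetooth cups cups.socket avahi-daemon avahi-daemon.socket sshd
    echo "Firewall: $(ufw status 2>/dev/null | head -n 1)"   # expect "Status: active"
    echo -n "AppArmor active in kernel: "
    command -v aa-enabled >/dev/null && aa-enabled || echo "aa-enabled not installed"
fi
```

Run it after a reboot, since AppArmor's kernel-side state and the socket-activated units only settle then. If check_sshd reports a FAIL although the sshd_config edit looks right, look for an "Include /etc/ssh/sshd_config.d/*.conf" line near the top of the file: a drop-in included there is read first and wins.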

Licensed under CC BY-NC 4.0

DevOps viewpoints are those of its owner. You may share and adapt this article for non-commercial purposes, provided proper attribution is given. Attribution should include:

Title: Hardening CachyOS
Author: peter arthur martin
Original URL: https://www.woodcentral.com/-/peter/hardening-cachyos/
License: CC BY-NC 4.0
