{"id":1460,"date":"2025-12-09T19:47:56","date_gmt":"2025-12-09T19:47:56","guid":{"rendered":"https:\/\/www.woodcentral.com\/-\/peter\/?p=1460"},"modified":"2026-06-05T09:47:51","modified_gmt":"2026-06-05T09:47:51","slug":"hardening-cachyos","status":"publish","type":"post","link":"https:\/\/www.woodcentral.com\/-\/peter\/hardening-cachyos\/","title":{"rendered":"Hardening CachyOS"},"content":{"rendered":"\n

Here\u2019s a CachyOS minimal-hardening security script and checklist<\/strong> you can apply immediately. It\u2019s designed to keep the system fast, secure, and minimal, without installing unnecessary antivirus software. Either delete or use the comment character (#) to preface any lines you do not want to execute–similar to the existing comments.<\/p>\n\n\n\n

You can save this as cachyos-security.sh<\/code> and run it with sudo bash cachyos-security.sh<\/code>.<\/p>\n\n\n\n

\n\n\n\n
#!\/bin\/bash\n# CachyOS Minimal Security Hardening Script\n# Applies firewall, service hardening, updates, and optional sandboxing\n# WARNING: Review before running; adjust services as needed.\n\necho \"=== CachyOS Security Hardening Script ===\"\n\n# -------------------------------\n# 1. Update system\n# -------------------------------\necho \"[*] Updating CachyOS \/ Arch packages...\"\npacman -Syu --noconfirm\n\n# -------------------------------\n# 2. Install and configure firewall\n# -------------------------------\necho \"[*] Installing UFW firewall...\"\npacman -S --noconfirm ufw\nsystemctl enable --now ufw\nufw default deny incoming\nufw default allow outgoing\nufw enable\n\n# -------------------------------\n# 3. Disable unnecessary services\n# -------------------------------\necho \"[*] Disabling unused services...\"\nSERVICES=(\"bluetooth\" \"cups\" \"avahi-daemon\" \"ssh\") # adjust SSH if needed\nfor svc in \"${SERVICES[@]}\"; do\n    systemctl disable --now $svc\ndone\n\n# -------------------------------\n# 4. Enable AppArmor (optional)\n# -------------------------------\necho \"[*] Installing AppArmor...\"\npacman -S --noconfirm apparmor\nsystemctl enable --now apparmor\n\n# -------------------------------\n# 5. Browser advice (manual step)\n# -------------------------------\necho \"[!] Recommended browser steps:\"\necho \"  - Firefox: uBlock Origin + HTTPS-Only Mode + Arkenfox user.js\"\necho \"  - Chromium: uBlock Origin, disable remote debugging, avoid unknown extensions\"\necho \"  - Avoid running random scripts from unknown websites\"\necho\n\n# -------------------------------\n# 6. SSH hardening (if used)\n# -------------------------------\nSSH_CONFIG=\"\/etc\/ssh\/sshd_config\"\nif systemctl is-active --quiet sshd; then\n    echo \"[!] Hardening SSH...\"\n    sed -i 's\/^#PasswordAuthentication yes\/PasswordAuthentication no\/' $SSH_CONFIG\n    sed -i 's\/^#PermitRootLogin yes\/PermitRootLogin no\/' $SSH_CONFIG\n    systemctl restart sshd\n    echo \"  - SSH now key-only and root login disabled\"\nfi\n\n# -------------------------------\n# 7. Optional systemd sandboxing example\n# -------------------------------\necho \"[!] Example sandboxing:\"\necho \"  systemd-run --user --property=PrivateNetwork=yes --property=ProtectHome=yes <app>\"\n\n# -------------------------------\n# 8. Cleanup\n# -------------------------------\necho \"[*] Cleanup complete. Review browser, AUR, and manual steps.\"\necho \"[*] Security hardening finished!\"\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
Manual Checklist for CachyOS<\/strong><\/h3>\n\n\n\n
    \n
  1. Firewall:<\/strong> Enabled (UFW) with default deny incoming.<\/li>\n\n\n\n
  2. Services:<\/strong> Disable Bluetooth, CUPS, Avahi, SSH (unless used).<\/li>\n\n\n\n
  3. AppArmor:<\/strong> Enabled for extra sandboxing.<\/li>\n\n\n\n
  4. Browser:<\/strong>\n