You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<p>The <ahref="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a> from <ahref="https://grapheneos.org/">GrapheneOS</a> can be used on Linux distributions. It is available by default on Whonix and is available as an <ahref="https://wiki.archlinux.org/title/Security#Hardened_malloc">AUR package</a> on Arch based distributions. If you are using the AUR package, consider setting up <code>LD_PRELOAD</code> as described in the <ahref="https://wiki.archlinux.org/title/Security#Hardened_malloc">Arch Wiki</a>.</p>
<h5>Umask</h5>
<p>Consider changing the default UMASK for both regular users and root to 077.</p>
<h5>Mountpoint hardening</h5>
Consider adding <code>nodev</code>, <code>noexec</code>, <code>nosuid</code> to mountpoints which do not need them. Typically, these could be applied to <code>/boot</code>, <code>/boot/efi</code>, <code>/home</code>, <code>/root</code>, <code>/var</code>.
If you use <ahref="https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/">Toolbox</a>, <code>/var/log/journal</code> must not have any of those options.
If you are on Arch Linux, do not apply <code>noexec</code> to <code>/var/tmp</code>.
<h5>USBGuard</h5>
<p>Consider following the <ahref="https://wiki.archlinux.org/title/USBGuard">Arch Wiki</a> to set up USBGuard.</p>
