

commit 7f7e55c6e50901a3030c884b2bb2f6b2b5653a6f
Author: acidvegas <acid.vegas@acid.vegas>
Date:   Mon Jul 22 05:11:54 2019 -0400

    updated security notes

diff --git a/scripts/root.sh b/scripts/root.sh
index 8a4e87e..05edd89 100644
--- a/scripts/root.sh
+++ b/scripts/root.sh
@@ -63,6 +63,8 @@ sed -i '/#auth		required	pam_wheel.so use_uid/s/^#//g' /etc/pam.d/su-l
 echo -e "resolvconf=NO" > /etc/resolvconf.conf
 echo -e "Defaults lecture = always\nDefaults lecture_file = /etc/sudoers.d/sudoers.lecture\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL" > /etc/sudoers
 echo "kernel.core_pattern=|/bin/false" > /etc/sysctl.d/50-coredump.conf
+echo "kernel.dmesg_restrict = 1" > /etc/sysctl.d/50-dmesg-restrict.conf
+echo "kernel.kptr_restrict = 1" > /etc/sysctl.d/50-kptr-restrict.conf
 echo -e "[Journal]\nStorage=volatile\nSeal=no\nSplitMode=none\nRuntimeMaxUse=500K" > /etc/systemd/journald.conf
 echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1" > /etc/resolv.conf && chattr +i /etc/resolv.conf # add alternate dns servers
 echo -e "[Service]\nSupplementaryGroups=proc" > /etc/systemd/system/systemd-logind.service.d/hidepid.conf
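Review bot: `kernel.kptr_restrict = 1` on the second added line still exposes real kernel addresses to readers holding CAP_SYSLOG, and since this file is written unconditionally as a hardening step, `kernel.kptr_restrict = 2` (hide pointers from everyone) is the stricter setting and the one hardening guides usually recommend. Both new files only land in /etc/sysctl.d/ and nothing runs `sysctl --system`, so the values take effect at the reboot the script asks for further down; a short comment such as `# applied by systemd-sysctl on next boot (or: sysctl --system)` on the line would make that explicit. The `key = value` spacing also differs from the `kernel.core_pattern=|/bin/false` line just above; sysctl accepts both, but one style keeps the drop-in files greppable.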
@@ -76,9 +78,17 @@ systemctl enable slock@acidvegas.service
 
 echo "[!] - Reboot before proceeding any further..."
 
+#nano /etc/pam.d/passwd
+#	#%PAM-1.0
+#	password required pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
+#	password required pam_unix.so use_authtok sha512 shadow
+
 #nano /etc/pam.d/system-login
-#auth optional pam_faildelay.so delay=4000000
+#	auth optional pam_faildelay.so delay=4000000
 
+#nano /etc/pam.d/system-login
+#	auth required pam_tally2.so deny=3 unlock_time=600 onerr=succeed file=/var/log/tallylog
+#note: use `pam_tally2 --reset --user username` to reset
 
 #nano /etc/default/grub
 #	GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_priority=3 vga=current vt.global_cursor_default=0"
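Review bot: `onerr=succeed` on the added pam_tally2 line makes the lockout fail open: if the module cannot read or update /var/log/tallylog it returns success and the `deny=3` limit is silently skipped, so for a hardening note the default `onerr=fail` (or simply omitting the option) is the safer recommendation, e.g. `#	auth required pam_tally2.so deny=3 unlock_time=600 file=/var/log/tallylog`. The heading `#nano /etc/pam.d/system-login` now appears twice, once for the faildelay line and once for the tally2 line; merging both entries under one heading would make it clear they belong to the same file. Later Linux-PAM releases deprecate pam_tally2 in favour of pam_faillock and drop pam_cracklib in favour of pam_pwquality, so a one-line pointer next to these entries noting that the module names may need updating would keep the notes from going stale.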
@@ -87,7 +97,7 @@ echo "[!] - Reboot before proceeding any further..."
 #echo "setterm -cursor on" > /etc/issue
 #echo "kernel.printk = 3 3 3 3" > /etc/sysctl.d/20-quiet-printk.conf
 
-# nano /etc/mkinitcpio.conf
+#nano /etc/mkinitcpio.conf
 #	HOOKS=(...) Remove fsck
 #nano /usr/lib/systemd/system/systemd-fsck*.service
 #	StandardOutput=null