A collection of system hardening and generally useful scripts for Linux systems. Targets Artix, but works on any distro. Some init systems (e.g. systemd) will not boot unless the included boot-parameter hardening is disabled.

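# /etc/default/grub -- sourced as shell by grub-mkconfig; regenerate grub.cfg
# after every edit or the change never reaches the boot menu.

# Boot the first menu entry after a 3 second countdown.
GRUB_DEFAULT="0"
GRUB_TIMEOUT="3"
GRUB_DISTRIBUTOR="Artix"

# Kernel command line for the normal (non-recovery) menu entries.
#
#   cryptdevice= / root=   Machine-specific: the UUID is this host's LUKS
#                          container. Replace it with your own before reuse,
#                          or the initramfs will not find the root device.
#   l1tf, mds, mitigations, nosmt, spectre_v2, spec_store_bypass_disable,
#   tsx, tsx_async_abort, pti, kvm.nx_huge_pages
#                          CPU side-channel mitigations at their strictest
#                          settings; SMT is forced off, which halves the
#                          logical CPU count on SMT-capable parts.
#   slab_nomerge, slub_debug=FZ, init_on_alloc, init_on_free,
#   page_alloc.shuffle     Kernel heap / page allocator hardening.
#   lockdown=confidentiality, module.sig_enforce=1
#                          Restrict root's ability to read or modify the
#                          running kernel; unsigned modules are refused, so
#                          out-of-tree modules must be signed.
#   vsyscall=none, debugfs=off, oops=panic, nousb
#                          Attack-surface reduction. nousb disables the USB
#                          subsystem, USB keyboards included.
#   apparmor=1 security=apparmor
#                          Select AppArmor as the active LSM.
#   quiet loglevel=0       Suppress kernel console output during boot.
#
# Changes from the previous revision of this line:
#   * Dropped parameters that were listed twice with identical values
#     (quiet, lockdown, mds, l1tf, nosmt); the effective settings are the same.
#   * kernel.yama.ptrace_scope is a sysctl, not a boot parameter, so the bare
#     form is not applied by the kernel. The "sysctl." prefix (kernels >= 5.8;
#     debugfs=off on this line already implies a newer kernel) makes the kernel
#     set it before init starts. Keep a matching entry in sysctl.d as well.
#
# NOTE(review): "on" is not among the values the kernel documents for
#   amd_iommu= (the AMD IOMMU is used by default when present); if strict
#   device isolation is the goal, the documented value is force_isolation.
#   Left unchanged -- confirm against the target kernel's parameter list.
# NOTE(review): on recent kernels enabling slub_debug reportedly also turns
#   off pointer hashing in kernel log output -- confirm for the target kernel
#   and weigh that against the sanity checks it buys.
# NOTE(review): these flags only hold if the menu entry cannot be edited at
#   boot. This file sets no GRUB password (that is configured elsewhere, e.g.
#   under /etc/grub.d) -- confirm one exists if local console access is in the
#   threat model.
GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=eecec386-7bc4-4e30-bfba-e684e19818f7:luks-eecec386-7bc4-4e30-bfba-e684e19818f7 root=/dev/mapper/luks-eecec386-7bc4-4e30-bfba-e684e19818f7 l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force amd_iommu=on sysctl.kernel.yama.ptrace_scope=2 lockdown=confidentiality slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 loglevel=0 spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force apparmor=1 security=apparmor nousb"

# Appended to every generated Linux entry; keeps the classic ethN/wlanN
# interface names instead of the predictable naming scheme.
GRUB_CMDLINE_LINUX="net.ifnames=0"

# Load the AMD CPU microcode image as an early initrd. Microcode updates are
# part of several CPU vulnerability mitigations, so keep the package current.
GRUB_EARLY_INITRD_LINUX_CUSTOM="amd-ucode.img"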
# Preload both GPT and MBR partition-table modules so GRUB can read either
# disk layout without relying on auto-detection.
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT="5"
#GRUB_HIDDEN_TIMEOUT_QUIET="true"
# Basic console input is enabled here (comment out to restore the default).
GRUB_TERMINAL_INPUT="console"
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT="console"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE="1680x1050x8"
# Modes are tried in the order listed.
GRUB_GFXMODE="1024x768,800x600"
# Enabled: the kernel keeps the resolution GRUB was using.
GRUB_GFXPAYLOAD_LINUX="keep"
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID="true"
# Enabled: no recovery-mode menu entries are generated.
GRUB_DISABLE_RECOVERY="true"
# Menu colors, used by normal and wallpaper modes only.
# Entries are specified as foreground/background.
export GRUB_COLOR_NORMAL="light-blue/black"
export GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
GRUB_THEME="/usr/share/grub/themes/artix/theme.txt"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# NOTE(review): the GRUB manual describes GRUB_SAVEDEFAULT as only useful
# together with GRUB_DEFAULT=saved, while this file sets GRUB_DEFAULT="0" --
# confirm which behaviour is intended.
GRUB_SAVEDEFAULT="true"
# NOTE(review): looks like the older spelling of GRUB_DISABLE_RECOVERY above,
# presumably kept for compatibility -- confirm it is still read by the
# installed grub-mkconfig.
GRUB_DISABLE_LINUX_RECOVERY="true"
# Have grub-install / grub-mkconfig look for encrypted disks and emit the
# commands GRUB needs to unlock them at boot.
GRUB_ENABLE_CRYPTODISK=y