(A) Buffer Overflow Prevention
Make sure "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI has been enabled. Then run the following command :
sudo dmesg | grep --color '[NX|XD]*protection'
[ 0.000000] NX (Execute Disable) protection: active
If you see the captioned output or similar, you have set it right.
(B) Kernel Hardening and Tuning
Copy the content to the file "60-croissants.conf" :
sudo nano /etc/sysctl.d/60-croissants.conf
sudo sysctl -p /etc/sysctl.d/60-croissants.conf
The configure file would hardening the kernel with parameters which is including ASLR.
(C) Firefox Hardening (For Desktop Only)
sudo apt install apparmor-utils
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
To change to complain mode :
sudo aa-complain /etc/apparmor.d/usr.bin.firefox
Append "scsi_mod.use_blk_mq=1" to "GRUB_CMDLINE_LINUX_DEFAULT" :
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash scsi_mod.use_blk_mq=1"
Then reboot the box.
(E) File System Tuning
Insert "noatime,nodiratime,norelatime," to the "/dev/mapper/ubuntu--vg-root" :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
Make sure there is no error displayed. If you find there is an error, do not reboot the box until you have fix what you have edited. Otherwise, you cannot reboot the box properly.
That's all! See you.