(A) Buffer Overflow Prevention
Make sure "No Execute (NX)" or "Execute Disable (XD)" is enabled in the BIOS/UEFI. Then run the following command:
sudo dmesg | grep -E --color '(NX|XD).*protection'
[ 0.000000] NX (Execute Disable) protection: active
If you see the output above or something similar, you have set it right.
(B) Kernel Hardening and Tuning
Copy the content to the file "60-croissants.conf":
sudo nano /etc/sysctl.d/60-croissants.conf
sudo sysctl -p /etc/sysctl.d/60-croissants.conf
The configuration file hardens the kernel with parameters that include ASLR.
(C) Firefox Hardening (For Desktop Only)
sudo apt install apparmor-utils
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
To change to complain mode:
sudo aa-complain /etc/apparmor.d/usr.bin.firefox
Append "scsi_mod.use_blk_mq=1" to "GRUB_CMDLINE_LINUX_DEFAULT":
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash scsi_mod.use_blk_mq=1"
sudo update-grub
Then reboot the box.
(E) File System Tuning
Insert "noatime,nodiratime,norelatime," into the options of the "/dev/mapper/ubuntu--vg-root" entry:
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1
sudo mount -a
sudo mount -o remount /
Make sure no error is displayed. If there is an error, do not reboot the box until you have fixed what you edited. Otherwise, you cannot reboot the box properly.
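To confirm that the changes in (A), (B) and (E) actually took effect, the following script checks the NX log line, the ASLR level and the root mount options. It is an added example, not part of the original guide; the function names are hypothetical and the sample input is constructed. Pass --live to check the running system.

```shell
#!/bin/sh
# Added example (not from the original guide): checks NX, ASLR and root mount options.

# Succeeds if kernel-log text on stdin reports NX/XD protection as active.
nx_active() {
    grep -Eq 'NX \(Execute Disable\) protection: active'
}

# Maps a kernel.randomize_va_space value to a description.
aslr_level() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial" ;;   # stack, mmap base and vDSO randomized
        2) echo "full" ;;      # additionally randomizes the heap (brk)
        *) echo "unknown" ;;
    esac
}

# Prints the mount options of "/" from /proc/mounts-format text on stdin.
root_mount_opts() {
    awk '$2 == "/" { opts = $4 } END { print opts }'
}

# Succeeds only if comma-separated list $1 contains option $2 exactly,
# so "relatime" or "strictatime" is never mistaken for "noatime".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per check. Arguments: kernel log text, ASLR value, mounts text.
report() {
    if printf '%s\n' "$1" | nx_active; then echo "NX: active"; else echo "NX: not confirmed"; fi
    echo "ASLR: $(aslr_level "$2")"
    opts=$(printf '%s\n' "$3" | root_mount_opts)
    if has_opt "$opts" noatime; then echo "root fs: noatime set"; else echo "root fs: noatime missing ($opts)"; fi
}

if [ "${1:-}" = "--live" ]; then
    # Live system: dmesg may need root, and the boot line may have rotated out of the log.
    report "$(dmesg 2>/dev/null)" "$(cat /proc/sys/kernel/randomize_va_space)" "$(cat /proc/mounts)"
else
    # Constructed sample input so the script runs offline.
    report "[    0.000000] NX (Execute Disable) protection: active" 2 \
        "/dev/mapper/ubuntu--vg-root / ext4 rw,noatime,nodiratime,errors=remount-ro 0 0"
fi
```

An "ASLR: partial" or "ASLR: disabled" result means the sysctl file from (B) was not applied or was overridden by a later file in /etc/sysctl.d.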
That's all! See you.