There are a lot of kernel settings which can be passed on the kernel command line to make a system more secure, so let's add them to `/etc/kernel-hooks/secureboot.conf`.
After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time, so these settings should do for now.
> Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30).
This list is most likely still incomplete but should be good enough for now.
## Blacklisting modules
Work in progress.
## Linux-Hardened
Work in progress.
## Hardened Malloc (WIP)
The default memory allocator of Musl is already reasonably secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
```
# apk add hardened-malloc
```
Then to set it system-wide edit `/etc/ld-musl-x86_64.path`:
```
/usr/lib/libhardened_malloc.so
/lib
/usr/lib
/usr/local/lib
```
The light variant of hardened-malloc may also be used instead of the default when problems with graphical applications occur.
```
/usr/lib/libhardened_malloc-light.so
```
## Entropy
Improve the security of the system by increasing the entropy. Install `jitterentropy-library`:
```
# apk add jitterentropy-library
```
and create a config file in `/etc/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
```
jitterentropy_rng
```
## PAM
There are a few changes that can be made to improve login protection.
First install PAM through `util-linux-login`:
```
# apk add util-linux-login
```
Delays can be a deterrent against brute-forcing login attempts. Add the following line to `/etc/pam.d/login`:
```
auth optional pam_faildelay.so delay=5000000
```
which will add a 5 second delay between login attempts.
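Once the allocator, the entropy module and the PAM delay are configured, it is worth checking that each step actually took effect. The script below is an added example and not part of this page or of any of the projects it mentions; the function names (`malloc_variant`, `jitterentropy_loaded`, `faildelay_us`) and the sample `maps`, `modules` and PAM files are constructed for illustration. Each function takes a file path, so the same helpers can be pointed at the live system (`/proc/<pid>/maps`, `/proc/modules`, `/etc/pam.d/login`) or at a sample file.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers that verify the
# hardening steps above took effect. Functions take a file path so they work
# on the live system or on sample files.

# Which hardened_malloc variant, if any, is mapped into a process.
# Usage: malloc_variant /proc/<pid>/maps
malloc_variant() {
    awk '
        /libhardened_malloc-light\.so/ { light = 1 }
        /libhardened_malloc\.so/       { full = 1 }
        END {
            if (light)     print "hardened_malloc-light"
            else if (full) print "hardened_malloc"
            else           print "none"
        }' "$1"
}

# "yes" if the jitterentropy_rng module is loaded, else "no".
# Usage: jitterentropy_loaded /proc/modules
jitterentropy_loaded() {
    awk '$1 == "jitterentropy_rng" { found = 1 }
         END { print (found ? "yes" : "no") }' "$1"
}

# Microseconds configured for pam_faildelay in a PAM service file, or 0 when
# no such auth line is present. Comment lines are ignored.
# Usage: faildelay_us /etc/pam.d/login
faildelay_us() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && /pam_faildelay\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) { sub(/^delay=/, "", $i); d = $i }
        }
        END { print (d == "" ? 0 : d) }' "$1"
}

# --- constructed sample inputs (hypothetical, not captured from a real box) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_MAPS="$SAMPLE_DIR/maps"
SAMPLE_MODULES="$SAMPLE_DIR/modules"
SAMPLE_PAM="$SAMPLE_DIR/login"

cat > "$SAMPLE_MAPS" <<'EOF'
7f10a0000000-7f10a0020000 r-xp 00000000 08:01 1234 /usr/lib/libhardened_malloc.so
7f10a0020000-7f10a0030000 r--p 00000000 08:01 5678 /lib/ld-musl-x86_64.so.1
EOF

cat > "$SAMPLE_MODULES" <<'EOF'
jitterentropy_rng 16384 0 - Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
EOF

cat > "$SAMPLE_PAM" <<'EOF'
# /etc/pam.d/login (constructed sample)
auth optional pam_faildelay.so delay=5000000
auth include base-auth
EOF

# Stand-alone run: report on the samples, then on the live system when readable.
if [ "${AUDIT_QUIET:-0}" = 0 ]; then
    echo "sample: malloc=$(malloc_variant "$SAMPLE_MAPS")" \
         "jitter=$(jitterentropy_loaded "$SAMPLE_MODULES")" \
         "faildelay_us=$(faildelay_us "$SAMPLE_PAM")"
    if [ -r /proc/modules ]; then
        echo "live: jitter=$(jitterentropy_loaded /proc/modules)"
    fi
    if [ -r /proc/self/maps ]; then
        echo "live: malloc=$(malloc_variant /proc/self/maps)"
    fi
fi
```

Checking `/proc/<pid>/maps` of a long-running process (rather than of the shell itself) is the more meaningful test for the allocator, since a service started before the path file was edited will still be using the old allocator until it is restarted.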
The system can also be made to use a stronger password hash algorithm, which makes stored password hashes harder to crack. Edit the file `/etc/pam.d/base-password` and add the line:
> If an account has already been created, change its password afterwards so that it is also stored securely: `passwd <username>`. When choosing a password make sure that it is at least 8 characters long.