There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:
After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.
> Whilst booting up your system you may see sysctl complaining about ipv6 setting. [It's getting worked on](https://git.bijl.us/lnco/documentation/issues/30).
Musl's default memory allocator which comes with Alpine Linux is already pretty secure but not as secure as [hardened-malloc](https://github.com/GrapheneOS/hardened_malloc/):
```
# apk add hardened-malloc
```
Then to set it system wide edit `/etc/ld-musl-x86_64.path`:
There are a few changes that can be made to improve login protection.
Delays can be a deterent against bruteforcing login attempts. Simply add this line to it's corresponding section in `/etc/pam.d/login`:
```
auth optional pam_faildelay.so delay=5000000
```
Which will add a 5 second delay between login attempts.
The system can also enforce strong passwords with PAM with `libpwquality` which has to be installed first:
```
# apk add libpwquality
```
Then configure `/etc/pam.d/passwd`, you can configure it to your [liking](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam), but these settings should do: