The real key to security is YOU being mindful.
-
Limit AUR usage to "known"
-
Common security practices
- Firewall
- Adblocking
- Sysctl conf
-
Additionals
- selinux
- apparmor
- firejail
- fail2ban
- bubblewrap
- flatseal
Strong Passwords & Usernames
Usernames/Hostnames: Avoid admin, user, root - use something descriptive unrelated to your identity.
Hostname has to be RFC-compliant for DNS (strict):
Only: a-z, 0-9, - (hyphen)
Usernames are more flexible:
Start with: a-z or _
Followed by: a-z, 0-9, _, -
Max 31 characters
Can contain $ at the end (but breaks certain build scripts.)
Passwords: Mixed case/numbers/symbols, or pw managers
Root: Strong separate password, different from user accounts
Root account can optionally be locked in the TUI.
Ex: sybling using the same system as you can set a user to have access to the same apps yet no terminal. In the menu you can simply create the user without sudo access.
useradd -m -s /bin/rbash guestname
Or with a password
useradd -m -s /bin/rbash guestname
passwd guestname
Releases files are signed and can be verified with: gpg --verify archinstoo-*.pkg.tar.zst.sig