From e409109b5c6365723b0aef108a9524b70e83ae47 Mon Sep 17 00:00:00 2001
From: Hau Nguyen <hauvipapro@gmail.com>
Date: Sun, 4 Aug 2024 03:30:18 +0700
Subject: [PATCH] sec and perf for archlinux

---
 docs/2022-12-25-archlinux.html    | 179 ++++++++++++++++++++++++------
 docs/2023-06-25-useful-tools.html |  26 +++++
 posts/2022-12-25-archlinux.md     |  94 ++++++++++++----
 posts/2023-06-25-useful-tools.md  |  10 ++
 4 files changed, 258 insertions(+), 51 deletions(-)

diff --git a/docs/2022-12-25-archlinux.html b/docs/2022-12-25-archlinux.html
index e88c937..8232c53 100644
--- a/docs/2022-12-25-archlinux.html
+++ b/docs/2022-12-25-archlinux.html
@@ -415,11 +415,13 @@ <h4 class="heading-element">Initramfs</h4>
     </div>
     <p>Edit <code>/etc/mkinitcpio.conf</code>:</p>
     <div class="highlight highlight-text-adblock">
-      <pre><span class="pl-c"># LVM (optional)</span>
-<span class="pl-c"># https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks</span>
-<span class="pl-c"># https://wiki.archlinux.org/title/mkinitcpio#Common_hooks</span>
+      <pre><span class="pl-c"># https://wiki.archlinux.org/title/mkinitcpio#Common_hooks</span>
 <span class="pl-c"># Replace udev with systemd</span>
+<span class="pl-c">#</span>
+<span class="pl-c"># LVM (optional)</span>
+<span class="pl-c"># https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks</span>
 <span class="pl-c"># Add lvm2 between block and filesystems</span>
+<span class="pl-c">#</span>
 HOOKS=(base systemd ... block lvm2 filesystems)</pre>
     </div>
     <div class="highlight highlight-source-shell"><pre>mkinitcpio -P</pre></div>
@@ -457,6 +459,15 @@ <h4 class="heading-element">
     <div class="highlight highlight-text-adblock">
       <pre>[<span class="pl-ii">device</span>]
 wifi.backend=iwd</pre>
+    </div>
+    <p>Edit <code>/etc/NetworkManager/conf.d/wifi_rand_mac.conf</code>:</p>
+    <div class="highlight highlight-text-adblock">
+      <pre>[<span class="pl-ii">device-mac-randomization</span>]
+wifi.scan-rand-mac-address=yes
+ 
+[<span class="pl-ii">connection-mac-randomization</span>]
+ethernet.cloned-mac-address=stable
+wifi.cloned-mac-address=stable</pre>
     </div>
     <div class="markdown-heading">
       <h4 class="heading-element">
@@ -559,7 +570,8 @@ <h4 class="heading-element">Boot loader</h4>
 <span class="pl-c"># NVIDIA</span>
 <span class="pl-c"># https://wiki.archlinux.org/title/NVIDIA#DRM_kernel_mode_setting</span>
 <span class="pl-c"># nvidia-drm.modeset=1</span>
-options root="LABEL=ROOT" rw</pre>
+<span class="pl-c">#</span>
+options root="LABEL=ROOT" rw quiet loglevel=3 nowatchdog module_blacklist=iTCO_wdt,sp5100_tco ipv6.disable=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1</pre>
     </div>
     <div class="markdown-heading">
       <h2 class="heading-element">
@@ -652,43 +664,36 @@ <h3 class="heading-element">Desktop Environment</h3>
       >:
     </p>
     <div class="highlight highlight-source-shell">
-      <pre>pacman -Syu xorg-server</pre>
+      <pre>pacman -Syu xorg-server
+
+<span class="pl-c"><span class="pl-c">#</span> Remember to install GPU driver</span></pre>
     </div>
     <div class="markdown-heading">
       <h4 class="heading-element">
-        <a href="https://wiki.archlinux.org/index.php/GNOME" rel="nofollow"
-          >GNOME</a
-        >
+        <a href="https://wiki.archlinux.org/title/KDE" rel="nofollow">KDE</a>
       </h4>
       <a
-        id="user-content-gnome"
+        id="user-content-kde"
         class="anchor"
-        aria-label="Permalink: GNOME"
-        href="#gnome"
+        aria-label="Permalink: KDE"
+        href="#kde"
         ><span aria-hidden="true" class="octicon octicon-link"></span
       ></a>
     </div>
+    <p>
+      See
+      <a
+        href="https://community.kde.org/Distributions/Packaging_Recommendations"
+        rel="nofollow"
+        >KDE Distributions/Packaging Recommendations</a
+      >
+    </p>
     <div class="highlight highlight-source-shell">
-      <pre>pacman -Syu gnome-shell \
-	gnome-control-center gnome-system-monitor power-profiles-daemon \
-	gnome-tweaks gnome-backgrounds gnome-firmware \
-	nautilus xdg-user-dirs-gtk xdg-desktop-portal \
-	gnome-console gnome-text-editor loupe evince
+      <pre>pacman -Syu plasma-desktop
 
 <span class="pl-c"><span class="pl-c">#</span> Login manager</span>
-pacman -Syu gdm
-systemctl <span class="pl-c1">enable</span> gdm.service</pre>
+pacman -Syu sddm</pre>
     </div>
-    <p>Quirks:</p>
-    <ul>
-      <li>
-        Fix black screen when open game in fullscreen in external monitor with
-        <a
-          href="https://github.com/kazysmaster/gnome-shell-extension-disable-unredirect"
-          >kazysmaster/gnome-shell-extension-disable-unredirect</a
-        >
-      </li>
-    </ul>
     <div class="markdown-heading">
       <h2 class="heading-element">
         <a
@@ -822,6 +827,13 @@ <h2 class="heading-element">
           >https://wiki.archlinux.org/index.php/Core_dump#Disabling_automatic_core_dumps</a
         >
       </li>
+      <li>
+        <a
+          href="https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems"
+          rel="nofollow"
+          >https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems</a
+        >
+      </li>
       <li>
         <a
           href="https://wiki.archlinux.org/index.php/Solid_state_drive#Periodic_TRIM"
@@ -844,16 +856,100 @@ <h2 class="heading-element">
         >
       </li>
       <li>
-        <a href="https://wiki.archlinux.org/title/sysctl" rel="nofollow"
-          >https://wiki.archlinux.org/title/sysctl</a
+        <a
+          href="https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open"
+          rel="nofollow"
+          >https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/842385/" rel="nofollow"
+          >Fast commits for ext4</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/508865/" rel="nofollow"
+          >TCP Fast Open: expediting web services</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/911219/" rel="nofollow"
+          >The search for the correct amount of split-lock misery</a
         >
       </li>
     </ul>
-    <p><code>/etc/sysctl.d/99-sysctl.conf</code>:</p>
+    <p>
+      Edit <code>/etc/systemd/journald.conf.d/00-journal-size.conf</code> then
+      restart:
+    </p>
+    <div class="highlight highlight-text-adblock">
+      <pre>[<span class="pl-ii">Journal</span>]
+SystemMaxUse=50M</pre>
+    </div>
+    <p>
+      Edit <code>/etc/systemd/coredump.conf.d/custom.conf</code> then restart:
+    </p>
+    <div class="highlight highlight-text-adblock">
+      <pre>[<span class="pl-ii">Coredump</span>]
+Storage=none
+ProcessSizeMax=0</pre>
+    </div>
+    <p>Enable ext4 fast commit:</p>
+    <div class="highlight highlight-source-shell">
+      <pre>tune2fs -O fast_commit /dev/partition</pre>
+    </div>
+    <p>Periodic TRIM:</p>
+    <div class="highlight highlight-source-shell">
+      <pre>systemctl <span class="pl-c1">enable</span> fstrim.timer</pre>
+    </div>
+    <p>Edit <code>/etc/sysctl.d/99-sysctl.conf</code>:</p>
     <div class="highlight highlight-text-adblock">
-      <pre><span class="pl-c"># https://lwn.net/Articles/911219/</span>
+      <pre><span class="pl-c"># Enable TCP Fast Open</span>
+net.ipv4.tcp_fastopen = 3
+
 kernel.split_lock_mitigate = 0</pre>
     </div>
+    <div class="markdown-heading">
+      <h2 class="heading-element">
+        <a href="https://wiki.archlinux.org/title/Security" rel="nofollow"
+          >Security</a
+        >
+      </h2>
+      <a
+        id="user-content-security"
+        class="anchor"
+        aria-label="Permalink: Security"
+        href="#security"
+        ><span aria-hidden="true" class="octicon octicon-link"></span
+      ></a>
+    </div>
+    <ul>
+      <li>
+        <a
+          href="https://wiki.archlinux.org/title/IPv6#Disable_IPv6"
+          rel="nofollow"
+          >https://wiki.archlinux.org/title/IPv6#Disable_IPv6</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/791380/" rel="nofollow"
+          >add init_on_alloc/init_on_free boot options</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/776228/" rel="nofollow"
+          >mm: Randomize free memory</a
+        >
+      </li>
+      <li>
+        <a href="https://lwn.net/Articles/925941/" rel="nofollow"
+          >mm: introduce Designated Movable Blocks</a
+        >
+      </li>
+    </ul>
+    <div class="highlight highlight-source-shell">
+      <pre><span class="pl-c"><span class="pl-c">#</span> Kernel parameters</span></pre>
+    </div>
     <div class="markdown-heading">
       <h2 class="heading-element">Hardware dependent</h2>
       <a
@@ -893,6 +989,13 @@ <h2 class="heading-element">Experiment</h2>
     </div>
     <p>Do it at your own risk!!!</p>
     <ul>
+      <li>
+        <a
+          href="https://wiki.archlinux.org/title/Unified_kernel_image"
+          rel="nofollow"
+          >https://wiki.archlinux.org/title/Unified_kernel_image</a
+        >
+      </li>
       <li>
         <a
           href="https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave"
@@ -900,6 +1003,18 @@ <h2 class="heading-element">Experiment</h2>
           >https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave</a
         >
       </li>
+      <li>
+        <a
+          href="https://madaidans-insecurities.github.io/guides/linux-hardening.html"
+          rel="nofollow"
+          >Linux Hardening Guide</a
+        >
+      </li>
+      <li>
+        <a href="https://github.com/GrapheneOS/hardened_malloc"
+          >https://github.com/GrapheneOS/hardened_malloc</a
+        >
+      </li>
       <li>
         <a href="https://github.com/AdnanHodzic/auto-cpufreq"
           >https://github.com/AdnanHodzic/auto-cpufreq</a
diff --git a/docs/2023-06-25-useful-tools.html b/docs/2023-06-25-useful-tools.html
index 762e992..c4c3ba5 100644
--- a/docs/2023-06-25-useful-tools.html
+++ b/docs/2023-06-25-useful-tools.html
@@ -1182,6 +1182,13 @@ <h3 class="heading-element">macOS</h3>
 defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6</pre
       >
     </div>
+    <p>Disable IPv6:</p>
+    <div class="highlight highlight-source-shell">
+      <pre>
+sudo networksetup -listallnetworkservices
+sudo networksetup -setv6off Wi-Fi</pre
+      >
+    </div>
     <p>Clean up leftover data:</p>
     <ul>
       <li>
@@ -1246,6 +1253,13 @@ <h3 class="heading-element">macOS</h3>
           </li>
         </ul>
       </li>
+      <li>
+        <a
+          href="https://appletoolbox.com/macos-how-to-disable-ipv6/"
+          rel="nofollow"
+          >macOS: How to Disable IPv6</a
+        >
+      </li>
       <li>
         <a
           href="https://gist.github.com/timotgl/f3d8c49ad582ec1af8ff01143465e116"
@@ -1253,6 +1267,18 @@ <h3 class="heading-element">macOS</h3>
           line</a
         >
       </li>
+      <li>
+        <a href="https://www.bejarano.io/hardening-macos/" rel="nofollow"
+          >Hardening macOS</a
+        >
+        <ul>
+          <li>
+            <a href="https://github.com/drduh/macOS-Security-and-Privacy-Guide"
+              >https://github.com/drduh/macOS-Security-and-Privacy-Guide</a
+            >
+          </li>
+        </ul>
+      </li>
     </ul>
     <div class="markdown-heading">
       <h3 class="heading-element">Firefox</h3>
diff --git a/posts/2022-12-25-archlinux.md b/posts/2022-12-25-archlinux.md
index 8fc2dfd..f87c5b1 100644
--- a/posts/2022-12-25-archlinux.md
+++ b/posts/2022-12-25-archlinux.md
@@ -192,11 +192,13 @@ myhostname
 Edit `/etc/mkinitcpio.conf`:
 
 ```txt
-# LVM (optional)
-# https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks
 # https://wiki.archlinux.org/title/mkinitcpio#Common_hooks
 # Replace udev with systemd
+#
+# LVM (optional)
+# https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks
 # Add lvm2 between block and filesystems
+#
 HOOKS=(base systemd ... block lvm2 filesystems)
 ```
 
@@ -225,6 +227,17 @@ Edit `/etc/NetworkManager/conf.d/wifi_backend.conf`:
 wifi.backend=iwd
 ```
 
+Edit `/etc/NetworkManager/conf.d/wifi_rand_mac.conf`:
+
+```txt
+[device-mac-randomization]
+wifi.scan-rand-mac-address=yes
+ 
+[connection-mac-randomization]
+ethernet.cloned-mac-address=stable
+wifi.cloned-mac-address=stable
+```
+
 #### [Bluetooth](https://wiki.archlinux.org/title/Bluetooth)
 
 ```sh
@@ -288,7 +301,8 @@ initrd /initramfs-linux.img
 # NVIDIA
 # https://wiki.archlinux.org/title/NVIDIA#DRM_kernel_mode_setting
 # nvidia-drm.modeset=1
-options root="LABEL=ROOT" rw
+#
+options root="LABEL=ROOT" rw quiet loglevel=3 nowatchdog module_blacklist=iTCO_wdt,sp5100_tco ipv6.disable=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1
 ```
 
 ## [General recommendations](https://wiki.archlinux.org/index.php/General_recommendations)
@@ -336,27 +350,22 @@ Install [Xorg](https://wiki.archlinux.org/index.php/Xorg):
 
 ```sh
 pacman -Syu xorg-server
+
+# Remember to install GPU driver
 ```
 
-#### [GNOME](https://wiki.archlinux.org/index.php/GNOME)
+#### [KDE](https://wiki.archlinux.org/title/KDE)
+
+See
+[KDE Distributions/Packaging Recommendations](https://community.kde.org/Distributions/Packaging_Recommendations)
 
 ```sh
-pacman -Syu gnome-shell \
-	gnome-control-center gnome-system-monitor power-profiles-daemon \
-	gnome-tweaks gnome-backgrounds gnome-firmware \
-	nautilus xdg-user-dirs-gtk xdg-desktop-portal \
-	gnome-console gnome-text-editor loupe evince
+pacman -Syu plasma-desktop
 
 # Login manager
-pacman -Syu gdm
-systemctl enable gdm.service
+pacman -Syu sddm
 ```
 
-Quirks:
-
-- Fix black screen when open game in fullscreen in external monitor with
-  [kazysmaster/gnome-shell-extension-disable-unredirect](https://github.com/kazysmaster/gnome-shell-extension-disable-unredirect)
-
 ## [List of applications](https://wiki.archlinux.org/index.php/List_of_applications)
 
 ### [pacman](https://wiki.archlinux.org/index.php/pacman)
@@ -400,18 +409,62 @@ pacman -Syu flatpak
 - https://wiki.archlinux.org/index.php/swap#Swappiness
 - https://wiki.archlinux.org/index.php/Systemd/Journal#Journal_size_limit
 - https://wiki.archlinux.org/index.php/Core_dump#Disabling_automatic_core_dumps
+- https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems
 - https://wiki.archlinux.org/index.php/Solid_state_drive#Periodic_TRIM
 - https://wiki.archlinux.org/index.php/Silent_boot
 - https://wiki.archlinux.org/title/Improving_performance#Watchdogs
-- https://wiki.archlinux.org/title/sysctl
+- https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open
+- [Fast commits for ext4](https://lwn.net/Articles/842385/)
+- [TCP Fast Open: expediting web services](https://lwn.net/Articles/508865/)
+- [The search for the correct amount of split-lock misery](https://lwn.net/Articles/911219/)
+
+Edit `/etc/systemd/journald.conf.d/00-journal-size.conf` then restart:
+
+```txt
+[Journal]
+SystemMaxUse=50M
+```
 
-`/etc/sysctl.d/99-sysctl.conf`:
+Edit `/etc/systemd/coredump.conf.d/custom.conf` then restart:
 
 ```txt
-# https://lwn.net/Articles/911219/
+[Coredump]
+Storage=none
+ProcessSizeMax=0
+```
+
+Enable ext4 fast commit:
+
+```sh
+tune2fs -O fast_commit /dev/partition
+```
+
+Periodic TRIM:
+
+```sh
+systemctl enable fstrim.timer
+```
+
+Edit `/etc/sysctl.d/99-sysctl.conf`:
+
+```txt
+# Enable TCP Fast Open
+net.ipv4.tcp_fastopen = 3
+
 kernel.split_lock_mitigate = 0
 ```
 
+## [Security](https://wiki.archlinux.org/title/Security)
+
+- https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+- [add init_on_alloc/init_on_free boot options](https://lwn.net/Articles/791380/)
+- [mm: Randomize free memory](https://lwn.net/Articles/776228/)
+- [mm: introduce Designated Movable Blocks](https://lwn.net/Articles/925941/)
+
+```sh
+# Kernel parameters
+```
+
 ## Hardware dependent
 
 - https://wiki.archlinux.org/title/Laptop
@@ -422,7 +475,10 @@ kernel.split_lock_mitigate = 0
 
 Do it at your own risk!!!
 
+- https://wiki.archlinux.org/title/Unified_kernel_image
 - https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave
+- [Linux Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)
+- https://github.com/GrapheneOS/hardened_malloc
 - https://github.com/AdnanHodzic/auto-cpufreq
 - https://github.com/nbfc-linux/nbfc-linux
 
diff --git a/posts/2023-06-25-useful-tools.md b/posts/2023-06-25-useful-tools.md
index dede897..5ffeb9f 100644
--- a/posts/2023-06-25-useful-tools.md
+++ b/posts/2023-06-25-useful-tools.md
@@ -303,6 +303,13 @@ defaults -currentHost write -globalDomain NSStatusItemSelectionPadding -int 6
 defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6
 ```
 
+Disable IPv6:
+
+```sh
+sudo networksetup -listallnetworkservices
+sudo networksetup -setv6off Wi-Fi
+```
+
 Clean up leftover data:
 
 - `~/Library/Application Support`
@@ -333,7 +340,10 @@ Thanks:
 - [Can Touch ID on Mac authenticate sudo in Terminal?](https://apple.stackexchange.com/a/466029)
 - [Native fix for applications hiding under the MacBook Pro notch](https://flaky.build/native-fix-for-applications-hiding-under-the-macbook-pro-notch)
   - [Can the spacing of menu bar apps be modified in macOS Big Sur and later?](https://apple.stackexchange.com/q/406316)
+- [macOS: How to Disable IPv6](https://appletoolbox.com/macos-how-to-disable-ipv6/)
 - [How to fully uninstall Logitech G HUB on macOS via terminal/command line](https://gist.github.com/timotgl/f3d8c49ad582ec1af8ff01143465e116)
+- [Hardening macOS](https://www.bejarano.io/hardening-macos/)
+  - https://github.com/drduh/macOS-Security-and-Privacy-Guide
 
 ### Firefox