Arch Linux Hardening Help

I’m currently running Manjaro, and am wanting to just jump full-ship into Arch Linux. I’ve used Arch Linux before, but wanted to see if Manjaro was worthwhile (before I had read it was not recommended by PG).

Before jumping back into it, I’m doing research in hardening the system, and want feedback from the community. My threat model for security is mainly preventing stolen data from physical theft (avoiding basic attacks on said stolen drives), and to secure typical day-to-day tasks on the system (web browsing, being on random wifi networks, software development). I’d generally prefer usability over more intense security practices, so long as the base-line setup is reasonably secure.

I was reading the steps outlined by PG here: Hardening Your Desktop Linux System's Security - Privacy Guides

As well as the general Arch Linux Wiki entry here: Security - ArchWiki

Here is my current action plan from a base setup:

  1. Computer is dual booted with Windows, and Windows is only used for application specific purposes. Linux will be used for the rest.
  2. Kernel: Install the linux-hardened package + LKRG module and call it a day?
  3. DE: I’ll be installing Sway as the DE. I am acknowledging a usability-to-security tradeoff here. This is a big reason I want to move back to Arch.
  4. Users: For simplicity, I’ll likely keep my main login as a sudoer user, but never really log in as root. Also wondering if I should just disable su as a command entirely. As for changing the default mask to 077, as recommended by PG, would this cause random issues and unexpected permission issues during daily usage?
  5. Memory: Not sure if Hardened Malloc is worth setting up, or if it’ll break a large number of applications.
  6. File System: I’d like to use Btrfs + disk encryption. I can’t determine if LUKS or VeraCrypt would be better. The PG guide doesn’t really offer much comparison between the two, and it seems VeraCrypt. This also goes back into which may be better for a dual booted setup.
  7. Network: use nftables for firewall, but do I need to do much outside of enabling it if I don’t plan on running services from my laptop?
  8. MAC: Install AppArmor. For this, I really just want a “default” installation with the general recommended profiles. I’m assuming a basic install and enabling the service will accomplish this?
  9. I’d like to set up partitions for my laptop such that if I want to install a different Distro, my /home is on a dedicated partition, so I don’t need to wipe my data every re-install. Are there any challenges that may come from this?

Aside from that, anything I may have glanced over or missed?

3 Likes

For hardened malloc, it comes with Brace which Tad just told me about. I think only Electron apps break, but there are alternatives to using most of them

github.com/secureblue/secureblue/blob/live/POSTINSTALL-README.md
If you put this link in the Wayback Machine, you’ll find another guide that may be of interest! Secureblue aims to maintain usability, so you should be fine with these steps. However, this guide was taken down recently (I would suspect because of the addition of the secureblue website), so there may be outdated info or something.

Your third link is broken. As for Electron breaking, I think I’d consider that a feature, and would push me to use browser based versions of them.

Regarding Brace, it seems interesting, but I’m not sure what the description means:

Brace is a toolkit compatible with multiple existing Linux distributions that allows for a rapid installation of handpicked applications, along with corresponding configurations that have been fine-tuned for reasonable privacy and security.

A toolkit for installing applications with configurations sounds like a package manager, but I’m not sure if I’m understanding it correctly. @SkewedZeppelin wanted to ping you to learn more about Brace, and what the goal of Brace + firejail, fapolicyd, real-ucode, and my hardened_malloc package (which now supports buffer overflow checks) is, so I can determine if it fits my use case.

I edited the previous post so you can view the secureblue guide, thanks for letting me know

In my experience (and memory considering I haven’t run it in a while), Brace is a cool tool and not a package manager. Rapid installation means that when you run Brace, it asks you if you want to install stuff like Tor Browser. If you say yes, it does so instantly through your distro’s package manager, and sometimes adds some configurations. It also asks you if you want to use some security things, and if you say yes, it quickly turns them on.

1 Like

I’ll put this as one of the first things I install, and see how it goes.

All - I don’t mind links and am happy to triage more against my current understanding, but I’m really looking for a discussion. If you post a link it would be nice to add context.