
@umbernhard
umbernhard / arch-secure-install.md
Last active February 29, 2024 16:23
Building a Secure Arch Linux Device

Locking down a Linux machine is getting easier by the day. Recent advancements in systemd-boot have enabled a host of features to help users ensure that their machines have not been tampered with. This guide provides a walkthrough of how to turn on many of these features during installation, as well as the reasoning for why certain features help improve security.

The steps laid out below draw on a wide variety of existing resources, and in places I'll point to them rather than attempt to regurgitate full explanations of the various security components. The most significant one, which I highly encourage everyone to read, is Rod Smith's site about Secure Boot, which is the most comprehensive and cogent explanation of UEFI, boot managers and boot loaders, and Secure Boot. Another incredibly useful resource is Safeboot, which encapsulates many of the setup steps below in a Debian application.

# Parser for MEDSL's precinct-level data.
# Matt Bernhard, May 2019
import csv
import sys
from collections import defaultdict
class AutoVivification(dict):
    """
    Implementation of perl's autovivification feature.
@umbernhard
umbernhard / get_raw_scans.py
Created March 27, 2017 20:20
Pulls down compressed Censys historical scans for given protocols over a given period of time.
import requests
import sys
# Protocols to grab. The fully qualified names can be found here: https://censys.io/api/v1/data (feed into jq for readability)
protos = ["21-ftp-banner-full_ipv4",
          "22-ssh-banner-full_ipv4",
          "23-telnet-banner-full_ipv4",
          "80-http-get-full_ipv4",
          "443-https-ssl_2-full_ipv4",
          "443-https-tls-full_ipv4",

Keybase proof

I hereby claim:

  • I am umbernhard on github.
  • I am umbernhard (https://keybase.io/umbernhard) on keybase.
  • I have a public key ASA_fQU9Q42H7UAI3Z83d645ypqk9kFvQhWWceuYbClXzwo

To claim this, I am signing this object: