Hardening
MEKAT applies defense-in-depth hardening by default — SELinux enforcing, kernel sysctl settings, LUKS2 with TPM2 unlock, firewalld zones, and audit rules.
Applied automatically at install. To re-apply manually (for example after a config change drifted from the baseline):
sudo bash /usr/lib/mekat/scripts/apply-hardening.sh
SELinux
getenforce → Enforcing (expected; Permissive means the policy is loaded but denials are only logged)
sestatus
ausearch -m avc -ts recent | audit2why   (explains recent AVC denials; fix the policy or label rather than disabling enforcement)
Kernel Hardening (sysctl)
# Memory
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.randomize_va_space = 2
# Network
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
# Filesystem
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
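The baseline above is only useful if it still holds on the running kernel. The following drift check is an added example, not a MEKAT script: it reads the nine key/value pairs from this page, compares them against sysctl-style "key = value" text, and reports any key that is missing or has drifted. The function names, output format and the sample input are assumptions; the sample is constructed, not real output.

```shell
#!/bin/sh
# Added example: audit a kernel against the MEKAT sysctl baseline above.
# Illustrative code, not part of MEKAT; the key/value pairs come from the
# page, the function names and output format are assumptions.
set -u

# Baseline from the "Kernel Hardening (sysctl)" section, one key=value per line.
BASELINE='
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.suid_dumpable=0
'

# audit_sysctl ACTUAL
#   ACTUAL is sysctl-style text ("key = value" per line). Prints one line per
#   drifted key ("key expected=X actual=Y"; actual=MISSING if the key is absent)
#   and returns the number of drifted keys, so a 0 exit means the baseline holds.
audit_sysctl() {
    actual=$1
    drift=0
    for pair in $BASELINE; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so the key matches literally in the sed pattern.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(printf '%s\n' "$actual" \
              | sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" | head -n 1)
        if [ -z "$got" ]; then
            printf '%s expected=%s actual=MISSING\n' "$key" "$want"
            drift=$((drift + 1))
        elif [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$got"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# audit_live: query only the baseline keys from the running kernel.
# sysctl -e ignores keys this kernel lacks, so they are reported as MISSING.
audit_live() {
    keys=$(printf '%s\n' $BASELINE | sed 's/=.*//')
    # Word splitting of $keys is intended: one argument per key.
    audit_sysctl "$(sysctl -e $keys 2>/dev/null)"
}

# Constructed sample (not real output): kptr_restrict and rp_filter drifted,
# suid_dumpable missing entirely.
SAMPLE_DRIFTED='kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1'

# Constructed sample matching the baseline exactly.
SAMPLE_CLEAN='kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0'

# Usage: sh audit-sysctl.sh --live   (on a MEKAT host, as root)
#        sh audit-sysctl.sh          (dry run against the constructed sample)
case ${1:-} in
    --live) audit_live; exit $? ;;
    *) audit_sysctl "$SAMPLE_DRIFTED" || echo "drifted keys: $?" ;;
esac
```

Run it with --live after apply-hardening.sh to confirm the values took effect (a non-zero exit is the drift count), or wire it into a cron job or a monitoring check so a later package or manual change that resets one of these keys is noticed rather than silently weakening the host.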
LUKS2 + TPM2
sudo systemd-cryptenroll --tpm2-device=auto /dev/sda2
Enrolls a TPM2 key slot on the LUKS2 partition (/dev/sda2 here; use the actual LUKS partition). By default the key is sealed to PCR 7, the Secure Boot state, so a firmware or Secure Boot change invalidates the TPM2 slot and boot falls back to the password prompt. Keep the password slot as the recovery path and never wipe it; after such a change, wipe the stale tpm2 slot (--wipe-slot=tpm2) and enroll again. Automatic unlock at boot also needs tpm2-device=auto in the volume's /etc/crypttab options.
sudo systemd-cryptenroll /dev/sda2
Lists the enrolled key slots; expected:
0 password · 1 tpm2
Firewall Zones
Default zone by edition:
Base / Gaming / Developer → public
Enterprise → work
Security → drop (all unsolicited inbound traffic is silently dropped, without a reply)
firewall-cmd --get-active-zones   (shows which zone each interface is bound to)