Operating system hardening involves reducing the attack surface of your system while maximizing privacy controls. For developers and power users seeking extreme privacy, this means configuring kernel parameters, network settings, file permissions, and system services to minimize data leakage and prevent unauthorized access.
Why OS Hardening Matters for Privacy
Every operating system ships with defaults optimized for usability rather than security. These defaults often include telemetry services, network features that leak identifying information, and permissions that grant excessive access to applications. Hardening your OS closes these gaps.
The techniques in this guide apply primarily to Linux systems, which offer the most granular control. However, key principles transfer to macOS and Windows with appropriate modifications.
Linux Kernel Hardening with Sysctl
The Linux kernel exposes runtime configuration through sysctl. These settings control network behavior, memory protection, and process isolation.
Network Privacy Settings
Add these settings to /etc/sysctl.d/99-privacy.conf:
# Disable IP forwarding to prevent becoming a relay
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Disable source packet routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Apply changes with sudo sysctl --system. Verify settings with sysctl -a | grep -E "(ip_forward|accept_redirects|rp_filter)".
Memory Protection Settings
These settings harden memory management:
# Prevent kernel pointer leakage
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
# Restrict core dumps
kernel.core_pattern = |/bin/false
kernel.core_uses_pid = 0
# Disable unused memory debugging
kernel.yama.ptrace_scope = 2
The ptrace_scope setting restricts process debugging capabilities, preventing one process from inspecting another without permission. This blocks many malware families that use ptrace for credential theft.
Firewall Configuration with nftables
Linux firewalls have evolved from iptables to nftables. Here’s a privacy-focused base configuration:
#!/usr/sbin/nft -f
# Flush existing rules
flush ruleset
# Table for filtering
table inet filter {
# Drop all incoming by default
chain input {
type filter hook input priority 0; policy drop;
# Allow established connections
ct state established,related accept
# Allow localhost
iif lo accept
# Allow SSH (change port if non-standard)
tcp dport 22 accept
# Allow ping
icmp type echo-request accept
}
# Drop all forwarding
chain forward {
type filter hook forward priority 0; policy drop;
}
# Drop all outgoing by default (strict policy)
chain output {
type filter hook output priority 0; policy drop;
# Allow established connections
ct state established,related accept
# Allow DNS
udp dport 53 accept
tcp dport 53 accept
# Allow HTTPS
tcp dport 443 accept
# Allow NTP
udp dport 123 accept
}
}
This strict output policy blocks unexpected network connections. Whitelist only the ports your workflow requires. Audit with nft monitor to see connection attempts.
Service Hardening
Disable unnecessary services to reduce attack surface:
# List active services
systemctl list-units --type=service --state=running
# Mask unnecessary services
sudo systemctl mask bluetooth.service
sudo systemctl mask cups.service
sudo systemctl mask avahi-daemon.service
# Disable services permanently
sudo systemctl disable bluetooth
sudo systemctl disable cups
On server systems, review listening ports with ss -tulpn. Each open port represents potential information leakage or attack vector.
Application Sandboxing
Modern Linux desktops support sandboxing through several mechanisms:
Bubblewrap for User Containers
Bubblewrap creates lightweight namespaces without root privileges:
# Install bubblewrap
sudo apt install bubblewrap
# Run Firefox in a sandbox with minimal permissions
bwrap --die-with-parent \
--unshare-net \
--unshare-ipc \
--ro-bind /usr /usr \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--dev /dev \
--tmpfs /run \
--tmpfs /tmp \
--bind /home/user /home/user \
firefox
This runs Firefox without network namespace access (requires --unshare-net removed for actual browsing, but demonstrates isolation principles).
Flatpak Sandboxing
Flatpak applications run in isolated environments by default:
# Install Flatpak
sudo apt install flatpak
# Add Flathub repository
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# Install an application with sandbox permissions
flatpak install flathub org.mozilla.firefox
# View sandbox permissions
flatpak info --show-permissions org.mozilla.firefox
Review permissions before granting additional access. The --socket=x11, --socket=wayland, and --device=dri permissions grant graphical access. Network access uses --socket=network.
File System Hardening
Configure file system mount options for additional protection:
# Add to /etc/fstab for /tmp
tmpfs /tmp tmpfs noexec,nosuid,nodev,size=2G 0 0
# Restrict /proc
proc /proc proc nosuid,noexec,nodev 0 0
# Remount / with nodev (if separate partition)
# Edit /etc/fstab and add nodev to mount options
The /tmp restrictions prevent execution of malicious binaries from temporary storage, a common attack vector.
macOS Hardening Essentials
For macOS users, several Terminal commands provide hardening:
# Disable Spotlight indexing of user directories
sudo mdutil -i off /Users
# Disable diagnostic reporting
sudo rm -rf /var/db/diagnostics/*
sudo rm -rf /var/db/logd/*
# Enable firewall with stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Review System Settings > Privacy & Security to disable telemetry options. Disable “Share Mac Analytics” and location services for applications that don’t need them.
Windows Privacy Settings
Windows requires registry modifications for meaningful hardening:
# Disable telemetry via Group Policy (run as Administrator)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v TelemetryDataLevel /t REG_DWORD /d 0 /f
# Disable Cortana
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f
# Disable advertising ID
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
Use Windows Defender’s hardened configuration settings in the Security app. Enable “Folder Access Control” to block ransomware encryption attempts.
Maintenance and Verification
Hardening requires ongoing attention. Create a verification script:
#!/bin/bash
# verify-hardening.sh
echo "=== Network Settings ==="
sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.all.accept_redirects
echo "=== Open Ports ==="
ss -tulpn | grep LISTEN
echo "=== Active Services ==="
systemctl list-units --type=service --state=running | wc -l
echo "=== Firewall Rules Count ==="
nft list ruleset | grep -c "hook"
Run this monthly to detect configuration drift. Subscribe to security mailing lists for your distribution to apply kernel and package updates promptly.
Related Articles
- How to Use Tails Operating System for Extreme Privacy Daily
- How to Use Live Operating System to Leave No Forensic Trace
- Google Analytics Tracking Alternatives That Respect User Pri
- Living Without Smartphone Digital Privacy Extreme Approach P
- Linux Desktop Privacy Hardening Guide
Built by theluckystrike — More at zovo.one