Arch Linux: Essential Post-Install Configuration

Requirements

A base installation of Arch Linux. You can build your own by following this gist or this video, or you can download an OVF image generated in VMware Workstation 15 here (filename is 2020-08-25_arch-linux-base.ova).

Update package list and packages

pacman -Syu

Install and configure sudo

This step covers installing and configuring sudo, which is critical for system management as a non-root user.

First, install sudo:

pacman -S sudo

Next, run visudo using vim, which is the only editor installed on the example base system:

sudo EDITOR=/bin/vim visudo

Find the very end of the "Defaults" section of the file and add a new line to override the default text editor:

Defaults editor=/bin/vim

Find and uncomment the following line (remove # ) to allow users belonging to the wheel group to use sudo for any system command without needing to enter their password:

# %wheel ALL=(ALL) NOPASSWD: ALL

If the ability to use sudo without a password makes you nervous, instead uncomment the nearby line that is identical except that it lacks NOPASSWD: ; wheel members will then be prompted for their password when they use sudo.

After edits are complete, write and save the file (:wq in vim).

Create a non-root user for admin tasks

We rarely if ever want or need to use the root user, therefore the first user we create will also be the user we use for system configuration tasks. In this runbook, I'm using admin as the username; you should modify this username to suit your preferences.

First, create the user:

useradd -m admin

The -m in this command specifies that a home directory should be created.

Next, set this user's password:

passwd admin

Finally, add this user to the wheel group so they can use sudo:

usermod -aG wheel admin

The -aG in this command is actually a combination of two arguments:

  • -a: Append any specified groups to the user's current groups
  • -G: Update the user's groups to the group(s) specified (e.g.: group1,group2,group3) - by default the user's groups are overwritten unless -a is also specified

Reboot

The system update run earlier likely updated the kernel - we'll reboot to load the new kernel and initramfs image. Either of these commands will trigger a reboot:

shutdown -r now
reboot

When the reboot is complete, log in as admin.

Verify non-root user's sudo ability

Before moving on, check that you are able to use sudo as your admin user - a simple test is launching a sudo shell as root:

sudo -i

If you don't get an error, you're all set. If you do get an error, you'll need to double check the visudo configuration and your admin user's groups.

Go ahead and stay in this sudo shell for the remaining steps in this runbook, as many of the commands to follow require elevated permissions.
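
If sudo -i fails, the two things to check are the active %wheel rule and the user's groups. The script below is an added example, not part of the original runbook; the function names are hypothetical and the sudoers text is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the runbook): diagnose a failed `sudo -i` by checking
# the two things named above, the %wheel rule and the user's groups.

# Print the effective %wheel mode for sudoers text on stdin:
#   nopasswd | password | none
# sudo applies the LAST matching rule, so a later line overrides an earlier one.
# Simplification: files pulled in through include directives are not read.
wheel_sudo_mode() {
    awk '
        /^[ \t]*%wheel[ \t]/ {          # commented-out lines start with "#"
            mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
        }
        END { print (mode == "" ? "none" : mode) }
    '
}

# Succeed if group $2 appears in the space-separated list $1 (as from `id -nG`).
has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Combine both checks into one verdict line.
# $1 = sudoers text, $2 = group list, e.g. "$(id -nG admin)"
diagnose_sudo() {
    mode=$(printf '%s\n' "$1" | wheel_sudo_mode)
    if [ "$mode" = none ]; then
        echo "no active %wheel rule: uncomment one with visudo"
    elif ! has_group "$2" wheel; then
        echo "user not in wheel: run usermod -aG wheel <user>"
    else
        echo "ok: wheel rule active ($mode)"
    fi
}

# Constructed sample: the NOPASSWD variant uncommented, the other left commented.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

diagnose_sudo "$SAMPLE_SUDOERS" "admin wheel"
```

On the real system, run it as root with `diagnose_sudo "$(cat /etc/sudoers)" "$(id -nG admin)"`. A result of nopasswd means any process running as a wheel member can become root without authenticating.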

Install and configure firewall

Arch Linux's base package includes iptables, which is a net filter/firewall in its own right - it's totally possible to configure iptables to do all the firewalling you would ever want it to do. That said, there are firewall management utilities available at this point that are a bit more convenient to use, and in this runbook, we'll be installing and configuring Uncomplicated Firewall.

First, install the ufw package:

pacman -S ufw

Next, ensure the iptables service is disabled, and enable/start the ufw service:

systemctl disable iptables
systemctl enable ufw
systemctl start ufw

Once ufw has started, we'll configure ufw to deny or reject inbound traffic by default (network traffic sourced from remote clients to this destination host):

ufw default deny

At this point we can enable ufw to enforce the default deny policy, and check its status:

ufw enable
ufw status

By default, ufw only seems to show rules entered by the user - because we haven't made any exceptions, output is a bit boring, indicating only that ufw is active. You can get a better idea of what traffic is allowed with the following command:

iptables -S|grep ACCEPT
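
A plain grep for ACCEPT also matches chain policy lines such as the OUTPUT default, which are not per-packet rules. The script below is an added example, not part of the original runbook: it separates default policies from ACCEPT rules and confirms that inbound traffic is dropped by default. The function names are hypothetical, the rule listing is a constructed and abbreviated sample, and it assumes the default deny policy appears as a DROP policy on the INPUT chain.

```sh
#!/bin/sh
# Added example (not from the runbook): summarise `iptables -S` output so the
# default policies are separated from the individual ACCEPT rules.

# Print the default policy of built-in chain $1; rule listing on stdin.
chain_policy() {
    awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Print only appended rules that jump to ACCEPT ("-A ... -j ACCEPT"),
# skipping the "-P" policy lines that a plain grep would also match.
accept_rules() {
    awk '$1 == "-A" {
        for (i = 2; i < NF; i++)
            if ($i == "-j" && $(i + 1) == "ACCEPT") { print; next }
    }'
}

# Verdict for the goal of this step: inbound traffic denied by default.
check_default_deny() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | chain_policy INPUT)
    n=$(printf '%s\n' "$rules" | accept_rules | wc -l | tr -d ' ')
    if [ "$policy" = DROP ]; then
        echo "OK: INPUT policy DROP, $n explicit ACCEPT rule(s) to review"
    else
        echo "WARN: INPUT policy is ${policy:-unknown}, inbound not denied by default"
    fi
}

# Constructed, abbreviated sample of `iptables -S` output (not captured output).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_default_deny
```

On the live system, run `iptables -S | check_default_deny` as root.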

Install additional preferred packages

While the above steps are truly essential, there are a handful of packages I just can't live without:

  • man - Provides an interface to system manuals. Don't know what usermod does? Just man usermod and read up. It's super helpful, near necessary. Half the battle is knowing a utility exists to do a job, the other half is understanding or remembering that utility's usage and syntax...if you're like me, and lean heavily on reference material, you probably need man.
  • tmux - A virtual terminal emulator/multiplexer, similar to screen. It's very helpful if you'll only be interacting with the system via command line/tty sessions, as it supports creating and managing multiple windows/panes on a single screen. It's also handy when you need to run a process in the background and return to it later - you can open a tmux session, run a process, detach from the session, and the process will continue without interruption. You can reattach to the session at any time. If you've ever been disconnected from an SSH server during a long transfer or a system update, you'll understand the value.
  • tcpdump - Allows you to monitor packets flowing across your system's interfaces.
  • which - Returns the full path of the program/command passed as an argument.

To install these packages, just run:

pacman -S man tmux tcpdump which

If there are other packages you can't live without, add them to the command as well.

References

I used the following resources when building this runbook:

This runbook started as a gist on GitHub - view it here: https://gist.github.com/miliarch/4441e9547c7f3f0849084efc808c085e