OPSEC
Good OPSEC is about consistent practices and understanding your actual threat model, not just following checklists blindly.
Change Hostname
Check Current Hostname
hostname
hostnamectl status
Check hostname configuration files
cat /etc/hostname
cat /etc/hosts
Change current Hostname
sudo hostnamectl set-hostname laptop
Then edit /etc/hosts so the 127.0.1.1 entry matches the new name — `hostnamectl set-hostname` updates /etc/hostname but not /etc/hosts. Pick a generic name such as `laptop`: the hostname is typically sent in DHCP requests and mDNS announcements, so a personal or device-model name identifies you on every network you join.
127.0.0.1 localhost
::1 localhost
127.0.1.1 laptop.localdomain laptop
MAC Address and OUI Status
Check current MAC addresses
ip link show
Check current device and connection state (note: these commands do not show the randomization setting itself — that lives in NetworkManager.conf / conf.d and in each profile's cloned-mac-address property; compare the address shown by `ip link` against the permanent one from `ethtool -P <iface>`)
nmcli device wifi list
nmcli connection show --active
Check NetworkManager MAC randomization settings
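# Show the [device] section. NetworkManager also reads drop-ins from
# /etc/NetworkManager/conf.d/, which override the main file, so check both;
# the glob may match nothing, hence the silenced error.
grep -A5 '\[device\]' /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/conf.d/*.conf 2>/dev/null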
Properly Configure MAC Address Randomization
Enable full MAC randomization in NetworkManager
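# Use a drop-in instead of appending to NetworkManager.conf: the main file may
# already contain [device]/[connection] sections, and a separate file is easy
# to audit or remove. Drop-ins in conf.d are read in lexical order and
# override the main file. The heredoc is quoted, so ${...} is written literally.
sudo tee /etc/NetworkManager/conf.d/30-mac-randomization.conf << 'EOF'
[device]
# Randomize the MAC used for scanning, not only once connected
wifi.scan-rand-mac-address=yes

[connection]
# A new random MAC on every activation; "stable" would reuse one per profile
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
# For "stable"-derived values (MAC, stable-privacy IPv6) this makes the
# derived value change on every boot rather than staying fixed per profile
connection.stable-id=${CONNECTION}/${BOOT}
EOF
# NOTE(review): [connection] keys here are only defaults. A profile that
# already sets cloned-mac-address explicitly keeps its own value; check with
#   nmcli -g 802-11-wireless.cloned-mac-address connection show <name>
# NOTE(review): NetworkManager's generated addresses are, by default, flagged
# locally-administered in the first octet, which is itself a small tell —
# see generate-mac-address-mask in nm-settings(5), or use macchanger below,
# if a burned-in-looking address is wanted. Verify against your NM version.
# Restart NetworkManager so the new configuration is picked up
sudo systemctl restart NetworkManager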
For more aggressive randomization, change OUI as well
Install macchanger
sudo pacman -S macchanger
Create script to randomize MAC with random OUI
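# Script: re-randomize the MAC (including the vendor OUI) on every wired and
# wireless interface. Must run as root; the link is taken down first because
# the hardware address cannot be changed while it is up.
sudo tee /usr/local/bin/randomize-mac.sh << 'EOF'
#!/usr/bin/env bash
set -euo pipefail

# NOTE(review): NetworkManager re-applies its own cloned-mac-address setting
# when it activates a profile, so an address set here is likely overwritten on
# the next (re)connect unless the profile uses cloned-mac-address=preserve.
# Run this with NetworkManager stopped, or rely on NM's own randomization.

# "ip -o link" prints one record per interface as "<idx>: <name>: ...", which
# avoids parsing the multi-line default output; "@..." strips a VLAN/parent
# suffix such as "eth0.10@eth0". The original pattern matched only
# wlan/eth/enp, which misses predictable wireless names like wlp2s0.
ip -o link show | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }' |
  while IFS= read -r iface; do
    case "$iface" in
      lo) continue ;;
      eth*|en*|wl*) ;;   # classic (eth*/wlan*) and predictable (en*/wl*) names
      *) continue ;;
    esac
    ip link set "$iface" down
    # -r: fully random address. Use -A instead to pick a real vendor OUI from
    # macchanger's list if a plausible-looking burned-in address is preferred.
    # Warn rather than abort so the link is always brought back up.
    if ! macchanger -r "$iface"; then
      printf 'warning: could not change MAC on %s\n' "$iface" >&2
    fi
    ip link set "$iface" up
  done
EOF
sudo chmod +x /usr/local/bin/randomize-mac.sh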
Unique system identifiers across VMs
Check Machine ID
Check current machine ID
cat /etc/machine-id
cat /var/lib/dbus/machine-id
Check if they're linked (they should be)
ls -la /var/lib/dbus/machine-id
Generate new machine ID
Do this for each VM/system
# Remove both copies so a fresh id is generated rather than the old one reused
sudo rm /etc/machine-id
sudo rm /var/lib/dbus/machine-id
# Writes a new random /etc/machine-id when the file is missing
sudo systemd-machine-id-setup
# Point D-Bus at the same file so the two ids can never drift apart again
sudo ln -s /etc/machine-id /var/lib/dbus/machine-id
Ensure each VM has a unique machine-id. If you clone VMs, regenerate it in every clone — and do the same for other per-install identifiers that a clone copies verbatim, such as the SSH host keys in /etc/ssh/ssh_host_*, which otherwise let anyone who connects link the clones to each other.
DNS leaks via systemd-resolved
Check DNS Configuration and Leaks
Check systemd-resolved status
systemctl status systemd-resolved
resolvectl status
Check DNS servers being used
cat /etc/resolv.conf
resolvectl dns
Test for DNS leaks
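# These two queries ask a specific public resolver directly (@server), so they
# report the egress IP that resolver sees for you — useful to confirm a VPN or
# tunnel — but they never touch the system resolver and therefore cannot show
# a resolver leak. whoami.cloudflare lives in the CHAOS class, hence "CH".
dig +short CH TXT whoami.cloudflare @1.1.1.1
nslookup myip.opendns.com resolver1.opendns.com
# To learn which recursive resolver actually reaches the internet on your
# behalf, send a query through the normal system path (no @server) to a
# "whoami" zone that answers with the address of the resolver that asked.
# The answer should be your configured upstream (or the VPN's resolver),
# never your ISP's or the DHCP-supplied one.
dig +short whoami.akamai.net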
Secure DNS Configuration
Option 1: Use DNS over TLS (DoT) with systemd-resolved — systemd-resolved does not speak DNS over HTTPS; the configuration below uses DNSOverTLS
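sudo mkdir -p /etc/systemd/resolved.conf.d
# Quoted heredoc: nothing below should be expanded by the shell
sudo tee /etc/systemd/resolved.conf.d/dns-over-tls.conf << 'EOF'
[Resolve]
# Upstreams with their TLS server name; resolved verifies the certificate
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# Without this, the per-link DNS servers handed out by DHCP/NetworkManager
# take precedence on their link and queries still go to them. "~." makes
# these global servers the preferred route for every domain.
Domains=~.
# Strict mode: never fall back to plaintext ("opportunistic" would)
DNSOverTLS=yes
# Strict validation; use allow-downgrade only if a network breaks DNSSEC and
# you accept that trade-off
DNSSEC=yes
# Empty list: never fall back to the compiled-in public resolvers
FallbackDNS=
EOF
# Restart services
sudo systemctl restart systemd-resolved
# Make libc resolve through the local stub (127.0.0.53) so programs that read
# /etc/resolv.conf go via resolved instead of a DHCP-written server list
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# Verify: the global section should list 1.1.1.1/1.0.0.1 with DNS-over-TLS on
resolvectl status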
Option 2: Use Unbound for better control
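sudo pacman -S unbound
# Quoted heredoc; replaces the packaged unbound.conf entirely
sudo tee /etc/unbound/unbound.conf << 'EOF'
server:
    # Listen on loopback only; access-control below is the second guard
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    # Do not answer id.server / version.bind probes
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    # Only has effect when unbound validates DNSSEC itself; see note below
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    prefetch: yes
    # CA bundle used to verify the upstream certificate against the name after
    # "#" in forward-addr. Without a bundle the upstream's identity is not
    # verified, so the "TLS" forwarder could be impersonated on the path.
    # Path is the Arch/Debian one; adjust for other distributions.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # NOTE(review): no trust anchor is configured, so unbound forwards DNSSEC
    # data but does not validate it locally and trusts the upstream's AD bit.
    # Add trust-anchor-file / auto-trust-anchor-file (see your distro's unbound
    # package) if local validation is wanted.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
sudo systemctl enable --now unbound
# Stop resolved before touching resolv.conf so it cannot recreate its stub file
sudo systemctl disable --now systemd-resolved
# Update resolv.conf. On a resolved system /etc/resolv.conf is usually a
# symlink into /run/systemd/resolve/: writing through it would land the file in
# /run (gone at next boot) and chattr cannot protect a symlink. Replace it with
# a regular file, then make it immutable so DHCP clients cannot rewrite it.
sudo rm -f /etc/resolv.conf
printf 'nameserver 127.0.0.1\n' | sudo tee /etc/resolv.conf
sudo chattr +i /etc/resolv.conf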
System time revealing timezone/location
Check System Time and Timezone
Check current timezone and time
timedatectl status
date
Check NTP synchronization
timedatectl show-timesync --all
Configure Proper Time Synchronization
Use multiple NTP servers, and keep the clock accurate — a wrong clock breaks TLS and can itself make a host stand out. The location signal is the configured timezone, not the time: set it to UTC with `sudo timedatectl set-timezone UTC` and let the browser profile below (resistFingerprinting already reports UTC) handle presentation. The delay unit further down only jitters when the first NTP request is sent after boot; it does not skew the clock.
# timesyncd is an SNTP client: it talks to one server at a time and moves to
# the next NTP= entry only when the current one fails, so order matters.
# PollInterval* bound the adaptive poll interval (seconds); ConnectionRetrySec
# is the wait before retrying a failed connection.
# NOTE(review): FallbackNTP= is left unset, so the compiled-in (often
# distro-specific) fallback pool is still used if every server above fails;
# set it explicitly if that pool hostname would be a tell to a network observer.
sudo tee /etc/systemd/timesyncd.conf << EOF
[Time]
NTP=pool.ntp.org time.nist.gov time.cloudflare.com
PollIntervalMinSec=32
PollIntervalMaxSec=2048
ConnectionRetrySec=30
EOF
Create service to add random time skew
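# NOTE(review): this unit only delays the start of timesyncd by 0-29 s. It does
# not offset the clock — timesyncd still sets the correct time once it runs —
# so it hides nothing about timezone or location. Keep it only if the goal is
# to jitter the moment the first NTP packet leaves the host after boot.
sudo tee /etc/systemd/system/time-skew.service << 'EOF'
[Unit]
Description=Add random time skew
# systemd-timesyncd is pulled in by sysinit.target. A service with default
# dependencies is ordered After=sysinit.target, so Before=systemd-timesyncd
# on such a service forms an ordering cycle that systemd resolves by dropping
# a unit. Disable the default dependencies and hook in at sysinit level.
DefaultDependencies=no
After=local-fs.target
Before=systemd-timesyncd.service

[Service]
Type=oneshot
# Assumes systemd leaves $((...)) alone (it substitutes only $NAME/${NAME}),
# so bash evaluates the arithmetic — TODO confirm on the systemd version in use
ExecStart=/bin/bash -c 'sleep $((RANDOM % 30))'
RemainAfterExit=yes

[Install]
# Same stage as timesyncd itself, rather than multi-user.target
WantedBy=sysinit.target
EOF
# Enable the time skew service (reload so systemd sees the new unit file)
sudo systemctl daemon-reload
sudo systemctl enable time-skew.service
sudo systemctl restart systemd-timesyncd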
Use containerization to avoid Browser fingerprinting and correlation risks
Check Browser Configuration
Check Firefox profiles
ls ~/.mozilla/firefox/
cat ~/.mozilla/firefox/profiles.ini
Open the Firefox profile manager (this only lists profiles; installed add-ons such as Multi-Account Containers are listed under about:addons, not here)
firefox -P
Secure Browser Configuration
Install Firefox Multi-Account Containers
This should be done manually through Firefox Add-ons
Create hardened Firefox profile
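firefox -CreateProfile "hardened"
# Configure hardened settings (create user.js in profile directory).
# -CreateProfile creates a directory named <random>.hardened; limit the search
# to that level and take the first hit.
PROFILE_DIR=$(find ~/.mozilla/firefox -maxdepth 1 -name "*.hardened" -type d | head -n 1)
# ${VAR:?msg} aborts this command with a message instead of silently writing
# to "/user.js" when the profile directory was not found
tee "${PROFILE_DIR:?hardened profile directory not found}/user.js" << 'EOF'
// Privacy settings
// resistFingerprinting also reports UTC as the browser timezone, which is the
// in-browser answer to the system-timezone concern
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// NOTE(review): first-party isolation is the older mechanism; recent Firefox
// partitions state per site by default and FPI is known to interact badly
// with some add-ons. Verify on the Firefox version in use.
user_pref("privacy.firstparty.isolate", true);
// 1 = block third-party cookies
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.trimmingPolicy", 2);
// Disable WebRTC (can expose local/VPN-bypassing addresses) and getUserMedia
user_pref("media.peerconnection.enabled", false);
user_pref("media.navigator.enabled", false);
// DNS over HTTPS. Mode 2 (the original) is DoH with fallback to the system
// resolver on failure, i.e. a plaintext leak path if the DoH endpoint is
// blocked; 3 = DoH only, no fallback. Use 5 (off, system resolver) instead if
// you rely on the DoT/unbound setup above and do not want a second DNS path.
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://cloudflare-dns.com/dns-query");
// Disable telemetry
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
EOF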
Use Separate VMs/Containers for Different Activities
Install and configure Firejail for application isolation
sudo pacman -S firejail
Set up firejail for common applications
sudo firecfg
Run Firefox in isolated environment
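# --private gives Firefox an empty temporary home, so the "hardened" profile
# under ~/.mozilla is NOT used and nothing persists; use --private=<dir> with a
# dedicated directory if the sandboxed browser should use that profile.
# --dns=1.1.1.1 (the original) rewrites the sandbox's resolv.conf to send
# plaintext port-53 queries straight to Cloudflare, bypassing the local
# DoT/unbound resolver configured above — leave it out so the sandbox inherits
# the host resolver.
# NOTE(review): --netfilter targets a new network namespace (--net=<iface>);
# check firejail(1) for whether it has any effect without one.
firejail --private --netfilter firefox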
Monitor Your OPSEC Posture
Create monitoring script
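tee ~/check-opsec.sh << 'EOF'
#!/usr/bin/env bash
# Print the identifiers this guide changes so drift is easy to spot: a cloned
# machine-id, a DHCP-written resolv.conf, a non-UTC timezone, a vendor MAC.
set -u

echo "=== OPSEC Status Check ==="
echo "Hostname: $(hostname)"
# Only a prefix: the full id is itself an identifier and this output gets pasted
echo "Machine ID: $(head -c 8 /etc/machine-id)..."
# resolvectl only works while systemd-resolved runs (Option 1); read
# resolv.conf for the unbound setup (Option 2) instead of printing nothing
if resolvectl dns >/dev/null 2>&1; then
  echo "DNS Servers: $(resolvectl dns | head -n 1)"
else
  echo "DNS Servers: $(grep '^nameserver' /etc/resolv.conf | tr '\n' ' ')"
fi
echo "Timezone: $(timedatectl | grep 'Time zone')"
echo "MAC Addresses:"
# One record per interface; print the name next to the address so an
# unexpected vendor MAC can be tied to a device. Locate "link/ether" by label
# rather than by column, since the column position varies.
ip -o link show | awk '{ for (i = 1; i <= NF; i++) if ($i == "link/ether") print "  " $2, $(i+1) }'
EOF
chmod +x ~/check-opsec.sh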