From e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:30:15 +1000 Subject: [PATCH 01/13] Typo --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 33f98fc..b526ee7 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## The default implementation is FIneIBT as of Linux kernel 6.2. +## The default implementation is FineIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in some performance benefits as it only performs checking at destinations. From 0b0683499a6a21e3995a115c377eb19008bc4cd1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:30:39 +1000 Subject: [PATCH 02/13] Consistent line length formatting --- README.md | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 3c41728..500833c 100644 --- a/README.md +++ b/README.md 
@@ -305,13 +305,24 @@ See: ### Bluetooth Status: Enabled but Defaulted to Off -- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth. +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, + security-misc deviates from the usual behavior by starting with Bluetooth + turned off at system start. This setting remains until the user explicitly opts + to activate Bluetooth. -- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands. +- **User Control**: Users have the freedom to easily switch Bluetooth on and off + in the usual way, exercising their own discretion. This can be done via the + Bluetooth toggle through the usual way, that is either through GUI settings + application or command line commands. -- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility. +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth + connections. This includes the use of private addresses and strict timeout + settings for discoverability and visibility. -- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible. 
+- **Security Considerations**: Despite these measures, it's important to note that + Bluetooth technology, by its nature, may still be prone to exploits due to its + history of security vulnerabilities. Thus, we recommend users to opt-out of + using Bluetooth when possible. ### Configuration Details 
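Review bot: grammar in the reflowed Security Considerations bullet: "we recommend users to opt-out of using Bluetooth" should read "we recommend that users opt out of using Bluetooth" (the verb form is "opt out", unhyphenated). The User Control bullet in the same hunk also says "in the usual way" twice in consecutive sentences; since this patch already touches those lines for wrapping, the second occurrence can go: "This can be done via the Bluetooth toggle, either through the GUI settings application or command line commands."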
@@ -320,15 +331,25 @@ See: ### Understanding Bluetooth Terms -- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way. +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. + When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, + configured, or interacted with in any way. -- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules. +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on + Debian systems, Bluetooth is 'on' when the system boots up. It actively searches + for known devices to auto-connect and may be discoverable or visible under certain + conditions. Our default ensures that Bluetooth is off on startup. However, it + remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol + and has the necessary modules. ### Quick Toggle Guide -- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second. +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings + application or on the tray, and switch the toggle. It's a straightforward action + that can be completed in less than a second. -- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position. 
+- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch + the toggle to the off position. ## Entropy collection improvements From d8bcec881f66604e29d6e0c1426635e2ad4979f1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:33:32 +1000 Subject: [PATCH 03/13] Add some notices for future Debian 13 rebase --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b526ee7..b813b48 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -172,6 +172,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 0b46477..1194489 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -130,10 +130,12 @@ kernel.randomize_va_space=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. -## This is disabled by default when using Linux kernel >= 6.2. ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## +## TODO: Debian 13 Trixie +## This is disabled by default when using Linux kernel >= 6.2. +## dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. 
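Review bot: the new `## TODO: Debian 13 Trixie` line above the commented-out `ia32_emulation=0` entry does not say what the TODO is. The surrounding comment already states the parameter applies to Linux kernel >= 6.7 and is "retained here for future-proofing and completeness", so spell out the intended action so the marker can be resolved without consulting this commit, e.g. `## TODO: Debian 13 Trixie - kernel >= 6.7 becomes the baseline; decide whether to enable this by default and drop the future-proofing note.` The same bare marker is added in the other hunks of this patch; a consistent, explicit wording across them keeps a later grep for "TODO" actionable.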
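Review bot: in the `990-security-misc.conf` hunk, moving `## This is disabled by default when using Linux kernel >= 6.2.` underneath the `## TODO: Debian 13 Trixie` marker reads as if `dev.tty.legacy_tiocsti=0` is slated for removal once the rebase lands. The explicit sysctl is still worth keeping afterwards, because it pins the value even if a later kernel or distribution build changes the default, so the TODO should state the intended action (for instance "once the kernel is >= 6.2 this only reaffirms the default; keep it as defense in depth") rather than leave a marker that invites deletion of the setting.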
@@ -146,6 +148,7 @@ dev.tty.legacy_tiocsti=0 ## https://github.com/moby/moby/pull/46762 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## kernel.io_uring_disabled=2 From 077bc48a26d1d3f5d1f758d7e251edccba64742b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:35:33 +1000 Subject: [PATCH 04/13] Add reference on `rp_filter` --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 1194489..800e626 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,6 +275,7 @@ net.ipv4.tcp_rfc1337=1 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## From 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:36:47 +1000 Subject: [PATCH 05/13] Add reference on RDRAND --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b813b48..8a90108 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
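Review bot: same bare `## TODO: Debian 13 Trixie` marker as in the other hunks of this patch, here above `kernel.io_uring_disabled=2`. Since the setting is already active rather than commented out, and the next line says it is applicable to kernel >= 6.6 and "retained here for future-proofing and completeness", the only post-rebase action appears to be dropping that caveat; say so in the marker (e.g. `## TODO: Debian 13 Trixie - remove the >= 6.6 caveat once the baseline kernel is newer.`) so the three TODOs in this patch each name their resolution.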
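Review bot: the reference added to the `rp_filter` comment block points at the Red Hat Enterprise Linux 6 security guide (the "/6/" in the URL), which documents the setting for a kernel generation far older than the >= 6.x kernels the rest of this file discusses, and the URL itself is roughly twice the width of every other line in the block. A more durable citation would be the kernel's own `Documentation/networking/ip-sysctl.rst`, which defines the 0/1/2 values of `rp_filter`, with a vendor page only as a secondary link if one is wanted.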
@@ -221,6 +221,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ +## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html From 3456f1c1d7725846ec201c28dd693bf9b07bab89 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:39:25 +1000 Subject: [PATCH 06/13] Minor consistency update in README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 500833c..df451f4 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,8 @@ space, user space, core dumps, and swap space. enables programs to inspect and modify other active processes. Provide the option to entirely disable the use of `ptrace()` for all processes. +- Maximize the bits of entropy used for mmap ASLR across all architectures. + - Prevent hardlink and symlink TOCTOU races in world-writable directories. - Disallow unintentional writes to files in world-writable directories unless @@ -146,6 +148,8 @@ configuration file. - Provide the option to modify machine check exception handler. +- Disallow sensitive kernel information leaks in the console during boot. + - Enable the kernel Electric-Fence sampling-based memory safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. @@ -169,9 +173,6 @@ configuration file. - Provide the option to disable the entire IPv6 stack to reduce attack surface. -Disallow sensitive kernel information leaks in the console during boot. See -the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. - ### Kernel Modules #### Kernel Module Signature Verification 
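Review bot: the last hunk of the `README.md` change removes the paragraph that pointed readers to `/etc/default/grub.d/41_quiet_boot.cfg`, while the replacement bullet added in the second hunk ("Disallow sensitive kernel information leaks in the console during boot.") drops that file reference, so the README no longer says where this measure is configured. Keep the pointer in the new bullet, e.g. "Disallow sensitive kernel information leaks in the console during boot (see `/etc/default/grub.d/41_quiet_boot.cfg`)."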
From f8fa89b245d929aee9884937fdcf44a6551df4cf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 14:21:59 +1000 Subject: [PATCH 07/13] Add details on `tcp_timestamps` --- usr/lib/sysctl.d/990-security-misc.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 800e626..481f463 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -347,9 +347,14 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. +## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers. +## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. +## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## +## https://datatracker.ietf.org/doc/html/rfc1323 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf ## net.ipv4.tcp_timestamps=0 From 73db68dbf9a1f9ded95a593db36a4960ce06a173 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 14:27:30 +1000 Subject: [PATCH 08/13] Add details on KFENCE --- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 8a90108..aa55e94 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
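Review bot: the explanation added to the `tcp_timestamps` comment block misstates the mechanism. Sequence numbers on a very fast link wrap whether or not timestamps are enabled; what the timestamp option adds (PAWS, in the cited RFC 1323) is a way for the receiver to reject old duplicate segments left over from a previous wrap. So "Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap" should say something like "On very fast links sequence numbers wrap quickly; without timestamps (PAWS) the receiver cannot reliably tell old duplicates from new data", and the sentence "Segments with wrapped numbers will be incorrectly discarded" should be checked against the cited sources, since the documented risk without PAWS is accepting stale segments rather than discarding valid ones. Two smaller points: "Timestamps allows" should be "Timestamps allow", and RFC 1323 has been obsoleted by RFC 7323, which is the better link.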
@@ -127,10 +127,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. ## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. -## Aims to have very low processing overhead at each sampling interval +## Aims to have very low processing overhead at each sampling interval. ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. ## ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## https://google.github.io/kernel-sanitizers/KFENCE.html +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 +## https://lwn.net/Articles/835542/ ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" From e3a3207a4447568a17129afe9dde34debc465e21 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 12:41:36 +1000 Subject: [PATCH 09/13] Clarify DMA hardening --- README.md | 7 +++++-- etc/default/grub.d/40_kernel_hardening.cfg | 12 +++++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b1c0a89..e8e3083 100644 --- a/README.md +++ b/README.md @@ -161,8 +161,11 @@ configuration file. - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). -- Enable strict IOMMU translation to protect against DMA attacks and disable - the busmaster bit on all PCI bridges during the early boot process. +- Enable strict IOMMU translation to protect against some DMA attacks via the use + of both CPU manufacturer-specific drivers and kernel settings. + +- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables + DMA before the IOMMU is configured. May cause boot failure on certain hardware. - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. 
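Review bot: the KFENCE comment block should say that `kfence.sample_interval` only takes effect on a kernel built with `CONFIG_KFENCE`, which the cited kernel.org document covers; on a kernel without it the parameter is ignored, so the "Enable the kernel ... detector" wording in the first line overstates what this cfg file can do on its own. A one-line "Requires CONFIG_KFENCE in the running kernel." next to the sampling-interval line would set expectations correctly. The added references and the full stop on the overhead line are fine.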
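Review bot: in the `README.md` hunk, the new busmaster bullet says "during the EFI hand-off", which is accurate for the `efi=disable_early_pci_dma` parameter but also means the measure does nothing on a legacy BIOS boot; worth stating so readers do not count it as protection on non-EFI machines. Splitting the old bullet into two is an improvement; the first bullet could name the settings it summarizes (`iommu.strict=1`, `amd_iommu=force_isolation`, `intel_iommu=on`) so the README lines up with `40_kernel_hardening.cfg`.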
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aa55e94..b6cc9df 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -184,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks -## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. +## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" -## Enable and force use of IOMMU translation to protect against DMA attacks. +## Enable and force use of IOMMU translation to protect against some DMA attacks. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. ## Ensures devices will never be able to access stale data contents. ## @@ -201,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" -## Disable the busmaster bit on all PCI bridges during the early boot process. -## Patches weak points in some existing IOMMU implementations. -## May lead to issues such as complete system boot failure on certain devices. +## Clear the busmaster bit on all PCI bridges during the EFI hand-off. +## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. +## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. +## Assumes that the motherboard chipset and firmware are not malicious. +## May cause complete boot failure on certain hardware with incompatible firmware. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://mjg59.dreamwidth.org/54433.html 
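Review bot: in the second `40_kernel_hardening.cfg` hunk, "Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA" is inaccurate: the Bus Master Enable bit lives in the device's PCI command register and is written by the host (the kernel driver that binds the device, via a config-space write), not by the device itself, so a device cannot re-enable its own bus mastering. Suggest: "Devices cannot perform DMA again until a kernel driver re-enables bus mastering for them, by which point the IOMMU has been configured." The added line "Assumes that the motherboard chipset and firmware are not malicious." is a useful caveat to keep.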
From 9212a4e93754a4505be3fcf0ff4b029c073d2f07 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:12:07 +1000 Subject: [PATCH 10/13] Typos --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e8e3083..5d81c69 100644 --- a/README.md +++ b/README.md @@ -145,9 +145,9 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify machine check exception handler. +- Provide the option to modify the machine check exception handler. -- Disallow sensitive kernel information leaks in the console during boot. +- Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b72fa90..a245693 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -349,7 +349,7 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. -## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers. +## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. ## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. ## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## From a13298002350a39491a509d15633edb95a2e3edd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:24:25 +1000 Subject: [PATCH 11/13] Update README.md --- README.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) 
diff --git a/README.md b/README.md index 5d81c69..81f3ca7 100644 --- a/README.md +++ b/README.md @@ -42,19 +42,19 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Provide the option to reboot immediately - on a kernel panic. + certain kernel exploitation attempts. Optional - Force immediate reboot on the + occurrence of a kernel panic. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -- Disable asynchronous I/O as `io_uring` has been the source - of numerous kernel exploits (when using Linux kernel version >= 6.6). +- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been + the source of numerous kernel exploits. - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the - option to entirely disable the use of `ptrace()` for all processes. + enables programs to inspect and modify other active processes. Optional - Disable + usage of `ptrace()` by all processes. - Maximize the bits of entropy used for mmap ASLR across all architectures. 
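Review bot: "Optional - Force immediate reboot on the occurrence of a kernel panic." folds a separate setting into the same bullet as the panic-on-oops one and introduces a new "Optional - " marker style with a spaced hyphen. The README's other labelled items use a bold label followed by a colon (e.g. "**Default Behavior**:" in the Bluetooth section), so "**Optional**:" or a trailing "(optional)" would be more consistent, and giving the reboot option its own bullet keeps one setting per bullet as elsewhere in this list. The same marker is used throughout the remaining hunks of this patch, so whichever form is chosen should be applied to all of them.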
@@ -91,15 +91,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. -- Provide the option to disable SACK and DSACK as they have historically been - a known vector for exploitation. +- Optional - Disable SACK and DSACK as they have historically been a known + vector for exploitation. - Disable TCP timestamps as they can allow detecting the system time. -- Provide the option to log packets with impossible source or destination - addresses to enable further inspection and analysis. +- Optional - Log packets with impossible source or destination addresses to + enable further inspection and analysis. -- Provide the option to enable IPv6 Privacy Extensions. +- Optional - Enable IPv6 Privacy Extensions. ### mmap ASLR @@ -145,7 +145,7 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify the machine check exception handler. +- Optional - Modify the machine check exception handler. - Prevent sensitive kernel information leaks in the console during boot. 
@@ -154,12 +154,12 @@ configuration file. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Provide the option to use kCFI as the default CFI implementation since it may be - slightly more resilient to attacks that are able to write arbitrary executables - in memory (when using Linux kernel version >= 6.2). +- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) + since it may be slightly more resilient to attacks that are able to write + arbitrary executables in memory. -- Provide the option to disable support for all x86 processes and syscalls to reduce - attack surface (when using Linux kernel version >= 6.7). +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. @@ -173,7 +173,7 @@ configuration file. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. -- Provide the option to disable the entire IPv6 stack to reduce attack surface. +- Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules From 84376d23fc17d2ced890ffca0b05d15907d42a6f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:39:11 +1000 Subject: [PATCH 12/13] Add details on ASLR and move to user space section --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 81f3ca7..1d869a1 100644 --- a/README.md +++ b/README.md 
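Review bot: "Disable support for all x86 processes and syscalls" is misleading: the parameter this bullet summarizes, `ia32_emulation=0` in `40_kernel_hardening.cfg`, disables 32-bit (IA-32) compatibility on x86-64, not x86 processes in general. Reword as "Disable support for 32-bit x86 (IA-32) processes and syscalls". Also, the new line "- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)" is noticeably longer than the other reflowed lines in this patch, which defeats the line-length consistency being introduced here.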
@@ -45,8 +45,6 @@ space, user space, core dumps, and swap space. certain kernel exploitation attempts. Optional - Force immediate reboot on the occurrence of a kernel panic. -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been @@ -63,6 +61,8 @@ space, user space, core dumps, and swap space. - Disallow unintentional writes to files in world-writable directories unless they are owned by the directory owner to mitigate some data spoofing attacks. +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. + - Increase the maximum number of memory map areas a process is able to utilize. - Disable core dump files and prevent their creation. If core dump files are diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a245693..39aa63c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -120,13 +120,6 @@ kernel.perf_event_paranoid=3 #kernel.panic_on_oops=1 #kernel.panic=-1 -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -kernel.randomize_va_space=2 - ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. 
@@ -205,6 +198,15 @@ fs.protected_symlinks=1 fs.protected_fifos=2 fs.protected_regular=2 +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Forces shared libraries to be loaded to random addresses +## Start location of PIE-linked binaries is randomized. +## Heap randomization can lead to breakages with legacy applications. +## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + ## Increase the maximum number of memory map areas a process is permitted to utilize. ## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. From cea8e753786d100ebe961ad74a99925e54d47771 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 14:55:22 +1000 Subject: [PATCH 13/13] Consistent formating --- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 3 +-- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index b61a762..0400ad1 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -10,9 +10,8 @@ ## Instead, ram-wipe will config-package-dev 'hide' this file. ## Disables kexec, which can be used to replace the running kernel. -## Kexec is useful for live kernel patching without rebooting. +## Useful for live kernel patching without rebooting. ## -## For more information, see: ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 0d5e4aa..f8baa3f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
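Review bot: in the moved `kernel.randomize_va_space=2` block, `## Forces shared libraries to be loaded to random addresses` is missing its full stop, and the two new descriptive lines cover what value 1 already provides (mmap-based randomization of shared libraries and PIE binaries). The comment should say what `2` adds over `1`, namely heap (brk) base randomization, which is exactly what the following "Heap randomization can lead to breakages with legacy applications." line warns about. Suggest: "Value 2 additionally randomizes the heap (brk) base; this can break some legacy applications."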
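Review bot: in the `30_security-misc_kexec-disable.conf` hunk, dropping "Kexec is" leaves `## Useful for live kernel patching without rebooting.` attached to the preceding sentence "Disables kexec, which can be used to replace the running kernel.", so it now reads as though disabling kexec is what is useful for live patching. Keep the subject, e.g. "kexec is also used for live kernel patching without rebooting, which this setting prevents.", or fold it into the first line: "Disables kexec, which can be used to replace the running kernel (and is also used for live kernel patching without rebooting)."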
@@ -2,10 +2,9 @@ ## See the file COPYING for copying conditions. ## Prevent kernel information leaks in the console during boot. -## Must be used in combination with the kernel boot parameters. +## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -## For more information, refer to: ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## kernel.printk=3 3 3 3