spelling

README.md

@@ -16,10 +16,10 @@ configuration file.
 Significant hardening is applied by default to a myriad of components within kernel
 space, user space, core dumps, and swap space.
 
--   Restrict access to kernel addresses through the us of kernel pointers regardless
+- Restrict access to kernel addresses through the use of kernel pointers regardless
   of user privileges.
 
--   Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
+- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
   sensitive information.
 
 - Prevent kernel information leaks in the console during boot.
@@ -28,33 +28,33 @@ space, user space, core dumps, and swap space.
 
 - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
 
--   Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
+- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
   likelihood of use-after-free exploits.
 
 - Disable `kexec` as it can be used to replace the running kernel.
 
--   Entirely disables the SysRq key so that the Secure Attention Key (SAK)
-    can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
+- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
+  can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
 - Provide the option to disable unprivileged user namespaces as they can lead to
   substantial privilege escalation.
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
--   Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
 
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
   enables programs to inspect and modify other active processes. Provide the
-    option to also entirely disable the use of `ptrace()` for all processes.
+  option to entirely disable the use of `ptrace()` for all processes.
 
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
 
 - Disallow unintentional writes to files in world-writable directories unless
   they are owned by the directory owner to mitigate some data spoofing attacks.
 
--   Increase the maximum number of memory map areas a process is able to utilise.
+- Increase the maximum number of memory map areas a process is able to utilize.
 
 - Disable core dump files and prevent their creation. If core dump files are
   enabled, they will be named based on `core.PID` instead of the default `core`.
@@ -67,17 +67,17 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 
 - Protect against TCP time-wait assassination hazards.
 
--   Enables reverse path filtering (source validation) of packets received
+- Enable reverse path filtering (source validation) of packets received
   from all interfaces to prevent IP spoofing.
 
 - Disable ICMP redirect acceptance and redirect sending messages to
-    prevent man-in-the-middle attacks and minimise information disclosure.
+  prevent man-in-the-middle attacks and minimize information disclosure.
 
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
 - Ignore bogus ICMP error responses.
 
--   Disable source routing which allows users redirect network traffic that
+- Disable source routing which allows users to redirect network traffic that
   can result in man-in-the-middle attacks.
 
 - Do not accept IPv6 router advertisements and solicitations.
@@ -85,9 +85,9 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 - Provide the option to disable SACK and DSACK as they have historically been
   a known vector for exploitation.
 
--   Disable TCP timestamps as it can allow detecting the system time.
+- Disable TCP timestamps as they can allow detecting the system time.
 
--   Provide the option to log of packets with impossible source or destination
+- Provide the option to log packets with impossible source or destination
   addresses to enable further inspection and analysis.
 
 - Provide the option to enable IPv6 Privacy Extensions.
@@ -109,19 +109,19 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
 configuration file.
 
--   Disable merging of slabs with similar size which reduces the risk of
+- Disable merging of slabs with similar size, which reduces the risk of
   triggering heap overflows and limits influencing slab cache layout.
 
--   Enable memory zeroing at both allocation and free time which mitigate some
+- Enable memory zeroing at both allocation and free time, which mitigates some
   use-after-free vulnerabilities by erasing sensitive information in memory.
 
--   Enable the kernel page allocator to randomise free lists to limit some data
-    exfiltration and ROP attacks especially during the early boot process.
+- Enable the kernel page allocator to randomize free lists to limit some data
+  exfiltration and ROP attacks, especially during the early boot process.
 
--   Enable kernel page table isolation increase KASLR effectiveness and also
+- Enable kernel page table isolation to increase KASLR effectiveness and also
   mitigate the Meltdown CPU vulnerability.
 
--   Enables randomisation of the kernel stack offset on syscall entries to harden
+- Enable randomization of the kernel stack offset on syscall entries to harden
   against memory corruption attacks.
 
 - Disable vsyscalls as they are vulnerable to ROP attacks and have now been
@@ -142,10 +142,10 @@ configuration file.
   the busmaster bit on all PCI bridges during the early boot process.
 
 - Do not credit the CPU or bootloader as entropy sources at boot in order to
-    maximise the absolute quantity of entropy in the combined pool.
+  maximize the absolute quantity of entropy in the combined pool.
 
 - Obtain more entropy at boot from RAM as the runtime memory allocator is
-    being initialised.
+  being initialized.
 
 - Provide option to disable the entire IPv6 stack to reduce attack surface.
 
@@ -156,7 +156,7 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
 
 #### Kernel Module Signature Verification
 
-Not yet due to issues:
+Not yet implemented due to issues:
 
 - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
 - https://github.com/dell/dkms/issues/359
@@ -167,7 +167,7 @@ See:
 
 #### Disables the loading of new modules to the kernel after the fact
 
-Not yet due to issues:
+Not yet implemented due to issues:
 
 - https://github.com/Kicksecure/security-misc/pull/152
 
@@ -191,13 +191,13 @@ modules from automatically starting.
 - Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
   kernel panics, and are generally only used by legacy devices.
 
--   Miscellaneous: Blacklist an assortment other modules to prevent them from
+- Miscellaneous: Blacklist an assortment of other modules to prevent them from
   automatically loading.
 
 Specific kernel modules are entirely disabled to reduce attack surface via
 `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
-modules from starting. This approach should not be considered comprehensive,
-rather it is a form of badness enumeration. Any potential candidates for future
+modules from starting. This approach should not be considered comprehensive;
+rather, it is a form of badness enumeration. Any potential candidates for future
 disabling should first be blacklisted for a suitable amount of time.
 
 - File Systems: Disable uncommon and legacy file systems.
@@ -215,9 +215,9 @@ disabling should first be blacklisted for a suitable amount of time.
 
 - Network File Systems: Disable uncommon and legacy network file systems.
 
--   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
+- Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
 
--   Miscellaneous: Disable an assortment other modules such as those required
+- Miscellaneous: Disable an assortment of other modules such as those required
   for amateur radio, floppy disks, and vivid.
 
 - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
@@ -246,24 +246,24 @@ disabling should first be blacklisted for a suitable amount of time.
 - An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
   `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
   early as possible. This is implemented for `initramfs-tools` only because
-    this is not needed for `dracut` because `dracut` does that by default, at
+  this is not needed for `dracut` as `dracut` does that by default, at
   least on `systemd` enabled systems. Not researched for non-`systemd` systems
   by the author of this part of the readme.
 
 ## Network hardening
 
-Not yet due to issues:
+Not yet implemented due to issues:
 
 - https://github.com/Kicksecure/security-misc/pull/145
 
 - https://github.com/Kicksecure/security-misc/issues/184
 
 - Unlike version 4, IPv6 addresses can provide information not only about the
-    originating network, but also the originating device. We prevent this from
+  originating network but also the originating device. We prevent this from
   happening by enabling the respective privacy extensions for IPv6.
 
 - In addition, we deny the capability to track the originating device in the
-    network at all, by using randomized MAC addresses per connection per
+  network at all, by using randomized MAC addresses per connection by
   default.
 
 See:
@@ -320,7 +320,7 @@ A systemd service is triggered on boot to remount all sensitive partitions and
 directories with significantly more secure hardened mount options. Since this
 would require manual tuning for a given specific system, we handle it by
 creating a very solid configuration file for that very system on package
-install.
+installation.
 
 Not enabled by default yet. In development. Help welcome.
 
@@ -342,15 +342,15 @@ Not enabled by default yet. In development. Help welcome.
 - Abort login for users with locked passwords -
   `/usr/libexec/security-misc/pam-abort-on-locked-password`.
 
--   Logging into the root account from a virtual, serial, whatnot console is
+- Logging into the root account from a virtual, serial, or other console is
   prevented by shipping an existing and empty `/etc/securetty` file (deletion
   of `/etc/securetty` has a different effect).
 
 This package does not yet automatically lock the root account password. It is
-not clear if this would be sane in such a package although, it is recommended to
+not clear if this would be sane in such a package, although it is recommended to
 lock and expire the root account.
 
-In new Kicksecure builds, root account will be locked by package
+In new Kicksecure builds, the root account will be locked by package
 dist-base-files.
 
 See: