spelling

usr/lib/sysctl.d/990-security-misc.conf

@@ -2,18 +2,18 @@
 ## See the file COPYING for copying conditions.
 
 ## NOTE:
-## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is
+## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf
-## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf.
+## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf.
 ## https://github.com/Kicksecure/security-misc/pull/135
 
-## This configuration file is split into 5 sections:
+## This configuration file is divided into 5 sections:
 ## 1. Kernel Space
 ## 2. User Space
 ## 3. Core Dumps
 ## 4. Swap Space
 ## 5. Networking
 
-## See the documentation below for details on the majority of the selected commands.
+## For detailed explanations of most of the selected commands, refer to:
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@@ -25,20 +25,20 @@
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 ## https://wiki.archlinux.org/title/Security#Kernel_hardening
 
-## Restrict kernel addresses via /proc and other interfaces regardless of user privileges.
+## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
 ## Kernel pointers expose specific locations in kernel memory.
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 ##
 kernel.kptr_restrict=2
 
-## Restrict access to the kernel log buffer to CAP_SYSLOG.
+## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
 ## Kernel logs often contain sensitive information such as kernel pointers.
 ##
 kernel.dmesg_restrict=1
 
 ## Prevent kernel information leaks in the console during boot.
-## Must be used in combination with the kernel boot parameters.
+## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
 ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
@@ -54,23 +54,23 @@ kernel.dmesg_restrict=1
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 
-## Restrict loading TTY line disciplines to CAP_SYS_MODULE.
+## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
-## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl.
+## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
 ##
 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
 ## https://lkml.org/lkml/2019/4/15/890
 ##
 dev.tty.ldisc_autoload=0
 
-## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE.
+## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
-## Reduces likelihood of use-after-free exploits from heap sprays.
+## Reduces the likelihood of use-after-free exploits from heap sprays.
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
 ## https://duasynt.com/blog/linux-kernel-heap-spray
 ##
 vm.unprivileged_userfaultfd=0
 
-## Disables kexec which can be used to replace the running kernel.
+## Disables kexec, which can be used to replace the running kernel.
 ## Useful for live kernel patching without rebooting.
 ##
 ## https://en.wikipedia.org/wiki/Kexec
@@ -80,7 +80,7 @@ vm.unprivileged_userfaultfd=0
 #kernel.kexec_load_disabled=1
 
 ## Disable the SysRq key to prevent leakage of kernel information.
-## The Secure Attention Key (SAK) can no longer be utilised.
+## The Secure Attention Key (SAK) can no longer be utilized.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
 ## https://www.kicksecure.com/wiki/SysRq
@@ -88,10 +88,10 @@ vm.unprivileged_userfaultfd=0
 ##
 kernel.sysrq=0
 
-## Restrict user namespaces to CAP_SYS_ADMIN.
+## Restrict user namespaces to users with CAP_SYS_ADMIN.
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
-## Restricting is well-known to cause breakages across numerous software.
+## Restricting is known to cause breakages across numerous software packages.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
@@ -100,7 +100,7 @@ kernel.sysrq=0
 ##
 #kernel.unprivileged_userns_clone=0
 
-## Restricts kernel profiling to CAP_PERFMON.
+## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
 ## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
@@ -110,7 +110,7 @@ kernel.sysrq=0
 kernel.perf_event_paranoid=3
 
 ## Enable ASLR for mmap base, stack, VDSO pages, and heap.
-## Heap randomisation can lead to breakages with legacy applications.
+## Heap randomization can lead to breakages with legacy applications.
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
@@ -124,7 +124,7 @@ kernel.randomize_va_space=2
 ##
 kernel.io_uring_disabled=2
 
-## 2.User Space:
+## 2. User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 
@@ -143,8 +143,8 @@ kernel.io_uring_disabled=2
 ##
 kernel.yama.ptrace_scope=2
 
-## Maximise bits of entropy for improved effectiveness of mmap ASLR.
+## Maximize bits of entropy for improved effectiveness of mmap ASLR.
-## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86).
+## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
 ## Both explicit sysctl are made redundant due to automation.
 ## Do NOT enable either sysctl - displaying only for clarity.
 ##
@@ -156,9 +156,9 @@ kernel.yama.ptrace_scope=2
 #vm.mmap_rnd_compat_bits=16
 
 ## Prevent hardlink creation by users who do not have read/write/ownership of source file.
-## Only allow symlinks to be followed when outside of a world-writable sticky directories.
+## Only allow symlinks to be followed when outside of world-writable sticky directories.
 ## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
-## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user.
+## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user.
 ## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
 ##
 ## https://wiki.archlinux.org/title/Security#File_systems
@@ -169,16 +169,16 @@ fs.protected_hardlinks=1
 fs.protected_symlinks=1
 
 ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
-## Also applies to group writable sticky directories to make data spoofing attacks more difficult.
+## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
 fs.protected_fifos=2
 fs.protected_regular=2
 
-## Increase the maximum number of memory map areas a process is permitted to utilise.
+## Increase the maximum number of memory map areas a process is permitted to utilize.
-## Addresses performance, crash, and start-up issues for some memory intensive applications.
+## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.
-## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead.
+## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead.
 ##
 ## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
 ## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
@@ -192,7 +192,7 @@ vm.max_map_count=1048576
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
 
 ## Disable core dump files by preventing any pattern names.
-## This setting may be overwritten by systemd is is not comprehensive.
+## This setting may be overwritten by systemd and is not comprehensive.
 ## Core dumps are also disabled in security-misc via other means.
 ##
 ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
@@ -204,7 +204,7 @@ kernel.core_pattern=|/bin/false
 ##
 fs.suid_dumpable=0
 
-## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth.
+## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
 ## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
 ##
 kernel.core_uses_pid=1
@@ -214,8 +214,8 @@ kernel.core_uses_pid=1
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
 
 ## Limit the copying of memory to the swap device only if absolutely necessary.
-## Minimises the likelihood of writing potentially sensitive contents to disk.
+## Minimizes the likelihood of writing potentially sensitive contents to disk.
-## Not reccommmeded to set to zero since this disables periodic write behavior.
+## Not recommended to set to zero since this disables periodic write behavior.
 ##
 ## https://en.wikipedia.org/wiki/Memory_paging#Linux
 ## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
@@ -242,7 +242,7 @@ net.ipv4.tcp_syncookies=1
 net.ipv4.tcp_rfc1337=1
 
 ## Enable reverse path filtering (source validation) of packets received from all interfaces.
-## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
+## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
@@ -252,7 +252,7 @@ net.ipv4.conf.all.rp_filter=1
 net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
-## Prevents man-in-the-middle attacks and minimises information disclosure.
+## Prevents man-in-the-middle attacks and minimizes information disclosure.
 ##
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ##
@@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1
 ##
 net.ipv4.icmp_ignore_bogus_error_responses=1
 
-## Disable source routing which allows users redirect network traffic.
+## Disable source routing which allows users to redirect network traffic.
 ## Prevents man-in-the-middle attacks in which the traffic is redirected.
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
@@ -323,10 +323,10 @@ net.ipv6.conf.default.accept_ra=0
 net.ipv4.tcp_timestamps=0
 
 ## Enable logging of packets with impossible source or destination addresses.
-## Martian and unroutable packets may be used for dangerous purposes.
+## Martian and unroutable packets may be used for malicious purposes.
-## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
+## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
-## Good for troubleshooting and diagnostics but not necessary by default.
+## Useful for troubleshooting and diagnostics but not necessary by default.
-## Known for causing performance issues especially on systems with multiple interfaces.
+## Known to cause performance issues, especially on systems with multiple interfaces.
 ##
 ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
 ## https://github.com/Kicksecure/security-misc/issues/214
@@ -336,19 +336,19 @@ net.ipv4.tcp_timestamps=0
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1
 
-## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.
+## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
-## The temporary/privacy address is used as the source of all outgoing traffic.
+## The temporary/privacy address is used as the source for all outgoing traffic.
 ## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf.
 ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
-## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
+## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
 ##
-## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc4941
 ## https://github.com/Kicksecure/security-misc/pull/145
 ## https://github.com/Kicksecure/security-misc/issues/184
 ##
-## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
 #net.ipv6.conf.all.use_tempaddr=2
 #net.ipv6.conf.default.use_tempaddr=2