From d1119c38b6ad4193919d4b800de0a3cb014f92c1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:31:23 +1000 Subject: [PATCH] Apply changes from code review --- README.md | 10 ++++++---- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5d9b594..14d1a23 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict kernel addresses regardless of user privileges. +- Restrict access to kernel addresses through the us of kernel pointers regardless + of user privileges. - Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. @@ -33,7 +34,7 @@ space, user space, core dumps, and swap space. - Disable `kexec` as it can be used to replace the running kernel. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilised. + can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Provide option to disable unprivileged user namespaces as they can lead to privilege escalation. 
@@ -50,12 +51,13 @@ space, user space, core dumps, and swap space. - Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Disallow unintentional writes to attacker-controlled files. +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. - Increase the maximum number of memory map areas a process is able to utilise. - Disable core dump files and prevent their creation. If core dump files are - enabled, they will be nammed based on `core.PID` instead of the default `core`. + enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1316be..3c80e23 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -215,8 +215,10 @@ kernel.core_uses_pid=1 ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimises the likelihood of writing potentially sensitive contents to disk. +## Not reccommmeded to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1
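Review bot: the first README hunk (@@ -16,7 +16,8 @@) introduces a typo in the new bullet, "through the us of kernel pointers" should read "through the use of kernel pointers", and the rewritten sentence is still hard to parse; consider "Restrict exposure of kernel addresses via kernel pointers regardless of user privileges." While touching this block, the adjacent context line "as the often contain sensitive information" also needs "the" changed to "they".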
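Review bot: the third README hunk (@@ -50,12 +51,13 @@) makes the hardlink/symlink bullet more specific, but the new wording "files in world-writable directories unless they are owned by the directory owner" drops two conditions that matter for what this protection actually does: the restriction applies to world-writable directories that also have the sticky bit set, and only to files not already owned by the process doing the open. Suggest: "Disallow unintentional writes (O_CREAT opens) to regular files and FIFOs in world-writable sticky directories that are not owned by the opener, unless the file is owned by the directory owner, to mitigate some data spoofing attacks." The "nammed" to "named" fix in the same hunk is correct.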
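Review bot: in the sysctl hunk (@@ -215,8 +215,10 @@) the added comment has a misspelling, "Not reccommmeded" should be "Not recommended", and its justification is inaccurate: vm.swappiness controls how strongly the kernel prefers reclaiming anonymous (swappable) pages over file-backed page cache, not any "periodic write behavior" (periodic writeback of dirty pages is governed by the vm.dirty_* tunables). A value of 0 tells the kernel to avoid swapping anonymous memory until it is almost out of memory, which can lead to earlier OOM kills rather than disabling writes. Suggest rewording to something like "## Not recommended to set to zero as this makes the kernel avoid swapping anonymous memory even under heavy pressure, increasing the risk of OOM kills." The RHEL 6 Performance Tuning Guide link is also quite dated for this purpose; the kernel's own Documentation/admin-guide/sysctl/vm.rst is the better reference for the current meaning of the tunable.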