Merge pull request #113 from mudcam/sandbox/nieutin

Integration of Eli Mordechai's comments.

1 files changed, 15 insertions, 5 deletions

diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md
index 822c928..d7af446 100644
--- a/security-blueprint/part-4/2-Memory.md
+++ b/security-blueprint/part-4/2-Memory.md
@@ -44,6 +44,15 @@ Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`
 
 <!-- end-section-config -->
 
+<!-- section-note -->
+
+- Enabling swap at runtime require `CAP_SYS_ADMIN`.
+- Swap block device is usually under root:disk.
+- Linux never swaps kernel pages.
+- If swap disabling is not possible, swap encryption should be enabled.
+
+<!-- end-section-note -->
+
 --------------------------------------------------------------------------------
 
 <!-- pagebreak -->
@@ -79,10 +88,10 @@ Domain                | `Config` name              | `Value`
 --------------------- | -------------------------- | -------
 Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`
 
-Other defenses include things like shadow stacks.
-
 <!-- end-section-config -->
 
+Other defenses include things like shadow stacks.
+
 --------------------------------------------------------------------------------
 
 ## Disable access to /dev/mem
@@ -137,9 +146,10 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks.
 
 <!-- section-config -->
 
-Domain                          | `compiler` and `linker` options | `Value`
-------------------------------- | ------------------------------- | -------
-Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE`             | `2`
+Domain                          | `compiler` options and `config` name | `Value`
+------------------------------- | ------------------------------------ | -------
+Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE`                  | `2`
+Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE`              | `y`
 
 <!-- end-section-config -->