author | Sebastien Douheret <sebastien.douheret@iot.bzh> | 2017-12-08 17:40:04 +0100 |
---|---|---|
committer | Sebastien Douheret <sebastien.douheret@iot.bzh> | 2017-12-08 17:40:35 +0100 |
commit | df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726 (patch) | |
tree | ab9ab609538816b61789ace9e5ad280cd1727a83 /security-blueprint/part-4/5-FileSystems.md | |
parent | 981e9b9c4a40e248733d45cfedc6a512bdf95f5e (diff) |
Added templating for section-xxx tags.
Security Blueprint doc uses specific tags to display arrays
(see docs/security-blueprint/README.md)
Signed-off-by: Sebastien Douheret <sebastien.douheret@iot.bzh>
Diffstat (limited to 'security-blueprint/part-4/5-FileSystems.md')
-rw-r--r-- | security-blueprint/part-4/5-FileSystems.md | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/security-blueprint/part-4/5-FileSystems.md b/security-blueprint/part-4/5-FileSystems.md index e5ef733..78f2050 100644 --- a/security-blueprint/part-4/5-FileSystems.md +++ b/security-blueprint/part-4/5-FileSystems.md @@ -8,14 +8,14 @@ To reduce the attack surface, file system data is parsed by the kernel, so any l NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | --------------- | ------- Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n` Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -35,7 +35,7 @@ There are several security restrictions that can be set on a filesystem when it The following flags shall be used for mounting common filesystems: -<!-- config --> +<!-- section-config --> Domain | `Partition` | `Value` -------------------------- | ------------------- | ----------------------------------------------------------------- 
@@ -47,14 +47,14 @@ Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `no Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`. Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`. -<!-- endconfig --> <!-- note --> +<!-- end-section-config --> <!-- section-note --> If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup. -<!-- endnote --> <!-- config --> +<!-- end-section-note --> <!-- section-config --> Domain | `Config` name | _State_ or `Value` -------------------------- | ----------------------- | ----------------------------------------------------------------------- Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup. -<!-- endconfig --> +<!-- end-section-config --> |
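Review bot: the old `<!-- config -->` / `<!-- endconfig -->` markers removed in the first hunk (@@ -8,14 +8,14 @@) get no fallback, and the diffstat shown is limited to this one file, so it is not visible whether other pages still use the old names. If the templating only recognises the `section-` names, any page left on the old markers would silently lose the array rendering of its requirement tables (here the `CONFIG_NFSD` / `CONFIG_NFS_FS` rows). Suggest a search for the old tag names across the docs before merging, or a note in the commit message saying that all files were converted.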
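Review bot: in the third hunk (@@ -47,14 +47,14 @@) the added lines `<!-- end-section-config --> <!-- section-note -->` and `<!-- end-section-note --> <!-- section-config -->` each carry a closing and an opening tag on the same line. If the tag handling referenced in docs/security-blueprint/README.md expects one tag per line, the second tag would be missed and the `CONFIG_DEVTMPFS_MOUNT` note or the table after it would not render, which matters because that note is the only place stating that the kernel-mounted /dev does not get `nosuid` and `noexec`. Suggest putting each tag on its own line. Also, the last table's row uses the ID `Kernel-FileSystems-Mount-1`, the same `Kernel-FileSystems-Mount-N` series as the partition table above it (Mount-5 to Mount-7 are visible), so a distinct ID for the config requirement would keep references unambiguous.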