From 85a71f067a06fcfcc059fcacd5f63af4c4cc62fe Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Mon, 27 Dec 2021 21:17:06 -0500
Subject: [PATCH] more info

---
 collections/_evergreen/linux-desktop.html | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/collections/_evergreen/linux-desktop.html b/collections/_evergreen/linux-desktop.html
index 5edce888b7..c62b776dd2 100644
--- a/collections/_evergreen/linux-desktop.html
+++ b/collections/_evergreen/linux-desktop.html
@@ -170,6 +170,14 @@ <h5>Linux-Hardened</h5>
 <h5>Hardened memory allocator</h5>
 <p>The <a href="https://github.com/GrapheneOS/hardened_malloc">hardened memory allocator</a> from <a href="https://grapheneos.org/">GrapheneOS</a> can be used on Linux distributions. It is available by default on Whonix and is available as an <a href="https://wiki.archlinux.org/title/Security#Hardened_malloc">AUR package</a> on Arch based distributions. If you are using the AUR package, consider setting up <code>LD_PRELOAD</code> as described in the <a href="https://wiki.archlinux.org/title/Security#Hardened_malloc">Arch Wiki</a>.</p>
 
+<h5>Umask</h5>
+<p>Consider changing the default UMASK for both regular users and root to 077.</p>
+
+<h5>Mountpoint hardening</h5>
+Consider adding <code>nodev</code>, <code>noexec</code>, <code>nosuid</code> to mountpoints which do not need them. Typically, these could be applied to <code>/boot</code>, <code>/boot/efi</code>, <code>/home</code>, <code>/root</code>, <code>/var</code>.
+If you use <a href="https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/">Toolbox</a>, <code>/var/log/journal</code> must not have any of those options.
+If you are on Arch Linux, do not apply <code>noexec</code> to <code>/var/tmp</code>.
+
 <h5>USBGuard</h5>
 <p>Consider following the <a href="https://wiki.archlinux.org/title/USBGuard">Arch Wiki</a> to set up USBGuard.</p>