ramlog: harden the zram mounting #6487
Conversation
This is to improve the score of /var/log for FILE-6374 in Lynis audit.
Looks good! I appreciate security analysis and hardening 👍
yeah I consider that too... Both of them are missing but I'm...
oh yeah, the but for this, I'm not sure we can apply it to all users, in case there's some casual users are casually executing something from
Yes, sorry.
Yeah, it's out of scope with the PR title, but also kind of related in a way to the general PR, so why not discuss the others while we're at it :) (my opinion)
build/lib/functions/image/partitioning.sh Lines 248 to 319 in aee4c49
build/packages/bsp/common/usr/sbin/armbian-install Lines 230 to 471 in aee4c49
Also for
hmm I'm still unsure about /dev and /dev/shm, because most distros are not doing this by default AFAIK, only Alpine Linux does the /dev and /dev/shm securely. More readings:
so... unless if Armbian really hardcore on security, I think it's best to leave the
Thanks for checking this out!
Yeah. We should keep this in our mind for later though. But there are a lot more things that we should do first to improve Armbian's security 😅
Description
This is to improve the score of /var/log for FILE-6374 in Lynis audit.
before
after
Also, I saw that when using tmpfs, the mount options are already hardened.
build/packages/bsp/common/usr/lib/armbian/armbian-ramlog
Line 133 in aee4c49
So for consistency, why don't we do the same when using zram? 😉
How Has This Been Tested?
Run Lynis with the parameters below
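One way to check the mount options this PR and the /dev/shm discussion are about, as an added example that is not part of the PR or of Armbian's code: it parses /proc/mounts-format text and lists which hardening options a mount point lacks. The required set (nodev,nosuid,noexec), the function names and the sample lines (device names, filesystem type) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Armbian code. REQUIRED is an assumed hardening baseline.
REQUIRED="nodev,nosuid,noexec"

# missing_opts MOUNTS_FILE MOUNTPOINT REQUIRED_CSV   ("-" reads stdin)
# Prints the comma-separated options that are missing (empty if none).
# Returns 0 = all present, 1 = some missing, 2 = not a separate mount.
missing_opts() {
    awk -v mp="$2" -v req="$3" '
        # /proc/mounts fields: device mountpoint fstype options dump pass
        $2 == mp { opts = $4; found = 1 }  # a later line overmounts an earlier one
        END {
            if (!found) exit 2
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(req, want, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in set)) out = out (out == "" ? "" : ",") want[i]
            print out
            exit (out == "" ? 0 : 1)
        }' "$1"
}

# report MOUNTS_FILE MOUNTPOINT: one human-readable line per mount point
report() {
    rc=0
    miss=$(missing_opts "$1" "$2" "$REQUIRED") || rc=$?
    case $rc in
        0) echo "$2: OK ($REQUIRED present)" ;;
        1) echo "$2: missing $miss" ;;
        *) echo "$2: not a separate mount" ;;
    esac
}

# Constructed sample mount table; $1 is the option string of the /var/log line.
sample_mounts() {
    cat <<EOF
/dev/mmcblk0p1 / ext4 rw,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/zram1 /var/log ext4 $1 0 0
EOF
}

sample_mounts "rw,relatime,discard" | report - /var/log
sample_mounts "rw,nosuid,nodev,noexec,relatime,discard" | report - /var/log
sample_mounts "rw,relatime,discard" | report - /dev/shm
```

On a live system, `report /proc/mounts /var/log` runs the same check against the real mount table.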