about summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorSilvino <silvino@bk.ru>2019-06-09 02:19:01 +0100
committerSilvino <silvino@bk.ru>2019-06-09 02:19:01 +0100
commit44ee76746ec6f23f3e67602770e4a04ab8471e95 (patch)
tree683431688f592c1fb87b03e1e7d7e1e985fd2045
parentf905c797c8f2ec87a8aa641a44c49fc1d0a23ebe (diff)
downloaddoc-44ee76746ec6f23f3e67602770e4a04ab8471e95.tar.gz
core index re-ordering and tools storage revision
-rw-r--r--core/apparmor.html4
-rw-r--r--core/conf/sysctl.conf463
-rw-r--r--core/exim.html14
-rw-r--r--core/hardening.html48
-rw-r--r--core/index.html58
-rw-r--r--core/network.html41
-rw-r--r--core/package.html16
-rw-r--r--core/samhain.html8
-rw-r--r--core/sysctl.html481
-rw-r--r--core/toolchain.html4
-rw-r--r--core/tty-terminal.html4
-rw-r--r--tools/storage.html61
12 files changed, 190 insertions, 1012 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index 9954593..5c9b541 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.1. AppArmor</title>
+        <title>2.6.1. AppArmor</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.2.1. AppArmor</h1>
+        <h1>2.6.1. AppArmor</h1>
 
         <p>Check <a href="linux.html#configure">kernel configuration</a> or
         use the provided with <a href="reboot.html#linux">linux-gnu</a> port 
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index 4606791..771112a 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,51 +3,19 @@
 #
 
 kernel.printk = 7 1 1 4
+
 kernel.randomize_va_space = 2
+
 # Shared Memory
 #kernel.shmmax = 500000000
 # Total allocated file handlers that can be allocated
 # fs.file-nr=
 vm.mmap_min_addr=65536
+
 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
 kernel.pid_max = 65536
 
 #
-# Memory Protections
-#
-
-#  If you say Y here, all ioperm and iopl calls will return an error.
-#  Ioperm and iopl can be used to modify the running kernel.
-#  Unfortunately, some programs need this access to operate properly,
-#  the most notable of which are XFree86 and hwclock.  hwclock can be
-#  remedied by having RTC support in the kernel, so real-time 
-#  clock support is enabled if this option is enabled, to ensure 
-#  that hwclock operates correctly.
-#  
-#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-#  you may not be able to boot into a graphical environment with this
-#  option enabled.  In this case, you should use the RBAC system instead.
-kernel.grsecurity.disable_priv_io = 1
-
-#  If you say Y here, attempts to bruteforce exploits against forking
-#  daemons such as apache or sshd, as well as against suid/sgid binaries
-#  will be deterred.  When a child of a forking daemon is killed by PaX
-#  or crashes due to an illegal instruction or other suspicious signal,
-#  the parent process will be delayed 30 seconds upon every subsequent
-#  fork until the administrator is able to assess the situation and
-#  restart the daemon.
-#  In the suid/sgid case, the attempt is logged, the user has all their
-#  existing instances of the suid/sgid binary terminated and will
-#  be unable to execute any suid/sgid binaries for 15 minutes.
-#  
-#  It is recommended that you also enable signal logging in the auditing
-#  section so that logs are generated when a process triggers a suspicious
-#  signal.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "deter_bruteforce" is created.
-kernel.grsecurity.deter_bruteforce = 1
-
-#
 # Filesystem Protections
 #
 
@@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1
 # Increase system file descriptor limit
 fs.file-max = 65535
 
-#  If you say Y here, /tmp race exploits will be prevented, since users
-#  will no longer be able to follow symlinks owned by other users in
-#  world-writable +t directories (e.g. /tmp), unless the owner of the
-#  symlink is the owner of the directory. users will also not be
-#  able to hardlink to files they do not own.  If the sysctl option is
-#  enabled, a sysctl option with name "linking_restrictions" is created.
-kernel.grsecurity.linking_restrictions = 1
-
-
-#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-#  that prevents it from being used as a security feature.  As Apache
-#  verifies the symlink by performing a stat() against the target of
-#  the symlink before it is followed, an attacker can setup a symlink
-#  to point to a same-owned file, then replace the symlink with one
-#  that targets another user's file just after Apache "validates" the
-#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-#  will be in place for the group you specify. If the sysctl option
-#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-#  created.
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 15
-
-#  if you say Y here, users will not be able to write to FIFOs they don't
-#  own in world-writable +t directories (e.g. /tmp), unless the owner of
-#  the FIFO is the same owner of the directory it's held in.  If the sysctl
-#  option is enabled, a sysctl option with name "fifo_restrictions" is
-#  created.
-kernel.grsecurity.fifo_restrictions = 1
-
-#  If you say Y here, a sysctl option with name "romount_protect" will
-#  be created.  By setting this option to 1 at runtime, filesystems
-#  will be protected in the following ways:
-#  * No new writable mounts will be allowed
-#  * Existing read-only mounts won't be able to be remounted read/write
-#  * Write operations will be denied on all block devices
-#  This option acts independently of grsec_lock: once it is set to 1,
-#  it cannot be turned off.  Therefore, please be mindful of the resulting
-#  behavior if this option is enabled in an init script on a read-only
-#  filesystem.
-#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-#  and GRKERNSEC_IO should be enabled and module loading disabled via
-#  config or at runtime.
-#  This feature is mainly intended for secure embedded systems.
-#kernel.grsecurity.romount_protect = 1
-
-#  if you say Y here, the capabilities on all processes within a
-#  chroot jail will be lowered to stop module insertion, raw i/o,
-#  system and net admin tasks, rebooting the system, modifying immutable
-#  files, modifying IPC owned by another, and changing the system time.
-#  This is left an option because it can break some apps.  Disable this
-#  if your chrooted apps are having problems performing those kinds of
-#  tasks.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_caps" is created.
-kernel.grsecurity.chroot_caps = 1
-
-#kernel.grsecurity.chroot_deny_bad_rename = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chmod
-#  or fchmod files to make them have suid or sgid bits.  This protects
-#  against another published method of breaking a chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-#  created.
-kernel.grsecurity.chroot_deny_chmod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chroot
-#  again outside the chroot.  This is a widely used method of breaking
-#  out of a chroot jail and should not be allowed.  If the sysctl 
-#  option is enabled, a sysctl option with name 
-#  "chroot_deny_chroot" is created.
-kernel.grsecurity.chroot_deny_chroot = 1
-
-#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-#  to a file descriptor of the chrooting process that points to a directory
-#  outside the filesystem will be stopped.  If the sysctl option
-#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-kernel.grsecurity.chroot_deny_fchdir = 1
-
-#  If you say Y here, processes inside a chroot will not be allowed to
-#  mknod.  The problem with using mknod inside a chroot is that it
-#  would allow an attacker to create a device entry that is the same
-#  as one on the physical root of your system, which could range from
-#  anything from the console device to a device for your harddrive (which
-#  they could then use to wipe the drive or steal data).  It is recommended
-#  that you say Y here, unless you run into software incompatibilities.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_mknod" is created.
-kernel.grsecurity.chroot_deny_mknod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  mount or remount filesystems.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_deny_mount" is created.
-kernel.grsecurity.chroot_deny_mount = 1
-
-#  If you say Y here, processes inside a chroot will not be able to use
-#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-#  works similar to chroot in that it changes the root filesystem.  This
-#  function could be misused in a chrooted process to attempt to break out
-#  of the chroot, and therefore should not be allowed.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-#  created.
-kernel.grsecurity.chroot_deny_pivot     = 1
-
-#  If you say Y here, processes inside a chroot will not be able to attach
-#  to shared memory segments that were created outside of the chroot jail.
-#  It is recommended that you say Y here.  If the sysctl option is enabled,
-#  a sysctl option with name "chroot_deny_shmat" is created.
-kernel.grsecurity.chroot_deny_shmat = 1
-
-#  If you say Y here, an attacker in a chroot will not be able to
-#  write to sysctl entries, either by sysctl(2) or through a /proc
-#  interface.  It is strongly recommended that you say Y here. If the
-#  sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_sysctl" is created.
-kernel.grsecurity.chroot_deny_sysctl = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  connect to abstract (meaning not belonging to a filesystem) Unix
-#  domain sockets that were bound outside of a chroot.  It is recommended
-#  that you say Y here.  If the sysctl option is enabled, a sysctl option
-#  with name "chroot_deny_unix" is created.
-kernel.grsecurity.chroot_deny_unix = 1
-
-#  If you say Y here, the current working directory of all newly-chrooted
-#  applications will be set to the the root directory of the chroot.
-#  The man page on chroot(2) states:
-#  Note that usually chhroot does not change  the  current  working
-#  directory,  so  that `.' can be outside the tree rooted at
-#  `/'.  In particular, the  super-user  can  escape  from  a
-#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#  
-#  It is recommended that you say Y here, since it's not known to break
-#  any software.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_enforce_chdir" is created.
-kernel.grsecurity.chroot_enforce_chdir  = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
-#  getsid, or view any process outside of the chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_findtask" is
-#  created.
-kernel.grsecurity.chroot_findtask = 1
-
-#  If you say Y here, processes inside a chroot will not be able to raise
-#  the priority of processes in the chroot, or alter the priority of
-#  processes outside the chroot.  This provides more security than simply
-#  removing CAP_SYS_NICE from the process' capability set.  If the
-#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-#  is created.
-kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel Auditing
-#
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_group = 1
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_gid = 99
-
-#  If you say Y here, all execve() calls will be logged (since the
-#  other exec*() calls are frontends to execve(), all execution
-#  will be logged).  Useful for shell-servers that like to keep track
-#  of their users.  If the sysctl option is enabled, a sysctl option with
-#  name "exec_logging" is created.
-#  WARNING: This option when enabled will produce a LOT of logs, especially
-#  on an active system.
-kernel.grsecurity.exec_logging = 0				
-
-#  If you say Y here, all attempts to overstep resource limits will
-#  be logged with the resource name, the requested size, and the current
-#  limit.  It is highly recommended that you say Y here.  If the sysctl
-#  option is enabled, a sysctl option with name "resource_logging" is
-#  created.  If the RBAC system is enabled, the sysctl value is ignored.
-kernel.grsecurity.resource_logging = 1
-
-#  If you say Y here, all executions inside a chroot jail will be logged
-#  to syslog.  This can cause a large amount of logs if certain
-#  applications (eg. djb's daemontools) are installed on the system, and
-#  is therefore left as an option.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0	
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-#kernel.grsecurity.audit_ptrace = 1
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-kernel.grsecurity.audit_chdir = 0
-
-#  If you say Y here, all mounts and unmounts will be logged.  If the
-#  sysctl option is enabled, a sysctl option with name "audit_mount" is
-#  created.
-kernel.grsecurity.audit_mount = 1
-
-#  If you say Y here, certain important signals will be logged, such as
-#  SIGSEGV, which will as a result inform you of when a error in a program
-#  occurred, which in some cases could mean a possible exploit attempt.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "signal_logging" is created.
-kernel.grsecurity.signal_logging = 1
-
-#  If you say Y here, all failed fork() attempts will be logged.
-#  This could suggest a fork bomb, or someone attempting to overstep
-#  their process limit.  If the sysctl option is enabled, a sysctl option
-#  with name "forkfail_logging" is created.
-kernel.grsecurity.forkfail_logging = 1
-
-#  If you say Y here, any changes of the system clock will be logged.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "timechange_logging" is created.
-kernel.grsecurity.timechange_logging = 1
-
-#  if you say Y here, calls to mmap() and mprotect() with explicit
-#  usage of PROT_WRITE and PROT_EXEC together will be logged when
-#  denied by the PAX_MPROTECT feature.  This feature will also
-#  log other problematic scenarios that can occur when PAX_MPROTECT
-#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
-#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-#  is created.
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable Protections
-#
-
-
-#  if you say Y here, non-root users will not be able to use dmesg(8)
-#  to view the contents of the kernel's circular log buffer.
-#  The kernel's log buffer often contains kernel addresses and other
-#  identifying information useful to an attacker in fingerprinting a
-#  system for a targeted exploit.
-#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-#  created.
-kernel.grsecurity.dmesg = 1
-
 # Hide symbol addresses in /proc/kallsyms
 kernel.kptr_restrict = 2
 
-#  If you say Y here, TTY sniffers and other malicious monitoring
-#  programs implemented through ptrace will be defeated.  If you
-#  have been using the RBAC system, this option has already been
-#  enabled for several years for all users, with the ability to make
-#  fine-grained exceptions.
-#  
-#  This option only affects the ability of non-root users to ptrace
-#  processes that are not a descendent of the ptracing process.
-#  This means that strace ./binary and gdb ./binary will still work,
-#  but attaching to arbitrary processes will not.  If the sysctl
-#  option is enabled, a sysctl option with name "harden_ptrace" is
-#  created.
-kernel.grsecurity.harden_ptrace = 1
-
-#  If you say Y here, unprivileged users will not be able to ptrace unreadable
-#  binaries.  This option is useful in environments that
-#  remove the read bits (e.g. file mode 4711) from suid binaries to
-#  prevent infoleaking of their contents.  This option adds
-#  consistency to the use of that file mode, as the binary could normally
-#  be read out when run without privileges while ptracing.
-#  
-#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-#  is created.
-kernel.grsecurity.ptrace_readexec = 1
-
-#  If you say Y here, a change from a root uid to a non-root uid
-#  in a multithreaded application will cause the resulting uids,
-#  gids, supplementary groups, and capabilities in that thread
-#  to be propagated to the other threads of the process.  In most
-#  cases this is unnecessary, as glibc will emulate this behavior
-#  on behalf of the application.  Other libcs do not act in the
-#  same way, allowing the other threads of the process to continue
-#  running with root privileges.  If the sysctl option is enabled,
-#  a sysctl option with name "consistent_setxid" is created.
-kernel.grsecurity.consistent_setxid = 1
-
-#  If you say Y here, access to overly-permissive IPC objects (shared
-#  memory, message queues, and semaphores) will be denied for processes
-#  given the following criteria beyond normal permission checks:
-#  1) If the IPC object is world-accessible and the euid doesn't match
-#     that of the creator or current uid for the IPC object
-#  2) If the IPC object is group-accessible and the egid doesn't
-#     match that of the creator or current gid for the IPC object
-#  It's a common error to grant too much permission to these objects,
-#  with impact ranging from denial of service and information leaking to
-#  privilege escalation.  This feature was developed in response to
-#  research by Tim Brown:
-#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-#  who found hundreds of such insecure usages.  Processes with
-#  CAP_IPC_OWNER are still permitted to access these IPC objects.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 1
-
-#  If you say Y here, you will be able to choose a gid to add to the
-#  supplementary groups of users you want to mark as "untrusted."
-#  These users will not be able to execute any files that are not in
-#  root-owned directories writable only by root.  If the sysctl option
-#  is enabled, a sysctl option with name "tpe" is created.
-kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 100
-
-#  If you say Y here, the group you specify in the TPE configuration will
-#  decide what group TPE restrictions will be *disabled* for.  This
-#  option is useful if you want TPE restrictions to be applied to most
-#  users on the system.  If the sysctl option is enabled, a sysctl option
-#  with name "tpe_invert" is created.  Unlike other sysctl options, this
-#  entry will default to on for backward-compatibility.
-kernel.grsecurity.tpe_invert = 0
-
-#  If you say Y here, all non-root users will be covered under
-#  a weaker TPE restriction.  This is separate from, and in addition to,
-#  the main TPE options that you have selected elsewhere.  Thus, if a
-#  "trusted" GID is chosen, this restriction applies to even that GID.
-#  Under this restriction, all non-root users will only be allowed to
-#  execute files in directories they own that are not group or
-#  world-writable, or in directories owned by root and writable only by
-#  root.  If the sysctl option is enabled, a sysctl option with name
-#  "tpe_restrict_all" is created.
-kernel.grsecurity.tpe_restrict_all = 1
-
-
-kernel.grsecurity.harden_tty = 1
-
 #
 # Network Protections
 #
@@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1
 #net.ipv6.conf.default.rp_filter = 1
 #net.ipv6.conf.all.rp_filter = 1
 
-
 # Make sure no one can alter the routing tables
 # Act as a router, necessary for Access Point
 net.ipv4.conf.all.accept_redirects = 0
@@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800
 # Sen SynAck retries to 3
 net.ipv4.tcp_synack_retries = 3
 
-#  If you say Y here, neither TCP resets nor ICMP
-#  destination-unreachable packets will be sent in response to packets
-#  sent to ports for which no associated listening process exists.
-#  This feature supports both IPV4 and IPV6 and exempts the 
-#  loopback interface from blackholing.  Enabling this feature 
-#  makes a host more resilient to DoS attacks and reduces network
-#  visibility against scanners.
-#  
-#  The blackhole feature as-implemented is equivalent to the FreeBSD
-#  blackhole feature, as it prevents RST responses to all packets, not
-#  just SYNs.  Under most application behavior this causes no
-#  problems, but applications (like haproxy) may not close certain
-#  connections in a way that cleanly terminates them on the remote
-#  end, leaving the remote host in LAST_ACK state.  Because of this
-#  side-effect and to prevent intentional LAST_ACK DoSes, this
-#  feature also adds automatic mitigation against such attacks.
-#  The mitigation drastically reduces the amount of time a socket
-#  can spend in LAST_ACK state.  If you're using haproxy and not
-#  all servers it connects to have this option enabled, consider
-#  disabling this feature on the haproxy host.
-#  
-#  If the sysctl option is enabled, two sysctl options with names
-#  "ip_blackhole" and "lastack_retries" will be created.
-#  While "ip_blackhole" takes the standard zero/non-zero on/off
-#  toggle, "lastack_retries" uses the same kinds of values as
-#  "tcp_retries1" and "tcp_retries2".  The default value of 4
-#  prevents a socket from lasting more than 45 seconds in LAST_ACK
-#  state.
-kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine or run server
-#  applications from your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_all" is created.
-kernel.grsecurity.socket_all = 1
-
-#  Here you can choose the GID to disable socket access for. Remember to
-#  add the users you want socket access disabled for to the GID
-#  specified here.  If the sysctl option is enabled, a sysctl option
-#  with name "socket_all_gid" is created.
-kernel.grsecurity.socket_all_gid = 200
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_client = 1
-
-#  Here you can choose the GID to disable client socket access for.
-#  Remember to add the users you want client socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_client_gid" is created.
-kernel.grsecurity.socket_client_gid = 201
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_server = 1
-
-#  Here you can choose the GID to disable server socket access for.
-#  Remember to add the users you want server socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_server_gid" is created.
-kernel.grsecurity.socket_server_gid = 99
-
-#
-# Physical Protections
-#
-
-#  If you say Y here, a new sysctl option with name "deny_new_usb"
-#  will be created.  Setting its value to 1 will prevent any new
-#  USB devices from being recognized by the OS.  Any attempted USB
-#  device insertion will be logged.  This option is intended to be
-#  used against custom USB devices designed to exploit vulnerabilities
-#  in various USB device drivers.
-#  
-#  For greatest effectiveness, this sysctl should be set after any
-#  relevant init scripts.  This option is safe to enable in distros
-#  as each user can choose whether or not to toggle the sysctl.
-kernel.grsecurity.deny_new_usb = 0
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-kernel.grsecurity.grsec_lock = 0
-
 # End of file
diff --git a/core/exim.html b/core/exim.html
index 7e1fd28..3b86bb7 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.6. Exim</title>
+        <title>2.5. Exim</title>
     </head>
     <body>
         <a href="index.html">Core OS Index</a>
-        <h1>2.6. Exim</h1>
+        <h1>2.5. Exim</h1>
 
-        <h2 id="conf">2.6.1. Exim Configuration</h2>
+        <h2 id="conf">2.5.1. Exim Configuration</h2>
 
         <p>Exim come with default configuration we will change to mach system settings
         <a href="conf/etc/exim/exim.conf">/etc/exim/exim.conf</a>.</p>
@@ -17,7 +17,7 @@
         $ sudo prt-get depinst mailx
         </pre>
 
-        <h2 id="cert">2.6.2. Certificates</h2>
+        <h2 id="cert">2.5.2. Certificates</h2>
 
         <p>Exim creates a key for you if you just copy exim.conf and start daemon;</p>
 
@@ -64,7 +64,7 @@
 	# chmod 644 /etc/ssl/certs/exim.cert
 	</pre>
 
-        <h2 id="alias">2.6.3. Aliases</h2>
+        <h2 id="alias">2.5.3. Aliases</h2>
 
         <p>Exim come with default aliases we will change to mach system settings
         <a href="conf/etc/exim/aliases">/etc/exim/aliases;</a></p>
@@ -109,7 +109,7 @@
         ####
         </pre>
 
-        <h2 id="smarthost">2.6.4. Smarthost</h2>
+        <h2 id="smarthost">2.5.4. Smarthost</h2>
 
         <p>Tony Finch publish a nice
         <a href="http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/exim/etc/etc.cam/configure">configuration reference</a>.
@@ -133,7 +133,7 @@
         # exim -bt bob@remote.com
         </pre>
 
-        <h2 id="fetchmail">2.6. Fetchmail</h2>
+        <h2 id="fetchmail">2.5. Fetchmail</h2>
 
         <pre>
         $ prt-get depinst fetchmail
diff --git a/core/hardening.html b/core/hardening.html
index 1455398..8e9788f 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -2,25 +2,51 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2. Hardening</title>
+        <title>2.6. Hardening</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.2. Hardening</h1>
+        <h1>2.6. Hardening</h1>
 
-        <p>Check <a href="apparmor.html">apparmor</a>,
-        <a href="sysctl.html">sysctl</a>, 
-        <a href="toolchain.html">toolchain</a> and
-        <a href="samhain.html">samhain</a> before running tests.</p>
+        <h2>2.6.0.1 System configuration</h2>
 
-        <p>Mount some filesystems in read only</p>
-        <p>Check processes running as root</p>
-        <p>Check processes users premissions</p>
+        <dl>
+            <dt>File systems</dt>
+            <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd>
+            <dt>Sys</dt>
+            <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd>
+            <dt>Iptables</dt>
+            <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.</dd>
+            <dt>Apparmor</dt>
+            <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd>
+            <dt>Samhain</dt>
+            <dd>Check if <a href="samhain.html">samhain</a> is running.</dd>
+            <dt>Toolchain</dt>
+            <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd>
+        </dl>
+
+        <h2>System security</h2>
+
+        <pre>
+        $ sudo prt-get depinst checksec
+        </pre>
+
+        <dl>
+            <dt>User / Pam</dt>
+            <dd>Normal user is not part of wheel group
+            or have administration rights.</dd>
+            <dd>Disable su.</dd>
+            <dt>Processes</dt>
+            <dd>Check processes running as root</dd>
+            <dd>Check processes users premissions</dd>
+        </dl>
+
+        <h2>2.6.0.2 Lynis</h2>
 
         <pre>
-        $ sudo prt-get depinst checksec lynis
+        $ sudo prt-get depinst lynis
         </pre>
 
         <p>Lynis gives a view of system overall configuration, without changing
@@ -44,7 +70,7 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/index.html b/core/index.html
index d19f9e0..c9d5d4b 100644
--- a/core/index.html
+++ b/core/index.html
@@ -103,49 +103,47 @@
 		    <li><a href="linux.html#remove">2.1.6. Remove</a></li>
 		</ul>
 	    </li>
-	    <li><a href="hardening.html">2.2. Hardening</a>
+	    <li><a href="network.html">2.2. Network</a>
 		<ul>
-		    <li><a href="apparmor.html">2.2.1. AppArmor</a></li>
-		    <li><a href="sysctl.html">2.2.2. Sysctl</a></li>
-		    <li><a href="toolchain.html">2.2.3. Toolchain</a></li>
-		    <li><a href="samhain.html">2.2.4. Samhain</a></li>
+		    <li><a href="network.html#resolv">2.2.1. Resolver</a></li>
+		    <li><a href="network.html#static">2.2.2. Static ip</a></li>
+		    <li><a href="network.html#iptables">2.2.3. Iptables</a></li>
+		    <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li>
+		    <li><a href="network.html#nm">2.2.5. NetworkManager</a></li>
 		</ul>
 	    </li>
-	    <li><a href="network.html">2.3. Network</a>
+	    <li><a href="package.html">2.3. Package Management</a>
 		<ul>
-		    <li><a href="network.html#resolv">2.3.1. Resolver</a></li>
-		    <li><a href="network.html#static">2.3.2. Static ip</a></li>
-		    <li><a href="network.html#iptables">2.3.3. Iptables</a></li>
-		    <li><a href="network.html#wpa">2.3.4. Wpa and dhcpd</a></li>
-		    <li><a href="network.html#nm">2.3.5. NetworkManager</a></li>
+		    <li><a href="package.html#sysup">2.3.1. Update system</a></li>
+		    <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li>
+		    <li><a href="package.html#ports">2.3.3. Ports collections</a></li>
+		    <li><a href="package.html#info">2.3.3. Show port information</a></li>
+		    <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li>
+		    <li><a href="package.html#printf">2.3.5. Print information</a></li>
 		</ul>
 	    </li>
-
-	    <li><a href="package.html">2.4. Package Management</a>
+	    <li><a href="tty-terminal.html">2.4. Terminals and shells</a>
 		<ul>
-		    <li><a href="package.html#sysup">2.4.1. Update system</a></li>
-		    <li><a href="package.html#depinst">2.4.2. Install ports and dependencies</a></li>
-		    <li><a href="package.html#ports">2.4.3. Ports collections</a></li>
-		    <li><a href="package.html#info">2.4.3. Show port information</a></li>
-		    <li><a href="package.html#depends">2.4.4. Show port dependencies</a></li>
-		    <li><a href="package.html#printf">2.4.5. Print information</a></li>
+		    <li><a href="dash.html">2.4.1. Dash</a></li>
+		    <li><a href="bash.html">2.4.2. Bash</a></li>
+		    <li><a href="tmux.html">2.4.3. Tmux</a></li>
 		</ul>
 	    </li>
-
-	    <li><a href="tty-terminal.html">2.5. Terminals and shells</a>
+	    <li><a href="exim.html">2.5. Exim</a>
 		<ul>
-		    <li><a href="dash.html">2.5.1. Dash</a></li>
-		    <li><a href="bash.html">2.5.2. Bash</a></li>
-		    <li><a href="tmux.html">2.5.3. Tmux</a></li>
+		    <li><a href="exim.html#conf">2.5.1. Exim configuration</a></li>
+		    <li><a href="exim.html#cert">2.5.2. Certificates</a></li>
+		    <li><a href="exim.html#alias">2.5.3. Aliases</a></li>
+		    <li><a href="exim.html#smarthost">2.5.4. Smarthost</a></li>
+		    <li><a href="exim.html#fetchmail">2.5.5. Fetchmail</a></li>
 		</ul>
 	    </li>
-	    <li><a href="exim.html">2.6. Exim</a>
+	    <li><a href="hardening.html">2.6. Hardening</a>
 		<ul>
-		    <li><a href="exim.html#conf">2.6.1. Exim configuration</a></li>
-		    <li><a href="exim.html#cert">2.6.2. Certificates</a></li>
-		    <li><a href="exim.html#alias">2.6.3. Aliases</a></li>
-		    <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li>
-		    <li><a href="exim.html#fetchmail">2.6.5. Fetchmail</a></li>
+		    <li><a href="apparmor.html">2.6.1. AppArmor</a></li>
+		    <li><a href="sysctl.html">2.6.2. Sysctl</a></li>
+		    <li><a href="toolchain.html">2.6.3. Toolchain</a></li>
+		    <li><a href="samhain.html">2.6.4. Samhain</a></li>
 		</ul>
 	    </li>
 
diff --git a/core/network.html b/core/network.html
index c87acf9..4a412ad 100644
--- a/core/network.html
+++ b/core/network.html
@@ -2,12 +2,12 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.3. Network</title>
+        <title>2.2. Network</title>
     </head>
     <body>
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.3. Network</h1>
+        <h1>2.2. Network</h1>
 
         <p>Operation of the network can be handle with init scripts or with
         <a href="#nm">network manager</a>;</p>
@@ -52,7 +52,7 @@
         described scripts then proceed to
         <a href="package.html#sysup">update system.</a></p>
 
-        <h2 id="resolv">2.3.1. Resolver</h2>
+        <h2 id="resolv">2.2.1. Resolver</h2>
 
         <p>This example will use
         <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
@@ -60,7 +60,7 @@
 
         <pre>
         # /etc/resolv.conf.head can replace this line
-        nameserver 213.73.91.35
+        nameserver 2.2.73.91.35
         # /etc/resolv.conf.tail can replace this line
         </pre>
 
@@ -68,7 +68,7 @@
         # chattr +i /etc/resolv.conf
         </pre>
 
-        <h2 id="static">2.3.2. Static IP</h2>
+        <h2 id="static">2.2.2. Static IP</h2>
 
         <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
 
@@ -115,7 +115,7 @@
         # ip route add default via ${GW}
         </pre>
 
-        <h2 id="iptables">2.3.3. Iptables</h2>
+        <h2 id="iptables">2.2.3. Iptables</h2>
 
         <p>For more information about firewall systems read arch wiki
         <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a>
@@ -269,7 +269,7 @@
         # iptables -L -n -v | less
         </pre>
 
-        <h3 id="ipt_scripts">2.3.3.1. Iptable scripts</h3>
+        <h3 id="ipt_scripts">2.2.3.1. Iptable scripts</h3>
 
         <p>Scripts help to setup iptables rules so they can be saved using iptables-save
         and later restored using iptables-restore utilities. Init script
@@ -300,7 +300,7 @@
         with your network configuration, and adjust
         <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p>
 
-        <h2 id="wpa">2.3.4. Wpa and dhcpd</h2>
+        <h2 id="wpa">2.2.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
         <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -318,7 +318,7 @@
         # iwconfig wlp2s0 essid NAME key s:ABCDE12345
         </pre>
 
-        <h3>2.3.4.1. Wpa Supplicant</h3>
+        <h3>2.2.4.1. Wpa Supplicant</h3>
 
         <p>Configure wpa supplicant edit;</p>
 
@@ -348,7 +348,7 @@
         init script to auto load wpa configuration and dhcp
         client.</p>
 
-        <h3>2.3.4.2. Wpa Cli</h3>
+        <h3>2.2.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -387,18 +387,33 @@
         &gt; save_config
         </pre>
 
-        <h2 id="nm">2.3.5. Network Manager</h2>
+        <h2 id="nm">2.2.5. Network Manager</h2>
+
+        <p>Wifi status;</p>
+
+        <pre>
+        $ nmcli radio wifi
+        $ nmcli radio wifi on
+        </pre>
 
         <p>List wifi networks;</p>
 
         <pre>
-        nmcli device wifi list
+        $ nmcli device wifi rescan
+        $ nmcli device wifi list
         </pre>
 
         <p>Connect to a wifi network;</p>
 
         <pre>
-        nmcli device wifi connect "network name" password "network password"
+        $ nmcli device wifi connect "network name" password "network password"
+        </pre>
+
+        <p>Edit and save network configuration;</p>
+
+        <pre>
+        $ nmcli connection edit "network name"
+        nmcli> save persistent
         </pre>
 
         <a href="index.html">Core OS Index</a>
diff --git a/core/package.html b/core/package.html
index e0f8eae..7d4c8b5 100644
--- a/core/package.html
+++ b/core/package.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.4. Package Management</title>
+        <title>2.3. Package Management</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.4. Package Management</h1>
+        <h1>2.3. Package Management</h1>
 
         <p>For more information read crux handbook Package management
         front-end:
@@ -57,7 +57,7 @@
         $ prt-get depinst prt-utils prt-get-bashcompletion
         </pre>
 
-        <h2 id="sysup">2.4.1. Update System</h2>
+        <h2 id="sysup">2.3.1. Update System</h2>
 
         <p>Before build software get latest version of port collections;</p>
 
@@ -87,7 +87,7 @@
         $ prt-get update -fr $(revdep)
         </pre>
 
-        <h2 id="depinst">2.4.2. Install port and dependencies</h2>
+        <h2 id="depinst">2.3.2. Install port and dependencies</h2>
 
         <p>Installing using prt-get tool;</p>
 
@@ -111,7 +111,7 @@
         <p>If you user pkgmk and pkgadd allways check if README, pre and post 
         instal files exist.</p>
 
-        <h3 id="ports">2.4.3. Ports collections</h3>
+        <h3 id="ports">2.3.3. Ports collections</h3>
 
         <p>Clone this documentation;</p>
 
@@ -148,7 +148,7 @@
         $ sudo ports -u 6c37
         </pre>
 
-        <h2 id="info">2.4.4. Show port information</h2>
+        <h2 id="info">2.3.4. Show port information</h2>
 
         <pre>
         $ prt-get info port_name
@@ -166,13 +166,13 @@
         $ pkginfo -o filename
         </pre>
 
-        <h2 id="depends">2.4.5. Show port dependencies</h2>
+        <h2 id="depends">2.3.5. Show port dependencies</h2>
 
         <pre>
         $ prt-get depends port_name
         </pre>
 
-        <h2 id="printf">2.4.6. Print information</h2>
+        <h2 id="printf">2.3.6. Print information</h2>
 
         <p>Example how to get ports installed from contrib. Maybe there is
         a "cleaner" way to this, for now is ok;</p>
diff --git a/core/samhain.html b/core/samhain.html
index d28a6d2..a209864 100644
--- a/core/samhain.html
+++ b/core/samhain.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.4. Samhain</title>
+        <title>2.6.4. Samhain</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1 id="samhain">2.2.4. Samhain</h1>
+        <h1 id="samhain">2.6.4. Samhain</h1>
 
         <p>Read 
         <a href="http://www.la-samhna.de/samhain/manual/">Samhain Manual</a>,
@@ -37,7 +37,7 @@
             <dd>log file</dd>
         </dl>
 
-        <h2 id="conf">2.2.4.1. Configure</h2>
+        <h2 id="conf">2.6.4.1. Configure</h2>
 
         <p>For more information on configuration check 
         <a href="http://www.la-samhna.de/samhain/manual/filedef.htm">Monitoring Policies</a>.
@@ -234,7 +234,7 @@
         # samhain status
         </pre>
 
-        <h2 id="updatedb">2.2.4.2. Update database</h2>
+        <h2 id="updatedb">2.6.4.2. Update database</h2>
 
         <p><a href="http://www.la-samhna.de/samhain/manual/updating-the-file-signature-database.html">Manual</a>,
         You can update the database while the daemon is running, as long
diff --git a/core/sysctl.html b/core/sysctl.html
index d06afde..a5af197 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -2,24 +2,18 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.2. Sysctl</title>
+        <title>2.6.2. Sysctl</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1 id="sysctl">2.2.2. Sysctl</h1>
+        <h1 id="sysctl">2.6.2. Sysctl</h1>
 
         <p>Sysctl references
         <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
         <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
-        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
-        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>
-
-        <p>Since kernels on machine-ports have <a href="pax.grsecurity.net">PaX</a>
-        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
-        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
-        values;</p>
+        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>.</p>
 
         <pre>
         #
@@ -27,51 +21,19 @@
         #
 
         kernel.printk = 7 1 1 4
+
         kernel.randomize_va_space = 2
+
         # Shared Memory
         #kernel.shmmax = 500000000
         # Total allocated file handlers that can be allocated
         # fs.file-nr=
         vm.mmap_min_addr=65536
+
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
         #
-        # Memory Protections
-        #
-
-        #  If you say Y here, all ioperm and iopl calls will return an error.
-        #  Ioperm and iopl can be used to modify the running kernel.
-        #  Unfortunately, some programs need this access to operate properly,
-        #  the most notable of which are XFree86 and hwclock.  hwclock can be
-        #  remedied by having RTC support in the kernel, so real-time
-        #  clock support is enabled if this option is enabled, to ensure
-        #  that hwclock operates correctly.
-        #
-        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-        #  you may not be able to boot into a graphical environment with this
-        #  option enabled.  In this case, you should use the RBAC system instead.
-        kernel.grsecurity.disable_priv_io = 1
-
-        #  If you say Y here, attempts to bruteforce exploits against forking
-        #  daemons such as apache or sshd, as well as against suid/sgid binaries
-        #  will be deterred.  When a child of a forking daemon is killed by PaX
-        #  or crashes due to an illegal instruction or other suspicious signal,
-        #  the parent process will be delayed 30 seconds upon every subsequent
-        #  fork until the administrator is able to assess the situation and
-        #  restart the daemon.
-        #  In the suid/sgid case, the attempt is logged, the user has all their
-        #  existing instances of the suid/sgid binary terminated and will
-        #  be unable to execute any suid/sgid binaries for 15 minutes.
-        #
-        #  It is recommended that you also enable signal logging in the auditing
-        #  section so that logs are generated when a process triggers a suspicious
-        #  signal.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "deter_bruteforce" is created.
-        kernel.grsecurity.deter_bruteforce = 1
-
-        #
         # Filesystem Protections
         #
 
@@ -79,341 +41,9 @@
         # Increase system file descriptor limit
         fs.file-max = 65535
 
-        #  If you say Y here, /tmp race exploits will be prevented, since users
-        #  will no longer be able to follow symlinks owned by other users in
-        #  world-writable +t directories (e.g. /tmp), unless the owner of the
-        #  symlink is the owner of the directory. users will also not be
-        #  able to hardlink to files they do not own.  If the sysctl option is
-        #  enabled, a sysctl option with name "linking_restrictions" is created.
-        kernel.grsecurity.linking_restrictions = 1
-
-
-        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-        #  that prevents it from being used as a security feature.  As Apache
-        #  verifies the symlink by performing a stat() against the target of
-        #  the symlink before it is followed, an attacker can setup a symlink
-        #  to point to a same-owned file, then replace the symlink with one
-        #  that targets another user's file just after Apache "validates" the
-        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-        #  will be in place for the group you specify. If the sysctl option
-        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-        #  created.
-        kernel.grsecurity.enforce_symlinksifowner = 1
-        kernel.grsecurity.symlinkown_gid = 15
-
-        #  if you say Y here, users will not be able to write to FIFOs they don't
-        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
-        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
-        #  option is enabled, a sysctl option with name "fifo_restrictions" is
-        #  created.
-        kernel.grsecurity.fifo_restrictions = 1
-
-        #  If you say Y here, a sysctl option with name "romount_protect" will
-        #  be created.  By setting this option to 1 at runtime, filesystems
-        #  will be protected in the following ways:
-        #  * No new writable mounts will be allowed
-        #  * Existing read-only mounts won't be able to be remounted read/write
-        #  * Write operations will be denied on all block devices
-        #  This option acts independently of grsec_lock: once it is set to 1,
-        #  it cannot be turned off.  Therefore, please be mindful of the resulting
-        #  behavior if this option is enabled in an init script on a read-only
-        #  filesystem.
-        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-        #  and GRKERNSEC_IO should be enabled and module loading disabled via
-        #  config or at runtime.
-        #  This feature is mainly intended for secure embedded systems.
-        #kernel.grsecurity.romount_protect = 1
-
-        #  if you say Y here, the capabilities on all processes within a
-        #  chroot jail will be lowered to stop module insertion, raw i/o,
-        #  system and net admin tasks, rebooting the system, modifying immutable
-        #  files, modifying IPC owned by another, and changing the system time.
-        #  This is left an option because it can break some apps.  Disable this
-        #  if your chrooted apps are having problems performing those kinds of
-        #  tasks.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_caps" is created.
-        kernel.grsecurity.chroot_caps = 1
-
-        #kernel.grsecurity.chroot_deny_bad_rename = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chmod
-        #  or fchmod files to make them have suid or sgid bits.  This protects
-        #  against another published method of breaking a chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-        #  created.
-        kernel.grsecurity.chroot_deny_chmod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chroot
-        #  again outside the chroot.  This is a widely used method of breaking
-        #  out of a chroot jail and should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name
-        #  "chroot_deny_chroot" is created.
-        kernel.grsecurity.chroot_deny_chroot = 1
-
-        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-        #  to a file descriptor of the chrooting process that points to a directory
-        #  outside the filesystem will be stopped.  If the sysctl option
-        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-        kernel.grsecurity.chroot_deny_fchdir = 1
-
-        #  If you say Y here, processes inside a chroot will not be allowed to
-        #  mknod.  The problem with using mknod inside a chroot is that it
-        #  would allow an attacker to create a device entry that is the same
-        #  as one on the physical root of your system, which could range from
-        #  anything from the console device to a device for your harddrive (which
-        #  they could then use to wipe the drive or steal data).  It is recommended
-        #  that you say Y here, unless you run into software incompatibilities.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_mknod" is created.
-        kernel.grsecurity.chroot_deny_mknod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  mount or remount filesystems.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_deny_mount" is created.
-        kernel.grsecurity.chroot_deny_mount = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to use
-        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-        #  works similar to chroot in that it changes the root filesystem.  This
-        #  function could be misused in a chrooted process to attempt to break out
-        #  of the chroot, and therefore should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-        #  created.
-        kernel.grsecurity.chroot_deny_pivot     = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to attach
-        #  to shared memory segments that were created outside of the chroot jail.
-        #  It is recommended that you say Y here.  If the sysctl option is enabled,
-        #  a sysctl option with name "chroot_deny_shmat" is created.
-        kernel.grsecurity.chroot_deny_shmat = 1
-
-        #  If you say Y here, an attacker in a chroot will not be able to
-        #  write to sysctl entries, either by sysctl(2) or through a /proc
-        #  interface.  It is strongly recommended that you say Y here. If the
-        #  sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_sysctl" is created.
-        kernel.grsecurity.chroot_deny_sysctl = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  connect to abstract (meaning not belonging to a filesystem) Unix
-        #  domain sockets that were bound outside of a chroot.  It is recommended
-        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
-        #  with name "chroot_deny_unix" is created.
-        kernel.grsecurity.chroot_deny_unix = 1
-
-        #  If you say Y here, the current working directory of all newly-chrooted
-        #  applications will be set to the the root directory of the chroot.
-        #  The man page on chroot(2) states:
-        #  Note that usually chhroot does not change  the  current  working
-        #  directory,  so  that `.' can be outside the tree rooted at
-        #  `/'.  In particular, the  super-user  can  escape  from  a
-        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-        #
-        #  It is recommended that you say Y here, since it's not known to break
-        #  any software.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_enforce_chdir" is created.
-        kernel.grsecurity.chroot_enforce_chdir  = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
-        #  getsid, or view any process outside of the chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_findtask" is
-        #  created.
-        kernel.grsecurity.chroot_findtask = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to raise
-        #  the priority of processes in the chroot, or alter the priority of
-        #  processes outside the chroot.  This provides more security than simply
-        #  removing CAP_SYS_NICE from the process' capability set.  If the
-        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-        #  is created.
-        kernel.grsecurity.chroot_restrict_nice = 1
-
-        #
-        # Kernel Auditing
-        #
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_group = 1
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_gid = 99
-
-        #  If you say Y here, all execve() calls will be logged (since the
-        #  other exec*() calls are frontends to execve(), all execution
-        #  will be logged).  Useful for shell-servers that like to keep track
-        #  of their users.  If the sysctl option is enabled, a sysctl option with
-        #  name "exec_logging" is created.
-        #  WARNING: This option when enabled will produce a LOT of logs, especially
-        #  on an active system.
-        kernel.grsecurity.exec_logging = 0
-
-        #  If you say Y here, all attempts to overstep resource limits will
-        #  be logged with the resource name, the requested size, and the current
-        #  limit.  It is highly recommended that you say Y here.  If the sysctl
-        #  option is enabled, a sysctl option with name "resource_logging" is
-        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
-        kernel.grsecurity.resource_logging = 1
-
-        #  If you say Y here, all executions inside a chroot jail will be logged
-        #  to syslog.  This can cause a large amount of logs if certain
-        #  applications (eg. djb's daemontools) are installed on the system, and
-        #  is therefore left as an option.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_execlog" is created.
-        kernel.grsecurity.chroot_execlog = 0
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        #kernel.grsecurity.audit_ptrace = 1
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        kernel.grsecurity.audit_chdir = 0
-
-        #  If you say Y here, all mounts and unmounts will be logged.  If the
-        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
-        #  created.
-        kernel.grsecurity.audit_mount = 1
-
-        #  If you say Y here, certain important signals will be logged, such as
-        #  SIGSEGV, which will as a result inform you of when a error in a program
-        #  occurred, which in some cases could mean a possible exploit attempt.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "signal_logging" is created.
-        kernel.grsecurity.signal_logging = 1
-
-        #  If you say Y here, all failed fork() attempts will be logged.
-        #  This could suggest a fork bomb, or someone attempting to overstep
-        #  their process limit.  If the sysctl option is enabled, a sysctl option
-        #  with name "forkfail_logging" is created.
-        kernel.grsecurity.forkfail_logging = 1
-
-        #  If you say Y here, any changes of the system clock will be logged.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "timechange_logging" is created.
-        kernel.grsecurity.timechange_logging = 1
-
-        #  if you say Y here, calls to mmap() and mprotect() with explicit
-        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
-        #  denied by the PAX_MPROTECT feature.  This feature will also
-        #  log other problematic scenarios that can occur when PAX_MPROTECT
-        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
-        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-        #  is created.
-        kernel.grsecurity.rwxmap_logging = 1
-
-        #
-        # Executable Protections
-        #
-
-
-        #  if you say Y here, non-root users will not be able to use dmesg(8)
-        #  to view the contents of the kernel's circular log buffer.
-        #  The kernel's log buffer often contains kernel addresses and other
-        #  identifying information useful to an attacker in fingerprinting a
-        #  system for a targeted exploit.
-        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-        #  created.
-        kernel.grsecurity.dmesg = 1
-
         # Hide symbol addresses in /proc/kallsyms
         kernel.kptr_restrict = 2
 
-        #  If you say Y here, TTY sniffers and other malicious monitoring
-        #  programs implemented through ptrace will be defeated.  If you
-        #  have been using the RBAC system, this option has already been
-        #  enabled for several years for all users, with the ability to make
-        #  fine-grained exceptions.
-        #
-        #  This option only affects the ability of non-root users to ptrace
-        #  processes that are not a descendent of the ptracing process.
-        #  This means that strace ./binary and gdb ./binary will still work,
-        #  but attaching to arbitrary processes will not.  If the sysctl
-        #  option is enabled, a sysctl option with name "harden_ptrace" is
-        #  created.
-        kernel.grsecurity.harden_ptrace = 1
-
-        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
-        #  binaries.  This option is useful in environments that
-        #  remove the read bits (e.g. file mode 4711) from suid binaries to
-        #  prevent infoleaking of their contents.  This option adds
-        #  consistency to the use of that file mode, as the binary could normally
-        #  be read out when run without privileges while ptracing.
-        #
-        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-        #  is created.
-        kernel.grsecurity.ptrace_readexec = 1
-
-        #  If you say Y here, a change from a root uid to a non-root uid
-        #  in a multithreaded application will cause the resulting uids,
-        #  gids, supplementary groups, and capabilities in that thread
-        #  to be propagated to the other threads of the process.  In most
-        #  cases this is unnecessary, as glibc will emulate this behavior
-        #  on behalf of the application.  Other libcs do not act in the
-        #  same way, allowing the other threads of the process to continue
-        #  running with root privileges.  If the sysctl option is enabled,
-        #  a sysctl option with name "consistent_setxid" is created.
-        kernel.grsecurity.consistent_setxid = 1
-
-        #  If you say Y here, access to overly-permissive IPC objects (shared
-        #  memory, message queues, and semaphores) will be denied for processes
-        #  given the following criteria beyond normal permission checks:
-        #  1) If the IPC object is world-accessible and the euid doesn't match
-        #     that of the creator or current uid for the IPC object
-        #  2) If the IPC object is group-accessible and the egid doesn't
-        #     match that of the creator or current gid for the IPC object
-        #  It's a common error to grant too much permission to these objects,
-        #  with impact ranging from denial of service and information leaking to
-        #  privilege escalation.  This feature was developed in response to
-        #  research by Tim Brown:
-        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-        #  who found hundreds of such insecure usages.  Processes with
-        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "harden_ipc" is created.
-        kernel.grsecurity.harden_ipc = 1
-
-        #  If you say Y here, you will be able to choose a gid to add to the
-        #  supplementary groups of users you want to mark as "untrusted."
-        #  These users will not be able to execute any files that are not in
-        #  root-owned directories writable only by root.  If the sysctl option
-        #  is enabled, a sysctl option with name "tpe" is created.
-        kernel.grsecurity.tpe = 1
-        kernel.grsecurity.tpe_gid = 100
-
-        #  If you say Y here, the group you specify in the TPE configuration will
-        #  decide what group TPE restrictions will be *disabled* for.  This
-        #  option is useful if you want TPE restrictions to be applied to most
-        #  users on the system.  If the sysctl option is enabled, a sysctl option
-        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
-        #  entry will default to on for backward-compatibility.
-        kernel.grsecurity.tpe_invert = 1
-
-        #  If you say Y here, all non-root users will be covered under
-        #  a weaker TPE restriction.  This is separate from, and in addition to,
-        #  the main TPE options that you have selected elsewhere.  Thus, if a
-        #  "trusted" GID is chosen, this restriction applies to even that GID.
-        #  Under this restriction, all non-root users will only be allowed to
-        #  execute files in directories they own that are not group or
-        #  world-writable, or in directories owned by root and writable only by
-        #  root.  If the sysctl option is enabled, a sysctl option with name
-        #  "tpe_restrict_all" is created.
-        kernel.grsecurity.tpe_restrict_all = 1
-
-
-        kernel.grsecurity.harden_tty = 1
-
         #
         # Network Protections
         #
@@ -519,105 +149,18 @@
         # Sen SynAck retries to 3
         net.ipv4.tcp_synack_retries = 3
 
-        #  If you say Y here, neither TCP resets nor ICMP
-        #  destination-unreachable packets will be sent in response to packets
-        #  sent to ports for which no associated listening process exists.
-        #  This feature supports both IPV4 and IPV6 and exempts the
-        #  loopback interface from blackholing.  Enabling this feature
-        #  makes a host more resilient to DoS attacks and reduces network
-        #  visibility against scanners.
-        #
-        #  The blackhole feature as-implemented is equivalent to the FreeBSD
-        #  blackhole feature, as it prevents RST responses to all packets, not
-        #  just SYNs.  Under most application behavior this causes no
-        #  problems, but applications (like haproxy) may not close certain
-        #  connections in a way that cleanly terminates them on the remote
-        #  end, leaving the remote host in LAST_ACK state.  Because of this
-        #  side-effect and to prevent intentional LAST_ACK DoSes, this
-        #  feature also adds automatic mitigation against such attacks.
-        #  The mitigation drastically reduces the amount of time a socket
-        #  can spend in LAST_ACK state.  If you're using haproxy and not
-        #  all servers it connects to have this option enabled, consider
-        #  disabling this feature on the haproxy host.
-        #
-        #  If the sysctl option is enabled, two sysctl options with names
-        #  "ip_blackhole" and "lastack_retries" will be created.
-        #  While "ip_blackhole" takes the standard zero/non-zero on/off
-        #  toggle, "lastack_retries" uses the same kinds of values as
-        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
-        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
-        #  state.
-        kernel.grsecurity.ip_blackhole = 1
-        kernel.grsecurity.lastack_retries = 4
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine or run server
-        #  applications from your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_all" is created.
-        kernel.grsecurity.socket_all = 1
-
-        #  Here you can choose the GID to disable socket access for. Remember to
-        #  add the users you want socket access disabled for to the GID
-        #  specified here.  If the sysctl option is enabled, a sysctl option
-        #  with name "socket_all_gid" is created.
-        kernel.grsecurity.socket_all_gid = 200
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_client = 1
-
-        #  Here you can choose the GID to disable client socket access for.
-        #  Remember to add the users you want client socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_client_gid" is created.
-        kernel.grsecurity.socket_client_gid = 201
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_server = 1
-
-        #  Here you can choose the GID to disable server socket access for.
-        #  Remember to add the users you want server socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_server_gid" is created.
-        kernel.grsecurity.socket_server_gid = 99
-
-        #
-        # Physical Protections
-        #
-
-        #  If you say Y here, a new sysctl option with name "deny_new_usb"
-        #  will be created.  Setting its value to 1 will prevent any new
-        #  USB devices from being recognized by the OS.  Any attempted USB
-        #  device insertion will be logged.  This option is intended to be
-        #  used against custom USB devices designed to exploit vulnerabilities
-        #  in various USB device drivers.
-        #
-        #  For greatest effectiveness, this sysctl should be set after any
-        #  relevant init scripts.  This option is safe to enable in distros
-        #  as each user can choose whether or not to toggle the sysctl.
-        kernel.grsecurity.deny_new_usb = 0
-
-        #
-        # Restrict grsec sysctl changes after this was set
-        #
-        kernel.grsecurity.grsec_lock = 0
-
         # End of file
         </pre>
 
+        <p>Reload sysctl settings;</p>
+
+        <pre>
+        # sysctl --system
+        </pre>
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/toolchain.html b/core/toolchain.html
index 57113fd..9662217 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.3. Toolchain</title>
+        <title>2.6.3. Toolchain</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1 id="toolchain">2.2.3. Toolchain</h1>
+        <h1 id="toolchain">2.6.3. Toolchain</h1>
 
         <p>Add flags to pkgmk configuration and change specific ports that
         don't build with hardening flags. More information about
diff --git a/core/tty-terminal.html b/core/tty-terminal.html
index 6eb08d3..d033ec2 100644
--- a/core/tty-terminal.html
+++ b/core/tty-terminal.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.5. Consoles, terminals and shells</title>
+        <title>2.4. Consoles, terminals and shells</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.5. Consoles, terminals and shells</h1>
+        <h1>2.4. Consoles, terminals and shells</h1>
 
         <dl>
             <dt>Consoles</dt>
diff --git a/tools/storage.html b/tools/storage.html
index 932e724..f90bca0 100644
--- a/tools/storage.html
+++ b/tools/storage.html
@@ -11,14 +11,66 @@
 
         <h2 id="fsck">1. Maintenance</h2>
 
-        <p>SMART provides statistics of disk firmware, this system
-        handle errors has their occur. Badblocks detect bad blocks
-        by writing and reading from disk in a destructive test.
-        Example of how to view SMART statistics of a disk;</p>
+        <p>SMART provides statistics of disk firmware,
+        this system handle errors has their occur. Badblocks        are detected by writing and reading from disk in
+        a destructive test. Example of how to view SMART
+        statistics of a disk;</p>
 
         <pre>
         # smartctl -t long /dev/sdb1
         # smartctl -a /dev/sdb1 | less
+        # hdparm -I /dev/sda | less
+        </pre>
+
+        <p>Mechanical hard drives spindown disks
+        and put heads in hold position to save energy
+        and protect the disk. This spindow spinup
+        can shorter the life expectancy of the hard
+        drive. Relevant output from smartctl;</p>
+
+        <p>Settings with hdparm [options] [device];</p>
+
+        <dl>
+            <dt>-B</dt>
+
+            <dd>Set the Advanced Power Management feature.
+            Possible values are between 1 and 255, low
+            values mean more aggressive power management
+            and higher values mean better performance.
+            Values from 1 to 127 permit spin-down, whereas
+            values from 128 to 254 do not. A value of 255
+            completely disables the feature.</dd>
+
+            <dt>-S</dt>
+
+            <dd>Set the standby (spindown) timeout for
+            the drive. The timeout specifies how long to
+            wait in idle (with no disk activity) before
+            turning off the motor to save power. The value
+            of 0 disables spindown, the values from 1 to
+            240 specify multiples of 5 seconds and values
+            from 241 to 251 specify multiples of 30
+            minutes.</dd>
+
+            <dt>-M</dt>
+
+            <dd>Set the Automatic Acoustic Management
+            feature. Most modern hard disk drives have the
+            ability to speed down the head movements to
+            reduce their noise output. The possible value
+            depends on the disk, some disks may not support
+            this feature.</dd>
+        </dl>
+
+        <pre>
+        # hdparm -S 0 /dev/sda
+        # hdparm -B 255 /dev/sda
+        </pre>
+
+        <p>Set persistent values using udev, edit /etc/udev/rules.d/69-hdparm.rules;</p>
+
+        <pre>
+        ACTION=="add", SUBSYSTEM=="block", KERNEL=="sda", RUN=="/usr/bin/hdparm -B 255 -S 0 /dev/sda"
         </pre>
 
         <p>Search for bad blocks using
@@ -28,6 +80,7 @@
         # badblocks -nsv /dev/sdb1
         </pre>
 
+
         <h2 id="mv">2. Moving data</h2>
 
         <p>Temp partition with 20M-50M;</p>