Updated fstab and added entropy

docs/alpine-desktop-setup/installation.md

@@ -49,12 +49,12 @@ clock_systohc="NO"
 Edit `/etc/fstab` for correct mounts:
 
 ```
-/dev/disk/by-label/efi  /boot/efi   vfat    defaults                        0 2
+/dev/disk/by-label/efi  /boot/efi   vfat    defaults,nodev,nosuid,noexec    0 2
 /dev/vg<m>/root<n>      /           ext4    defaults,noatime                0 1
-/dev/vg<m>/home<n>      /home       ext4    defaults,noatime,nodev          0 1
+/dev/vg<m>/home<n>      /home       ext4    defaults,noatime,nosuid,nodev   0 1
 /dev/vg<m>/tmp<n>       /tmp        ext4    defaults,nodev,nosuid,noexec    0 1
 /dev/vg<m>/var<n>       /var        ext4    defaults,nodev,nosuid,noexec    0 1
-/dev/vg<m>/nix<n>       /nix        ext4    defaults,nodev,nosuid           0 1
+/dev/vg<m>/nix<n>       /nix        ext4    defaults,noatime,nodev,nosuid   0 1
 proc                    /proc       proc    nosuid,nodev,noexec,hidepid=2   0 0
 ```
 

docs/alpine-desktop-setup/post-install/security.md

@@ -2,6 +2,10 @@
 
 There are a few things that have to be done to optimize the security of the system.
 
+Here are a few of the sources used:
+
+* [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).
+
 ## Apparmor and LSM
 
 Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:
@@ -33,7 +37,7 @@ You can check the status of apparmor using `apparmor-utils`:
 
 ## Cmdline
 
-There are a lot of kernel settings which can be passed to the command line to make a system more secure. [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes each of their function and how they improve security of the system so lets add them to `/etc/kernel-hooks/secureboot.conf`:
+There are a lot of kernel settings which can be passed to the command line to make a system more secure. So lets add them to `/etc/kernel-hooks/secureboot.conf`:
 
 ```
 cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot"
@@ -45,7 +49,7 @@ After reconfiguring `kernel-hooks` try to reboot and it should boot. Although th
 
 ## Sysctl
 
-More kernel settings can be configured through sysctl. All these settings are also explained on [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel). Edit the file `/etc/sysctl.d/main.conf`:
+More kernel settings can be configured through sysctl. Edit the file `/etc/sysctl.d/main.conf`:
 
 ```
 # Main security configuration.
@@ -60,6 +64,7 @@ dev.tty.ldisc_autoload=0
 kernel.kexec_load_disabled=1
 kernel.sysrq=0
 kernel.perf_event_paranoid=3
+random.trust_cpu=off
 
 ## Network
 net.ipv4.tcp_syncookies=1
@@ -90,7 +95,6 @@ fs.protected_regular=2
 
 ## For hardened_malloc
 vm.max_map_count=1048576
-
 ```
 
 This list is still incomplete.
@@ -125,3 +129,17 @@ You can also use the light variant of hardened-malloc because the default one ma
 ```
 /usr/lib/libhardened_malloc-light.so
 ```
+
+## Entropy
+
+Improve the security of the system by improving the entropy and thus randomness. Install `jitterentropy-library`:
+
+```
+# apk add jitterentropy-library
+```
+
+And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that the kernel module gets loaded:
+
+```
+jitterentropy_rng
+```