Update Hardening

Hardening.md

@@ -9,6 +9,7 @@ These are configurations performed during the compilation stage. All the setting
 - Gentoo hardened compiler & flags
 - SELinux support included
 - X11 and systemd support disabled
+- Musl libc used instead of GNU libc (glibc)
 
 ## Kernel
 
@@ -17,7 +18,7 @@ The kernel has been configured to utilize several security features that limit w
 - Kernel Self Protection Project enabled
 - Signed kernel module loading only
 - Quiet boot parameter
-- Common CPU vulnerabilities mitigated
+- Common CPU vulnerabilities mitigated when possible
 - Lockdown mode set to confidentiality
 - SELinux enabled
 - Unnecessary modules blacklisted
@@ -49,7 +50,8 @@ Various controls on the kernel's networking stack, filesystem stack, and on some
 - Root logon disabled
 - No superuser access on production builds
 - System files on non-system partitions only accessible by root
-- sshd disabled
+- Integrity of symlinks to system partition enforced by the kernel
+- sshd not included
 
 ## Updates
 
@@ -57,7 +59,8 @@ System updates are fully verified as well. In a secure build, signatures are req
 
 - Signed image updates
 - Signed system overlays
-- Updates performed over HTTPS
+- OTA updates performed strictly over HTTPS
+- Failed or tampered updates cause failover to known-good system slot
 
 ## Sandboxing
 
@@ -70,8 +73,9 @@ Applications are run in sandboxes by default so they do not make undesired modif
 
 ## Applications
 
-The default applications have been selected with security as a first priority.
+The default applications have been selected with security as a first priority. Also, smaller implementations are preferred to minimize the trusted computing base (TCB) of the system.
 
-- GNOME desktop environment
+- KDE desktop environment
 - Wayland display compositor
 - Trivalent browser
+- OpenRC init system