Improving readme

Author: mattaereal

README.md

@@ -12,30 +12,31 @@ below.
 There's also a minimized version under the `minimal` branch.
 
 ## Requirements
+
 1. Visual Studio Code.
 1. DevContainer extension by MS: `ms-vscode-remote.remote-containers`.
 1. Must have installed on your local OS: `docker` and `docker-buildx`.
 
 ## Kick-off
+
 1. Start the docker service, and make sure your user is in the `docker` group. Otherwise, add
-   yourself to it but you'll have to log in back again.
+yourself to it but you'll have to log in back again.
 2. Clone this repo, if you want a minimal version checkout `minimal`.
 3. Open the folder with **vscode** how you like. Running `code .` works well.
 4. Select **Reopen in Container** and wait. This will build the container volume.
 5. If this is your first time, you'll be prompted to press enter on a console log that triggers the
-   terminal.
+terminal.
 6. If not you can go to the extensions section on your side, click the **Remote Explorer** tab and
-    select the active devcontainer.
+select the active devcontainer.
 
 ## Usage
+
 If you open the **Command Palette** (Ctrl+Shift+p or whatever your shortcut is) you
- can access several features:
-- You can attach VS Code to a running container, where you can open any folder
- or Clone a repository.
-- You can open new folders or workspaces of your liking inside the current 
-volume.
-- You can even clone a new repository in a new volume based on the same
- devcontainer.
+can access several features:
+
+- You can attach VS Code to a running container, where you can open any folder or Clone a repository.
+- You can open new folders or workspaces of your liking inside the current volume.
+- You can even clone a new repository in a new volume based on the same devcontainer.
 
 ## Features Overview
 
@@ -63,10 +64,12 @@ volume.
 - tintinweb.vscode-decompiler
 
 ### Frameworks
+
 - **Foundry**: Really fast modular toolkit (forge, anvil, cast).
 - **Hardhat**: Dev environment to develop, deploy, test and debug.
 
 ### Security Tools
+
 - **Fuzzing**:
   - **Medusa**: Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum.
   - **Echidna**: Fuzz testing for Ethereum contracts (prebuilt binary).
@@ -78,20 +81,22 @@ volume.
   - **Semgrep**: Lightweight static analysis with custom rule definitions.
 
 - **Symbolic execution**:
-  - **Mythril**: A symbolic-execution-based securty analysis tool for EVM bytecode. 
+  - **Mythril**: A symbolic-execution-based securty analysis tool for EVM bytecode.
   - **Halmos**: A symbolic testing tool for EVM smart contracts.
 
 - **Decompilers**:
   - **Panoramix**: Smart contract decompiler.
- 
+
 - **Other**:
   - **Slither-LSP**: Language server for enhanced contract analysis.
-  - **napalm**: A project management utility for custom solidity vulnerability detectors.
+  - **napalm**: A project management utility for custom solidity vulnerability detectors. To include
+    some default collections you need to install napalm-core manually.
   - **Heimdall**: An advanced EVM smart contract toolkit specializing in bytecode analysis and
     extracting information from unverified contracts.
   - **Aderyn**: Rust-based Solidity AST analyzer.
 
 ### Utilities
+
 - **solc-select**: Solc version manager for multiple Solidity versions.
 - **vyper**: Pythonic language for Ethereum smart contracts.
 - **Package Managers**:
@@ -102,66 +107,79 @@ volume.
   - **uv**: Utility manager.
   - **nvm**: Node.js version manager.
 
-
 ### Languages
+
 - **JavaScript**, **Python**, **Go**, **Rust**, **Vyper**, **Solidity**.
 
 ### Shell
+
 **ZSH**. Configured with Oh-My-ZSH and autocompletions for: **medusa**, **anvil**, **cast**, **forge**.
 
 ### Additional Repositories
+
 - **building-secure-contracts**: Repository with security-focused Solidity examples.
 
 ### Notes
+
 - Remember to disable telemetry. `Ctrl+Shift+P > Open Settings (UI) >` type `telemetry` and uncheck
 all the boxes. Alternatively you can add them directly by going to `Open Settings (JSON)`, example:
+
 ```json
   "telemetry.telemetryLevel": "off",
   "gitlens.telemetry.enabled": false,
   "partialDiff.enableTelemetry": false,
-  ```
-
+```
 
-## Manual interventions & info
+### Manual interventions & info
 
 ### Hardening: Enabling SELinux
+
 SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that restricts processes and users to only the resources they are explicitly allowed to access, enhancing system security.
 
 You can check if you have this already enabled by running `sudo sestatus`
 
 If you don't have SELinux installed, and you really want up your game, and protect your host from
 container escapes go ahead and install it. Find whichever guide convinves you the most! Afterward,
 enable it inside `/etc/docker/daemon.json` (it should be enabled by default afaik).
+
 ```bash
 ❯ cat /etc/docker/daemon.json 
 {
   "selinux-enabled": true
 }
 ```
 
-To manually disable SELinux you can uncomment the following line:
+### Hardening: Enabling seccomp
+
+seccomp is a Linux kernel feature that restricts the system calls that a process can make. It's a more
+restrictive security mechanism than SELinux.
+
+To manually enable seccomp you can specify a profile like this:
+
 ```json
-    // Disable SELinux.
-    // "--security-opt", "seccomp=unconfined"
+  "--security-opt", "seccomp=profile.json"
 ```
 
 ### Hardening: Enabling AppArmor
+
 AppArmor is a Linux security module that enforces file and network access restrictions for applications through profiles. It sometimes can be more straighforward than SELinux.
 
-You can check it has been enabled by running `sudo apparmor_status`. 
+You can check it has been enabled by running `sudo apparmor_status`.
 
 This has been enabled via the argument:
+
 ```json
 "--security-opt", "apparmor:docker-default"`
 ```
 
-
 ### Hardening: Dropping capabilities
+
 Capabilities in Linux are fine-grained permissions that allow processes to perform specific
 privileged operations without granting full root privileges. They break down the all-or-nothing
 nature of root access into smaller, specific rights, improving security.
 
-We have done this by running the following argument: 
+We have done this by running the following argument:
+
 ```json
 "--cap-drop=ALL"
 ```
@@ -170,21 +188,24 @@ This allows us to reduce attack surface by limiting privileged operations. And a
 processes as full root.
 
 A few examples:
+
 - `CAP_NET_ADMIN`: Allows network administration (e.g., configuring interfaces).
 - `CAP_CHOWN`: Allows changing file ownership.
 
-
 ### Hardening: No new privileges
+
 There's a flag that allows you to avoid getting the user more privilages than it already has. So if
 you want to use **sudo** or elevate privilages, you can restart your container after commenting the
 following line:
+
 ```json
 "--security-opt", "no-new-privileges",
 ```
 
 ### Hardening: Read-only filesystem
+
 This may be one of the safest configurations out there but a hard one to use, at least for
-development environments. 
+development environments.
 
 It's trickier because it limits a lot what you can do. But if you want to
 experiment by yourself, you can start by enabling the `"--read-only"` flag and troubleshooting under
@@ -197,7 +218,7 @@ the `mount` section which volumes are mandatory needed as writable.
 - Lets you enforce the need for @inheritdoc in public/external functions.
 - Can integrate on your daily workflow, or just as a final check.
 
-```
+```bash
 npx @defi-wonderland/natspec-smells --include "src/**/*.sol"
 ```
 
@@ -224,11 +245,13 @@ npx @defi-wonderland/natspec-smells --include "src/**/*.sol"
    ```
 
 3. Run
+
    ```bash
    yarn natspec-smells
    ```
 
 ### Semgrep
+
 Currently semgrep supports [Solidity](https://semgrep.dev/docs/language-support/) in `experimental` mode. Some of the rules may not work until Solidity is in `beta` at least.
 
 > **Important:** Some of the rules utilize the [taint mode](https://semgrep.dev/docs/writing-rules/data-flow/taint-mode), which is restricted to the same function in the open-source version of semgrep. To take advantage of intra-procedural taint analysis, you must include the `--pro` flag with each command. Please note that this requires semgrep Pro.
@@ -278,7 +301,9 @@ and manage multiple versions of tools like Go, Python, Node.js, and more, all in
 especially useful for projects requiring specific tool versions.
 
 #### Install Plugins
+
 Add the plugin for the language or tool you need:
+
 ```bash
 asdf plugin add <language/tool>
 asdf plugin list all
@@ -289,25 +314,29 @@ Python: `asdf plugin add python`
 Node.js: `asdf plugin add nodejs`
 
 #### You can list and install specific versions
+
 ```bash
 asdf install golang 1.20.5
 asdf install python 3.11.5
 asdf install nodejs 18.15.0
 ```
 
 #### Make a version be used globally
+
 ```bash
 asdf global golang 1.20.5
 asdf global python 3.11.5
 ```
 
 #### Make a version be used locally
+
 ```bash
 asdf local golang 1.19.2
 asdf local python 3.10.4
 ```
 
 ### Install different node versions with nvm
+
 ```bash
 # Install the latest version
 nvm install --lts
@@ -320,5 +349,7 @@ nvm ls
 ```
 
 ### Links
+
 - Article (references this repo's branch article): [Where do you run your code?](https://blog.theredguild.org/where-do-you-run-your-code/)
+- Article (references this repo's branch article): [Where do you run your code II? - hardening](https://blog.theredguild.org/where-do-you-run-your-code-part-ii-2/)
 - Workshop: [Come and build your own devContainer!](https://eth-security-explorations.notion.site/Come-and-build-your-own-devContainer-13b3c0d74d7f448f836419281d916369) @ the-mu