Might want to point out that without distro patches, `kernel.perf_event_paranoid = 3` is the same as `kernel.perf_event_paranoid = 2`.
Excellent point. Updated with a pointer to the patch: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#sysctls
New conversation
Very nice, we need to make this into a consumable format so more people use it, like an @ansible playbook, @puppetize, etc.
I was thinking of adding a "make def_hardened" or something target to the kernel, though the per-arch pieces don't play nicely
New conversation
Have you considered proposing a "make paranoidconfig" or similar?
yeah, it's on my list, but there's still so much low hanging fruit, I haven't spent time on it yet. :) patches welcome!
New conversation
A few more: IA32_EMULATION=n, X86_X32=n (if not used), MODIFY_LDT_SYSCALL=n (and other old syscalls), LEGACY_VSYSCALL_NONE
New conversation
you missed CONFIG_DEBUG_NOTIFIERS which has a check for a class of (by now historic) rootkits
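As an added example (this is not code from the thread or from the Kernel Self Protection Project), here is a POSIX shell script that audits a kernel .config for the options named in the two replies above (IA32_EMULATION, X86_X32, MODIFY_LDT_SYSCALL, LEGACY_VSYSCALL_NONE, DEBUG_NOTIFIERS) and reports the running kernel's `kernel.perf_event_paranoid` from the first conversation. The function names, the expected values and the sample .config fragment are all constructed for this example; only the option names come from the replies.

```shell
#!/bin/sh
# Added example, not from the thread: audit a kernel .config for the hardening
# options named in the replies above. Option names come from the replies; the
# function names and the sample config below are constructed for this example.

# Expected settings, one per line, as OPTION=value ("n" means not built in).
HARDENED_OPTS="
CONFIG_IA32_EMULATION=n
CONFIG_X86_X32=n
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_DEBUG_NOTIFIERS=y
"

# kconfig_value FILE OPTION: print the option's value (y/m/string).
# Absent options and "# CONFIG_FOO is not set" lines both report "n".
kconfig_value() {
    kv_line=$(grep -E "^$2=" "$1" | tail -n 1)
    if [ -n "$kv_line" ]; then
        printf '%s\n' "${kv_line#*=}"
    else
        printf 'n\n'
    fi
}

# check_kconfig FILE: print OK/FAIL per option; exit status 0 only if all match.
check_kconfig() {
    ck_bad=0
    for ck_entry in $HARDENED_OPTS; do
        ck_opt=${ck_entry%%=*}
        ck_want=${ck_entry#*=}
        ck_have=$(kconfig_value "$1" "$ck_opt")
        if [ "$ck_have" = "$ck_want" ]; then
            printf 'OK   %s=%s\n' "$ck_opt" "$ck_have"
        else
            printf 'FAIL %s=%s (want %s)\n' "$ck_opt" "$ck_have" "$ck_want"
            ck_bad=$((ck_bad + 1))
        fi
    done
    [ "$ck_bad" -eq 0 ]
}

# kconfig_failures FILE: print the number of mismatching options.
kconfig_failures() {
    check_kconfig "$1" | grep -c '^FAIL' || true
}

# perf_paranoid_level: print the running kernel's kernel.perf_event_paranoid,
# or "unavailable" when not on Linux. As the first reply notes, 3 is only
# stricter than 2 on kernels carrying the out-of-tree patch, so the number
# alone does not tell you whether unprivileged perf is fully disabled.
perf_paranoid_level() {
    if [ -r /proc/sys/kernel/perf_event_paranoid ]; then
        cat /proc/sys/kernel/perf_event_paranoid
    else
        printf 'unavailable\n'
    fi
}

# make_sample_config: write a constructed .config fragment (not any real
# kernel's config) and print its path. Three of the five options miss.
make_sample_config() {
    ms_file=$(mktemp)
    cat >"$ms_file" <<'EOF'
CONFIG_X86_64=y
CONFIG_IA32_EMULATION=y
# CONFIG_X86_X32 is not set
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_DEBUG_NOTIFIERS is not set
EOF
    printf '%s\n' "$ms_file"
}

# Usage: sh kconfig-audit.sh [/boot/config-$(uname -r)]
# With no argument the constructed sample above is audited instead.
if [ "$#" -gt 0 ]; then
    cfg=$1
else
    cfg=$(make_sample_config)
fi
printf 'kernel.perf_event_paranoid = %s\n' "$(perf_paranoid_level)"
check_kconfig "$cfg" || printf '%s option(s) not hardened\n' "$(kconfig_failures "$cfg")"
```

Point it at `/boot/config-$(uname -r)` (or `/proc/config.gz` after `zcat`) on a real box; a missing option is treated as "not set", which is what you want for options that do not exist on a non-x86 architecture.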
Interesting! Thanks for sharing.