net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 2
# This protects against various TCP attacks, such as DoS against or injection
# of arbitrary segments into prematurely closed connections.
net.ipv4.tcp_rfc1337 = 1
+
+# Include PID in file names of generated core dumps
+kernel.core_uses_pid = 1
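Review bot: The comment added above `kernel.core_uses_pid = 1` at the end of the change says what the setting does but not why, and it omits that the kernel appends the PID only when `kernel.core_pattern` is a plain file name without `%p`; with a piped handler such as systemd-coredump the line has no effect. I would write it as `# Append the PID to core file names so successive dumps do not overwrite each other.` followed by `# Ignored when kernel.core_pattern pipes to a handler or already contains %p.` The setting does not limit which processes are dumped or who can read the result; whether `fs.suid_dumpable` is set elsewhere in the file cannot be seen from these lines and is worth checking. Separately, `dev.tty.ldisc_autoload` exists only on Linux 5.1 and later, so older kernels will report an unknown key for that line; naming the minimum kernel version in its comment would help.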