1 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
2 kernel.kptr_restrict = 2
4 # Avoid kernel memory address exposures via dmesg.
5 kernel.dmesg_restrict = 1
7 # Improve KASLR effectiveness for mmap.
9 vm.mmap_rnd_compat_bits = 16
11 # Turn on hard- and symlink protection
12 fs.protected_symlinks = 1
13 fs.protected_hardlinks = 1
15 # Don't allow writes to files and FIFOs that we don't own in world writable sticky
16 # directories, unless they are owned by the owner of the directory.
17 fs.protected_fifos = 2
18 fs.protected_regular = 2
20 # Include PID in file names of generated core dumps
21 kernel.core_uses_pid = 1
23 # Block non-uid-0 profiling
24 kernel.perf_event_paranoid = 3
26 # Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
27 # from loading vulnerable line disciplines with the TIOCSETD ioctl.
28 dev.tty.ldisc_autoload = 0