[arch-devops] Linux lockdown mode deployed

Jelle van der Waa jelle at vdwaa.nl
Mon Dec 23 14:49:15 UTC 2019

Hi All,

I've deployed a new Linux hardening setting on all our VPS'es which is
available since 5.4. Which makes it harder for root to modify the
running kernel by shielding off some functionality for userland. [1]

No application should rely on this features so everything should still
work as normal.

Currently it is deployed as tmpfiles.d file which is suboptimal but
adding it to our bootloader seems to be hard since we currently already
enable btrfs via lineinfile. Maybe the grub configuration should live in
our ansible repository?

[1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633adf4f6dc55ea23229a33bda


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20191223/dcde0ff7/attachment.sig>

More information about the arch-devops mailing list