[arch-devops] Linux lockdown mode deployed

Jelle van der Waa jelle at vdwaa.nl
Mon Dec 23 14:49:15 UTC 2019


Hi All,

I've deployed a new Linux hardening setting on all our VPSes, which has
been available since 5.4 and makes it harder for root to modify the
running kernel by shielding off some functionality for userland. [1]

No application should rely on this feature, so everything should still
work as normal.

Currently it is deployed as a tmpfiles.d file, which is suboptimal, but
adding it to our bootloader seems to be hard since we currently already
enable btrfs via lineinfile. Maybe the grub configuration should live in
our ansible repository?

[1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633adf4f6dc55ea23229a33bda

Greetings,

Jelle
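
An added example, not part of the original message or of the Arch infrastructure repository: a shell check that reports which lockdown mode is active on a host and whether it was requested on the kernel command line, which is the distinction between the tmpfiles.d and bootloader approaches discussed above. It reads the kernel's /sys/kernel/security/lockdown file and the lockdown= boot parameter; the function names and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit how kernel lockdown is applied on a host.
# Function names and output format are illustrative assumptions.

# Print the active mode from the sysfs text. The kernel marks the active
# mode with brackets, e.g. "none [integrity] confidentiality".
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Print the value of the last lockdown= word on a kernel command line,
# or nothing if the parameter is absent.
lockdown_cmdline_mode() {
    for word in $1; do
        case "$word" in
            lockdown=*) printf '%s\n' "${word#lockdown=}" ;;
        esac
    done | tail -n 1
}

# Report the active mode and where it came from.
#   $1 = contents of /sys/kernel/security/lockdown
#   $2 = contents of /proc/cmdline
# source=cmdline: the active mode matches the boot parameter.
# source=other:   set some other way, e.g. a runtime write such as a
#                 tmpfiles.d entry, or a kernel built with a forced default.
lockdown_audit() {
    active=$(lockdown_active_mode "$1")
    boot=$(lockdown_cmdline_mode "$2")
    if [ -z "$active" ] || [ "$active" = "none" ]; then
        echo "disabled"
    elif [ "$boot" = "$active" ]; then
        echo "$active source=cmdline"
    else
        echo "$active source=other"
    fi
}

# On a live system with the lockdown LSM enabled, audit the running kernel.
if [ -r /sys/kernel/security/lockdown ] && [ -r /proc/cmdline ]; then
    lockdown_audit "$(cat /sys/kernel/security/lockdown)" "$(cat /proc/cmdline)"
fi
```

A host reporting source=other runs unlocked from boot until the runtime write happens, which is the window a boot parameter closes.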