Disable kexec, to make our attack surface a bit smaller.
Showing with 5 additions and 0 deletions
|...||...||@@ -97,3 +97,7 @@ kernel address map from some external source. This is not hard, but|
|certainly not all malware has such functionality.|
|For this reason, we also make sure to purge `/boot/System.map`.|
|### `kernel.kexec_load_disabled = 1`|
|kexec is dangerous: it enables replacement of the running kernel.|
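Review bot: the new `kernel.kexec_load_disabled = 1` section, as far as the lines visible here show, states the risk in a single sentence and does not document the operational consequences of the setting. Once this sysctl is set to 1, it cannot be set back to 0 until the next reboot. Any image that must be loadable through kexec, for example a kdump crash kernel, has to be loaded before the sysctl is applied. I suggest adding a sentence saying so after "it enables replacement of the running kernel". It would also help to state that loading a kernel this way already requires root-level privilege (CAP_SYS_BOOT), so the setting targets an attacker who has root, which matches the malware threat model in the preceding paragraph about the kernel address map.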