Next: Put the seal command
Up: Prepare the LIDS sealing
Previous: The CAP_SYS_TTY_CONFIG capability
Contents
You must remove CAP_SYS_MODULE, CAP_SYS_RAWIO and
CAP_SYS_ADMIN to be protected against trivial attacks against
your system. I really encourage to disallow CAP_NET_ADMIN,
CAP_SYS_PTRACE, CAP_LINUX_IMMUTABLE, CAP_KILL,
CAP_SYS_RESOURCE, CAP_SYS_TIME and
CAP_SYS_TTY_CONFIG.
Biondi Philippe
2000-02-24