
Choose the capabilities you want to remove

You must remove CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_SYS_ADMIN to be protected against trivial attacks on your system. I strongly encourage you to disallow CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_LINUX_IMMUTABLE, CAP_KILL, CAP_SYS_RESOURCE, CAP_SYS_TIME and CAP_SYS_TTY_CONFIG as well.
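To check which of the capabilities listed above are still available on a running system, the following added example (not part of the original LIDS documentation) audits a capability bounding-set mask against both lists. It assumes the `CapBnd:` field of `/proc/<pid>/status` found on current Linux kernels, which is not the LIDS mechanism itself; the bit numbers come from `<linux/capability.h>`, and the sample status texts are constructed.

```python
# Added example: audit a capability bounding set against the page's two lists.
# Bit numbers are the CAP_* values from <linux/capability.h>.
MUST_REMOVE = {"CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_ADMIN": 21}
SHOULD_REMOVE = {
    "CAP_KILL": 5, "CAP_LINUX_IMMUTABLE": 9, "CAP_NET_ADMIN": 12,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_RESOURCE": 24, "CAP_SYS_TIME": 25,
    "CAP_SYS_TTY_CONFIG": 26,
}

# Constructed samples in /proc/<pid>/status format (assumed interface).
FULL_STATUS = "Name:\tinit\nCapBnd:\t000001ffffffffff\n"      # nothing removed
PARTIAL_STATUS = "Name:\tinit\nCapBnd:\t000001ffffdcffff\n"   # bits 16, 17, 21 cleared


def parse_capbnd(status_text):
    """Return the bounding-set mask from status text as an integer."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line found")


def still_present(mask, wanted):
    """Names from `wanted` whose bit is still set in `mask`."""
    return sorted(name for name, bit in wanted.items() if (mask >> bit) & 1)


def audit(status_text):
    """Report which 'must remove' and 'should remove' capabilities remain."""
    mask = parse_capbnd(status_text)
    return {
        "must": still_present(mask, MUST_REMOVE),
        "should": still_present(mask, SHOULD_REMOVE),
    }


if __name__ == "__main__":
    # On a Linux host, audit the current process's bounding set.
    with open("/proc/self/status") as fh:
        result = audit(fh.read())
    for level, names in result.items():
        print(level, "still present:", ", ".join(names) or "none")
```
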

Biondi Philippe 2000-02-24