Setting “kernel.kptr_restrict=1” with sysctl makes kernel symbols in
/proc/kallsyms only accessible to root which can make it more difficult
for a kernel exploit to resolve addresses/symbols. Setting it to 2
hides the symbols regardless of privileges.
Setting “kernel.dmesg_restrict=1” with sysctl restricts access to the kernel logs
which can give an attacker less information on what they can do.
Setting “kernel.unprivileged_bpf_disabled=1” and
“net.core.bpf_jit_harden=2” with sysctl hardens the BPF JIT compiler and restricts
it to root. It comes with a performance drop on systems that use the JIT
compiler a lot, but this should only really affect servers.
Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” with sysctl improves KASLR effectiveness for mmap. This might break some things but I haven't had anything break on me yet.
Adding “slab_nomerge” as a boot parameter may also be useful.
slab_nomerge disables the merging of slabs of similar sizes. Sometimes a
slab can be used in a vulnerable way which an attacker can exploit. This may slightly increase memory usage.
Mounting /proc with hidepid=2 in /etc/fstab will hide other users’
processes from unprivileged users. This makes it a lot harder for an
attacker to get information about other running processes. Some processes (like systemd-logind) will break but you can add exceptions for them.
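
An added example, not part of the original text: a shell script that checks a system against the values listed above. The function names (lookup, audit_sysctl, has_boot_param, fstab_hidepid) and the --live switch are assumptions made for illustration; the script reads "sysctl -a" style output, a /proc/cmdline style file and an fstab.

```shell
#!/bin/sh
# Added example (not from the original text). Function names are made up for
# illustration; the expected values are the ones given in the text above.

EXPECTED='kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
vm.mmap_rnd_bits 32
vm.mmap_rnd_compat_bits 16'

# lookup FILE KEY: value of KEY from "key = value" lines (sysctl -a format).
lookup() { awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# audit_sysctl FILE: print each deviating key; return status 1 if any deviate.
audit_sysctl() {
    file=$1; bad=0
    v=$(lookup "$file" kernel.kptr_restrict)
    case "$v" in
        1|2) ;;                                   # both values hide symbols
        *) echo "kernel.kptr_restrict=${v:-unset} (want 1 or 2)"; bad=1 ;;
    esac
    while read -r key want; do
        v=$(lookup "$file" "$key")
        [ "$v" = "$want" ] || { echo "$key=${v:-unset} (want $want)"; bad=1; }
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# has_boot_param FILE WORD: true if WORD is a token in a /proc/cmdline style file.
has_boot_param() { tr ' ' '\n' < "$1" | grep -qx "$2"; }

# fstab_hidepid FILE: print the hidepid= value of the /proc entry in an fstab.
fstab_hidepid() {
    awk '$1 !~ /^#/ && $2 == "/proc" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (sub(/^hidepid=/, "", o[i])) print o[i]
    }' "$1"
}

# Check the running system with: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    t=$(mktemp) && sysctl -a 2>/dev/null > "$t"
    audit_sysctl "$t" || echo "sysctl settings deviate from the list above"
    has_boot_param /proc/cmdline slab_nomerge || echo "slab_nomerge not set"
    [ "$(fstab_hidepid /etc/fstab)" = 2 ] || echo "/proc lacks hidepid=2 in fstab"
    rm -f "$t"
fi
```

A missing key is reported as "unset", which is what a kernel built without the corresponding feature will show.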