====== Linux Hardening Guide - Kernel attack surface reduction ======

It is best to disable any functionality that is not absolutely required as to minimize potential kernel attack surface.

  * These features do not necessarily have to be dangerous; they could simply be benign code that is removed to reduce attack surface.
  * Never disable random things that you do not understand.

The following are some examples that may be of use, depending on your setup.

----

===== Boot parameters =====

Boot parameters can often be used to reduce attack surface. One such example is:

<code bash>
ipv6.disable=1
</code>

This disables the entire IPv6 stack which may not be required if you have not migrated to it.

  * Do not use this boot parameter if you are using IPv6.

----