From 0dc37c49d144948f24f6eb74fa1d0757a8cc3a7d Mon Sep 17 00:00:00 2001
From: Tommy
Date: Wed, 5 Jun 2024 21:06:33 -0700
Subject: [PATCH] Update workstation sysctl

---
 etc/sysctl.d/99-workstation.conf | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/etc/sysctl.d/99-workstation.conf b/etc/sysctl.d/99-workstation.conf
index 4ac649d..ba47eb6 100644
--- a/etc/sysctl.d/99-workstation.conf
+++ b/etc/sysctl.d/99-workstation.conf
@@ -3,7 +3,8 @@ dev.tty.ldisc_autoload = 0
 # https://access.redhat.com/solutions/1985633
-# Seems dangerous
+# Seems dangerous.
+# Roseta need this though, so if you use it comment this out.
 fs.binfmt_misc.status = 0
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
@@ -14,7 +15,7 @@ fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
-# Disable coredumps
+# Disable coredumps.
 # For additional safety, disable coredumps using ulimit and systemd too.
 kernel.core_pattern=|/bin/false
 fs.suid_dumpable = 0
@@ -42,8 +43,6 @@ net.core.bpf_jit_harden = 2
 kernel.unprivileged_userns_clone = 1
 # Disable ptrace. Not needed on workstations.
-# Also, the Debian gVisor package from Google will just take priority over this with their
-# /etc/sysctl.d/999-gvisor.conf file.
 kernel.yama.ptrace_scope = 3
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
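Review bot: The new comment line above `fs.binfmt_misc.status = 0` in the first hunk misspells Rosetta and is ungrammatical, and the line it extends, `# Seems dangerous.`, still does not say what the risk is, so a reader deciding whether to comment the setting out has nothing to weigh. Suggest replacing the two added lines with `# binfmt_misc lets the kernel hand arbitrary executable formats to user-space interpreters; that is extra attack surface, so keep it off.` and `# Rosetta (presumably Apple's Rosetta for Linux VMs) relies on it, so comment this line out only if you use Rosetta.` Keeping the reference to the setting's purpose next to the opt-out instruction makes the trade-off explicit rather than implied.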
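Review bot: Dropping the two gVisor lines in the last hunk also drops the only reminder that `kernel.yama.ptrace_scope = 3` can be silently overridden, since sysctl.d fragments are applied in lexical filename order and a later-sorting file wins for the same key; the new side keeps just `# Disable ptrace. Not needed on workstations.` If the gVisor specifics were the reason for removal, a generic one-liner preserves the operational caveat without naming a package, e.g. `# Any file sorting after 99-* in /etc/sysctl.d can override this key; verify with sysctl kernel.yama.ptrace_scope after boot.` The surrounding settings block continues outside the hunk.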