...
- Audit the system for setuid programs and remove any unnecessary packages containing them. Turn off the setuid bit on the remaining setuid programs which don't need to be setuid.
- Keep the system up to date.
- Treat kernel security updates as high-priority updates; schedule a reboot to install kernel updates on the evening of the upstream kernel package release at the latest.
- Use a Linux distribution which closely tracks the upstream kernel.org sources and run a custom-built kernel based on those sources, thus allowing us to apply kernel patches easily.Have multiple front-end machines serving user content with a load-balancer between them, allowing the serving machines to be shut down in series
- for rapid kernel upgradesDeploy a clustered environment, allowing individual servers to have their kernels upgraded immediately without a visible service outage.
It may be possible to use SELinux to reduce the likelihood of a local root privilege escalation. More research is required.
...