moved ldisc_autoload and unprivileged_userfaultfd; updated comments

Author: k4yt3x

sysctl.conf

@@ -2,12 +2,14 @@
 # Author: K4YT3X
 # Contributor: IceCodeNew
 # Contributor: HorlogeSkynet
+# Contributor: shenzhui007
+# Contributor: HorlogeSkynet
 # Date Created: October 5, 2020
-# Last Updated: October 15, 2021
+# Last Updated: August 4, 2022
 
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020-2021 K4YT3X
+# (C) 2020-2022 K4YT3X
 
 # Multiple sources have been consulted while writing this configuration
 #  file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -69,6 +71,9 @@ kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
 kernel.perf_event_max_sample_rate = 1
 
+# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
+dev.tty.ldisc_autoload = 0
+
 ########## File System ##########
 
 # disallow core dumping by SUID/SGID programs
@@ -114,6 +119,10 @@ vm.mmap_min_addr = 65536
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
 
+# prevent unprivileged users from accessing userfaultfd
+# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
+vm.unprivileged_userfaultfd = 0
+
 ########## Networking ##########
 
 # increase the maximum length of processor input queues
@@ -288,10 +297,3 @@ net.ipv6.conf.all.accept_source_route = 0
 #net.ipv6.icmp.echo_ignore_all = 1
 #net.ipv6.icmp.echo_ignore_anycast = 1
 #net.ipv6.icmp.echo_ignore_multicast = 1
-
-
-# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
-dev.tty.ldisc_autoload = 0
-
-# disable syscall to the CAP_SYS_PTRACE capability
-vm.unprivileged_userfaultfd = 0