diff --git a/README.md b/README.md
index b6a6c60..42fba56 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,9 @@ space, user space, core dumps, and swap space.
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+- Provide the option to disable the use of legacy TIOCSTI operation which can be
+ used to inject keypresses.
+
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6).
@@ -141,6 +144,12 @@ configuration file.
 - Provide the option to modify machine check exception handler.
+- Provide the option to enable the kernel Electric-Fence sampling-based memory
+ safety error detector which can identify heap out-of-bounds access, use-after-free,
+ and invalid-free errors.
+
+- Provide the option to disable 32 bit vDSO mappings.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2).
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 172c3c8..d34f0ca 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -18,6 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
 ## Disable merging of slabs with similar size.
 ## Reduces the risk of triggering heap overflows.
@@ -112,6 +113,23 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. ## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. ## Aims to have very low processing overhead at each sampling interval ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. ## ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" + ## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. ## ## https://en.wikipedia.org/wiki/VDSO ## ## The use of 32 bit vDSO mappings is currently enabled. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" + ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
@@ -135,7 +153,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
-#cfi=kcfi
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
@@ -144,7 +162,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
-#ia32_emulation=0
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 ## 2. Direct Memory Access:
 ##
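Review bot: The comment header above the new `vdso32=0` line says it disables "x86 Virtual Dynamic Shared Object (vDSO) mappings", but that parameter only controls the 32-bit (compat) vDSO and the native 64-bit vDSO stays mapped, so the header should read `## Disable the 32-bit (compat) vDSO mapping used by IA32 processes.`, and `## The use of 32 bit vDSO mappings is currently enabled.` reads as a status line rather than stating the kernel default. The KFENCE block is missing the caveat that `kfence.sample_interval=` is only honoured by kernels built with CONFIG_KFENCE=y, and that KFENCE writes sampled error reports to the kernel log rather than blocking anything, so it is a bug detector and not an exploit mitigation; suggested: `## Requires CONFIG_KFENCE=y. KFENCE only reports sampled errors to the kernel log; it is detection, not a mitigation.` If panic_on_warn is enabled elsewhere in this configuration, a KFENCE report should be expected to panic the machine as well (worth confirming against the running kernel's mm/kfence/report.c). The kernel-parameters documentation is a more precise reference for both options than the Wikipedia link.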
@@ -222,4 +240,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
 ##
-#ipv6.disable=1
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 40ab0ff..ef550e4 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -23,6 +23,7 @@
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+## https://kspp.github.io/Recommended_Settings#sysctls
 ## https://wiki.archlinux.org/title/Security#Kernel_hardening
 ## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
@@ -128,6 +129,13 @@ kernel.perf_event_paranoid=3
 ##
 kernel.randomize_va_space=2
+## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses. ## Will break screen readers as can no longer push characters into a controlling TTY. ## ## This is disabled by default when using Linux kernel >= 6.2. ## #dev.tty.legacy_tiocsti=0 + ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices.
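Review bot: The corrected line now really appends `ipv6.disable=1` to the cmdline, but the comment above it only mentions the sysctls it makes redundant and not the operational consequence: with the ipv6 module disabled at boot, creating an AF_INET6 socket fails with EAFNOSUPPORT, so any daemon configured to bind `::` or `[::]:port` without an IPv4 fallback will fail to start rather than degrade. Suggested addition before the line: `## Makes AF_INET6 socket creation fail (EAFNOSUPPORT); reconfigure services that listen on :: before enabling.` The enclosing comment block starts outside the hunk.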
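Review bot: The line `## This is disabled by default when using Linux kernel >= 6.2.` is misleading: the `dev.tty.legacy_tiocsti` sysctl only exists from 6.2, and its boot-time default follows CONFIG_LEGACY_TIOCSTI, which upstream defaults to y, so on a stock kernel TIOCSTI stays allowed until this sysctl is set to 0; suggested: `## Available from Linux kernel 6.2; the default follows CONFIG_LEGACY_TIOCSTI (upstream default y), see /proc/sys/dev/tty/legacy_tiocsti.` The breakage note is also broader than necessary: per the Kconfig help, processes with CAP_SYS_ADMIN (BRLTTY is the example given) can still use TIOCSTI when this is 0, so `## Will break unprivileged screen readers ...` is the accurate wording. On kernels older than 6.2 the key is absent and systemd-sysctl will log an error for this entry; harmless while it stays commented out, but worth stating alongside the other version caveats in this file. The enclosing section continues outside the hunk.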