diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 95906dd6..01f71cec 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -282,6 +282,14 @@ sysctl_config:
   vm.mmap_rnd_bits: 32
   vm.mmap_rnd_compat_bits: 16
 
+  # Disable unprivileged users from loading eBPF programs into the kernel.
+  # One of mitigations against CVE-2021-33909. | Tail-2
+  kernel.unprivileged_bpf_disabled: 1
+
+  # Reduce attack surface by disabling unprivileged user namespaces.
+  # Mitigates CVE-2021-33909 and other exploits.
+  kernel.unprivileged_userns_clone: 0
+
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite: