Creating a partition that contains _ONLY_ setuid/setgid binaries
not only makes finding _ALL_ setuid/setgid programs trivial,
but also prevents hardlinks without the necessity of chattr.
Either chattr all setuid/setgid programs, or isolate on a separate
partition preventing xdev hardlinks are intrinsically sounder
approaches than pasting CVEs against RPM.
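
An audit along the lines described above, as an added example that is not part of the original post or of RPM: it lists setuid/setgid files under a tree without crossing filesystems, counts their extra hardlinks, and shows which directories sit on the same device and could therefore hold a link. The names `audit_setid`, `writable_dirs` and `demo`, and the temporary sample tree, are assumptions made for illustration.

```python
import os, stat, tempfile

SETID = stat.S_ISUID | stat.S_ISGID

def audit_setid(root, writable_dirs=()):
    """Report setuid/setgid regular files under root, without crossing
    filesystems (like find -xdev), and flag the hardlink exposure."""
    root_dev = os.lstat(root).st_dev
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points so the walk stays on root's filesystem.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & SETID):
                continue
            findings.append({
                "path": path,
                "inode": st.st_ino,
                # nlink > 1: another name for this inode exists somewhere
                # on the same filesystem and survives replacing this path.
                "extra_links": st.st_nlink - 1,
                # link(2) cannot cross filesystems, so only directories on
                # the same device can hold a hardlink to this file.
                "linkable_from": [d for d in writable_dirs
                                  if os.stat(d).st_dev == st.st_dev],
            })
    return findings

def demo():
    """Constructed sample tree: one setuid file plus a stray hardlink."""
    top = tempfile.mkdtemp()
    bindir, stash = os.path.join(top, "bin"), os.path.join(top, "home")
    os.mkdir(bindir); os.mkdir(stash)
    target = os.path.join(bindir, "helper")
    open(target, "w").close()
    os.chmod(target, 0o4755)                          # setuid bit, owner = caller
    open(os.path.join(bindir, "plain"), "w").close()  # not set-id: ignored
    os.link(target, os.path.join(stash, "kept"))      # second name, same inode
    return audit_setid(bindir, writable_dirs=[stash]), stash

if __name__ == "__main__":
    for f in demo()[0]:
        print(f)
```

On a layout where the set-id binaries live on their own partition, `linkable_from` comes back empty for every user-writable directory passed in, and any non-zero `extra_links` points at a name inside that partition.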