diff --git a/etc/permission-hardening.conf b/etc/permission-hardening.conf
index ec69b5d..b78feae 100644
--- a/etc/permission-hardening.conf
+++ b/etc/permission-hardening.conf
@@ -1,10 +1,41 @@
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
 ## File permission hardening.
 ##
 ## Syntax:
 ## [filename] [mode] [owner] [group] [capability]
 ##
+## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
+## argument.
+##
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root
 /boot/ 0700 root root
 /etc/permission-hardening.conf 0600 root root
+
+## Remove all SUID/SGID binaries/libraries.
+/bin/ nosuid
+/usr/bin/ nosuid
+/usr/local/bin/ nosuid
+/sbin/ nosuid
+/usr/sbin/ nosuid
+/usr/local/sbin/ nosuid
+/lib/ nosuid
+/lib32/ nosuid
+/lib64/ nosuid
+/usr/lib/ nosuid
+/usr/lib32/ nosuid
+/usr/lib64/ nosuid
+/usr/local/lib/ nosuid
+/usr/local/lib32/ nosuid
+/usr/local/lib64/ nosuid
+
+## SUID whitelist.
+/usr/bin/sudo 4755 root root
+/usr/bin/bwrap 4755 root root
+/usr/lib/policykit-1/polkit-agent-helper-1 4755 root root
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper 4754 root messagebus
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper 4755 root root
+/usr/lib/x86_64-linux-gnu/utempter/utempter 2755 root utmp