Set sysctl kernel.panic=-1

This commit is contained in:
raja-grewal 2025-08-17 06:27:44 +00:00 committed by GitHub
parent f1de0da69b
commit 247015bcc6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 11 additions and 16 deletions

@ -47,7 +47,8 @@ configuration file and significant hardening is applied to a myriad of component
- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
- Optional - Force immediate reboot on the occurrence of a single kernel panic.
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of both denial of service and cold boot attacks.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
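Review bot: the rewritten bullet ("Force immediate system reboot ... reducing the risk and impact of both denial of service and cold boot attacks") states only the upside, while the sysctl comment this same commit removes called the setting "an extreme safety option which also creates a large opening for targeted denial of service attacks"; both are true and the README is where operators read about the trade-off. Suggest keeping the benefit but adding the cost, e.g. "Force immediate system reboot on a single kernel panic, so a panicked machine does not sit hung with its memory exposed (cold boot) and comes back on its own; note that together with the oops and warning limits above, any reproducible oops or `WARN()` now also reboots the host." Dropping the "Optional -" prefix is consistent with the setting being enabled by default in the third file, but the Non-compliance section it used to point at should then say why it moved.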
@ -281,21 +282,13 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
**Non-compliance:**
2. `sysctl kernel.panic=-1`
Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
system crashes.
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
3. `sysctl user.max_user_namespaces=0`
2. `sysctl user.max_user_namespaces=0`
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
4. `sysctl fs.binfmt_misc.status=0`
3. `sysctl fs.binfmt_misc.status=0`
Disables the registration of interpreters for miscellaneous binary formats. Currently not
feasible due to compatibility issues with Firefox.
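Review bot: removing the `sysctl kernel.panic=-1` item also removes the two links ([security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) and [#268](https://github.com/Kicksecure/security-misc/pull/268)) that record why the setting was previously left disabled, and the caveat "it may lead to unexpected system crashes" disappears with it. Suggest carrying both over to wherever the enabled setting is now documented (the sysctl comment block or the panic-on-oops script) rather than dropping them, so the earlier decision and its reversal remain traceable. The renumbering of the remaining items (3 to 2, 4 to 3) is consistent with the removal.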

@ -189,9 +189,11 @@ kernel.perf_event_paranoid=3
#kernel.warn_limit=1
## Force immediate system reboots on the occurrence of a single kernel panic.
## This is an extreme safety option which also creates a large opening for targeted denial of service attacks.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
##
## KSPP=no
## KSPP=yes
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
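Review bot: the line "## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen." overstates what the setting does: an immediate reboot shortens how long the panic output stays visible on the console, but it does not stop the details from being written anywhere else the kernel logs, so "limits" or "shortens the window for" would be accurate where "prevents" is not. Likewise "Ensures the system does not hang forever ... reducing susceptibility to cold boot attacks" rests on the reboot actually replacing memory contents, which is worth saying explicitly. The KSPP flip from "no" to "yes" with "## KSPP sets CONFIG_PANIC_TIMEOUT=-1." is correct (the kernel build option equivalent of `kernel.panic=-1`), and since the value itself is set in `/usr/libexec/security-misc/panic-on-oops` rather than here, the pointer on the last line is the right way to document it.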

@ -21,6 +21,6 @@ sysctl kernel.oops_limit=1
sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This is an extreme safety option which also creates
## a large opening for targeted denial of service attacks.
#sysctl kernel.panic=-1
## kernel panic. This reduces the risk and impact of both denial of
## service and cold boot attacks.
sysctl kernel.panic=-1
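Review bot: the new comment above `sysctl kernel.panic=-1` drops the old warning ("This is an extreme safety option which also creates a large opening for targeted denial of service attacks") entirely and keeps only the benefit; in this script the setting sits directly after `sysctl kernel.oops_limit=1` and `sysctl kernel.warn_limit=1`, so its effect is that a single oops or warning now panics and immediately reboots the host. Suggest keeping one sentence of the original caveat here, e.g. "## With oops_limit=1 and warn_limit=1 above, any single oops or warning now results in an immediate reboot; a reproducible one will reboot the host repeatedly.", so that whoever reads the script understands the availability trade-off without having to find the README.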