Set sysctl kernel.panic=-1

README.md

@@ -47,7 +47,8 @@ configuration file and significant hardening is applied to a myriad of component
 - Force the kernel to immediately panic on both "oopses" (which can potentially indicate
   and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
-- Optional - Force immediate reboot on the occurrence of a single kernel panic.
+- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
+  risk and impact of both denial of service and cold boot attacks.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
@@ -281,21 +282,13 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
 
 **Non-compliance:**
 
-2. `sysctl kernel.panic=-1`
+2. `sysctl user.max_user_namespaces=0`
-
-Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
-system crashes.
-
-* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
-* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
-
-3. `sysctl user.max_user_namespaces=0`
 
 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
 
 * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
 
-4. `sysctl fs.binfmt_misc.status=0`
+3. `sysctl fs.binfmt_misc.status=0`
 
 Disables the registration of interpreters for miscellaneous binary formats. Currently not
 feasible due to compatibility issues with Firefox.

usr/lib/sysctl.d/990-security-misc.conf

@@ -189,9 +189,11 @@ kernel.perf_event_paranoid=3
 #kernel.warn_limit=1
 
 ## Force immediate system reboots on the occurrence of a single kernel panic.
-## This is an extreme safety option which also creates a large opening for targeted denial of service attacks.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
-## KSPP=no
+## KSPP=yes
 ## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.

usr/libexec/security-misc/panic-on-oops

@@ -21,6 +21,6 @@ sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This is an extreme safety option which also creates
+## kernel panic. This reduces the risk and impact of both denial of
-## a large opening for targeted denial of service attacks.
+## service and cold boot attacks.
-#sysctl kernel.panic=-1
+sysctl kernel.panic=-1