diff --git a/README.md b/README.md index 93403b9..c1f1144 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,10 @@ Kernel space: - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). +- Force the kernel to panic on both "oopses", which can potentially indicate and thwart + certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. + Optional - Force immediate reboot on the occurrence of a single kernel panic and also + (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index caeb950..73c22d0 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -12,12 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses. This prevents the kernel -## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill -## the offending processes. +## Makes the kernel panic on oopses and warnings. This prevents the +## kernel from continuing to run a flawed processes. Many kernel +## exploits will also cause an oops, these settings will make the +## kernel kill the offending processes. #sysctl kernel.panic=-1 sysctl kernel.panic_on_oops=1 -#sysctl kernel.panic_on_warn=1 +sysctl kernel.panic_on_warn=1 #sysctl kernel.oops_limit=1 #sysctl kernel.warn_limit=1