Merge branch 'master' into master

Patrick Schleizer 2025-08-21 06:39:13 -04:00 committed by GitHub
commit 3229dd8967
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
34 changed files with 1860 additions and 207 deletions


@ -44,16 +44,15 @@ configuration file and significant hardening is applied to a myriad of component
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - Force the kernel to immediately panic on both "oopses" (which can potentially indicate
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
(when using Linux kernel >= 6.2) limit the number of allowed panics to one. risk and impact of both denial of service and cold boot attacks.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
the source of numerous kernel exploits.
#### User space #### User space
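Review bot: the rewritten panic bullet (old lines 16-17 of the hunk) drops the statement that the number of allowed panics is limited to one on kernel >= 6.2, so the README no longer says whether that limit is still applied; restate it or note that it was removed. The new wording also presents forced reboot on panic as reducing denial-of-service and cold-boot risk without the caveat, present in the optional-settings text removed elsewhere in this README, that it "may lead to unexpected system crashes"; keep that caveat next to the now-default setting.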
@ -221,12 +220,10 @@ Kernel space:
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - Use kCFI as the default CFI implementation as it is more resilient to attacks that are
since it may be slightly more resilient to attacks that are able to write able to write arbitrary executables into memory omitting the necessary hash validation.
arbitrary executables in memory.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface.
to reduce attack surface.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends. and other persistent data to either the UEFI variable storage or ACPI ERST backends.
@ -280,23 +277,15 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
2. `sysctl kernel.panic=-1`
Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
system crashes.
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
**Non-compliance:** **Non-compliance:**
3. `sysctl user.max_user_namespaces=0` 2. `sysctl user.max_user_namespaces=0`
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
4. `sysctl fs.binfmt_misc.status=0` 3. `sysctl fs.binfmt_misc.status=0`
Disables the registration of interpreters for miscellaneous binary formats. Currently not Disables the registration of interpreters for miscellaneous binary formats. Currently not
feasible due to compatibility issues with Firefox. feasible due to compatibility issues with Firefox.
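Review bot: removing item 2 (`sysctl kernel.panic=-1`) deletes both the pull-request references (#264, #268) and the caveat "it may lead to unexpected system crashes"; since this commit turns the setting from optional into the default, the caveat and the PR links should move to where the default is described rather than disappear from the README.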
@ -712,6 +701,19 @@ See:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129 * https://forums.whonix.org/t/cannot-use-pkexec/8129
## Emergency shutdown
- Forcibly powers off the system if the drive the system booted from is
removed from the system.
- Forcibly powers off the system if a user-configurable "panic key sequence"
is pressed (Ctrl+Alt+Delete by default).
- Forcibly powers off the system if
`sudo /run/emerg-shutdown --instant-shutdown` is called.
- Optional - Forcibly powers off the system if shutdown gets stuck for longer
than a user-configurable number of seconds (30 by default). Requires tuning
by the user to function properly, see notes in
`/etc/security-misc/emerg-shutdown/30_security_misc.conf`.
## Application-specific hardening ## Application-specific hardening
- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
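Review bot: the new section says the panic key sequence is "Ctrl+Alt+Delete by default", but the default shipped in `30_security_misc.conf` in this commit ends in `KEY_END` and the changelog entry reads "Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete"; correct the README to Ctrl+Alt+End. The changelog in this commit also records `emerg-shutdown.service` being disabled ("breaks ISO Live Mode Calamares installer"), so the section should state that the service ships disabled and how to enable it, otherwise readers will assume the root-device-removal trigger is active.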
@ -723,20 +725,14 @@ See:
- Deactivates thumbnails in Thunar. - Deactivates thumbnails in Thunar.
- Rationale: lower attack surface when using the file manager - Rationale: lower attack surface when using the file manager
- https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904
- Thunderbird is hardened with the following options:
- Displays domain names in punycode to prevent IDN homograph attacks (a
form of phishing).
- Strips email client information from sent email headers.
- Strips user time information from sent email headers by replacing the
originating time zone with UTC and rounding the timestamp to the nearest
minute.
- Disables scripting when viewing PDF files.
- Disables implicit outgoing connections.
- Disables all and any kind of telemetry.
- Security and privacy enhancements for gnupg's config file - Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also: `/etc/skel/.gnupg/gpg.conf`. See also:
- https://raw.github.com/ioerror/torbirdy/master/gpg.conf - https://raw.github.com/ioerror/torbirdy/master/gpg.conf
- https://github.com/ioerror/torbirdy/pull/11 - https://github.com/ioerror/torbirdy/pull/11
- Hardens SSH client
`/etc/ssh/ssh_config.d/30_security-misc.conf`
- Hardens SSH server
`/etc/ssh/sshd_config.d/30_security-misc.conf`
### Project scope of application-specific hardening ### Project scope of application-specific hardening
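Review bot: the Thunderbird hardening bullets are removed together with the prefs file deleted later in this commit, but no reason is given, while neighbouring entries (Thunar) carry a "Rationale" line; add one sentence on why the Thunderbird settings were dropped or where they moved. The new SSH bullets name only the file paths; a one-line summary of what each enforces (ed25519-only host and user keys, restricted ciphers and key exchange, agent/TCP/X11 forwarding off on the server) would match the level of detail of the other entries.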


@ -28,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
3\. Add the derivative repository. 3\. Add the derivative repository.
``` ```
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
``` ```
4\. Update your package lists. 4\. Update your package lists.
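Review bot: step 3 now hard-codes `trixie`; users still on bookworm who follow these instructions will configure the trixie repository. Either state the supported release at the top of the instructions or present the codename as a placeholder to substitute.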


@ -1,3 +1,167 @@
commit 3629f2c3a59d44e265f0c66389435de1b2414998
Merge: 5dc251c c59a3b2
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 10 02:25:48 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit c59a3b233bd8893d466c020a2e2695ab545c6e60
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sat Aug 9 21:55:03 2025 -0500
Fix unexpected shutdowns when booting Kicksecure from optical media
commit 5dc251c5da724092d264481740e4f6ed347aa0a7
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Aug 9 09:45:35 2025 +0000
bumped changelog version
commit 046c932898290d250a7900e3c59973a698e5c55f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Aug 9 05:40:11 2025 -0400
`disable emerg-shutdown.service`:
Disabled due to bug: breaks ISO Live Mode Calamares installer
commit 0cc0a8310020afc10de6512095336e55559a84d9
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Aug 7 07:08:19 2025 +0000
bumped changelog version
commit 505a2b7d7995ad48a17add86513ced3499f64ee9
Merge: 4294165 3a77abe
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Aug 7 03:08:02 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 3a77abe5c9807caec530e69c41d5cf803b625e70
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 20:05:57 2025 -0500
Port hardening options from kloak to emerg-shutdown, fix new compiler warnings
commit 0c1af00aae50dba2983c3736744e0da320bb9330
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:33:38 2025 -0500
Implement paranoid mode in emerg-shutdown
commit 29480df770047c8ada3e993cf28f87ffbfd71dec
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:24:34 2025 -0500
Improve emerg-shutdown usage documentation
commit 2a3bc39eba317d5f9b0e710dd3663c82d92add94
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:10:37 2025 -0500
Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete
commit 44e7d3059a5618991a1408f77707132bfea86fef
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Wed Aug 6 19:10:14 2025 -0500
Integrate emerg-shutdown into the initramfs
commit 42941653621311187650f12e8d7aa39c45cb6984
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Aug 6 08:27:15 2025 +0000
bumped changelog version
commit 784ff8af3616765a9c22febf66b522376ecedf12
Merge: c2690ef 5a17e67
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Aug 6 04:26:37 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 5a17e67c0a7678300f6342d5c90ded5494ebc838
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Tue Aug 5 20:14:07 2025 -0500
Fix local-fs.target dependency in emerg-shutdown.service
commit c2690efcacbf7be7c57751ba1cee7f910d350cfc
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon Aug 4 09:27:11 2025 +0000
bumped changelog version
commit 166bc257b0b2eea87d684cc847bf6da1fba7c4b4
Merge: d1bca02 63f2909
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon Aug 4 05:26:55 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 63f29093416a5f21ae14b398cf805c864b5541d7
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun Aug 3 15:00:14 2025 -0500
Fix emerg-shutdown and ensure-shutdown libexec scripts, start emerg-shutdown and ensure-shutdown earlier
commit d1bca0204fa1dac9ec3fb6e9b121af9526778181
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 3 11:33:03 2025 +0000
bumped changelog version
commit 92bcd824e4af8a90a18a7726d4a5715c0b20e2ca
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 3 07:17:25 2025 -0400
also parse /usr/local/etc
commit 4da810c8fa4fd40b8701e7dfe217125d965ee03e
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 3 07:16:00 2025 -0400
comment
commit b9416fa77a1e8850c5f579314875671799a55c60
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 3 07:15:41 2025 -0400
validate configuration file
commit 4ba029471e8c12d5691f7ee94897137fb3cbe15f
Merge: c1e76aa 1a60da7
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 3 07:04:20 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown'
commit 1a60da71eddfcc6fb72a34596c770cd754146887
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Tue Jul 29 21:16:51 2025 -0500
emerg-shutdown: Add shutdown timeout for preventing stuck shutdowns, briefly document feature set and usage
commit e42078e90d7d7e5339a7c4682eb93c844fd38580
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Mon Jul 28 20:42:14 2025 -0500
emerg-shutdown: fix the hang-on-shutdown bug, add autodetection of new keyboards, shutdown key configuration, and instant shutdown option
commit a1d1c5603300106f06c1a798088521b77430ff95
Merge: 5889d13 c1e76aa
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun Jul 27 21:43:43 2025 -0500
Merge branch 'master' into arraybolt3/emerg-shutdown
commit c1e76aa52cd28f38c1ab6550e0f4de0010a9ea14
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon Jul 21 10:00:25 2025 +0000
bumped changelog version
commit 36114e29a2ce1045b5f5d82372fcf0463efc5ca7 commit 36114e29a2ce1045b5f5d82372fcf0463efc5ca7
Merge: e3ce9c3 f851886 Merge: e3ce9c3 f851886
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
@ -14,12 +178,43 @@ Date: Mon Jul 21 05:58:44 2025 -0400
Enable `indirect_target_selection=force` Enable `indirect_target_selection=force`
commit 5889d134a23b3d4f8db5d81171ea12907bb10d4d
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun Jul 20 14:14:09 2025 -0500
emerg-shutdow: Improve recvmsg handling, call reboot syscall directly
commit 6f9763f525097b8f8ad5f9864c1694a2642e1bd6 commit 6f9763f525097b8f8ad5f9864c1694a2642e1bd6
Author: raja-grewal <rg_public@proton.me> Author: raja-grewal <rg_public@proton.me>
Date: Sat Jul 19 05:19:27 2025 +0000 Date: Sat Jul 19 05:19:27 2025 +0000
Enable `indirect_target_selection=force` Enable `indirect_target_selection=force`
commit b745c8ddae74d5e1684919442fa74d64e95263b8
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Mon Jul 14 21:51:52 2025 -0500
emerg-shutdown: Enable actual shutdown code, fix infinite loop when started too early
commit e387086de4b6e6b90b23d4c32ddf8a566beb858c
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Mon Jul 14 21:05:16 2025 -0500
Allow specifying alternative keys in panic key combo, fix optical disk eject handling
commit dfb6f143f0324d0903ae2dd106bc0fb6907c1cb0
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun Jul 13 20:53:29 2025 -0500
Add panic key handling to emergency shutdown utility
commit 2a7071055f94f984398fe2ec49c32b206913bea2
Merge: f3d46ee e3ce9c3
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Sun Jul 13 15:21:34 2025 -0500
Merge branch 'master' into arraybolt3/emerg-shutdown
commit e3ce9c38c5b241f789945de7229c0ee15fa0a266 commit e3ce9c38c5b241f789945de7229c0ee15fa0a266
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 2 20:52:17 2025 +0000 Date: Wed Jul 2 20:52:17 2025 +0000
@ -473,6 +668,12 @@ Date: Thu May 15 15:06:10 2025 -0400
* Only rudimentary tests were conducted * Only rudimentary tests were conducted
commit f3d46ee56233c4ef0552c20304413d137e90acfe
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Fri May 9 18:46:41 2025 -0500
Add emergency shutdown feature, triggered by root device removal
commit 341dce33fb806ab03822470e6af91604662c22dd commit 341dce33fb806ab03822470e6af91604662c22dd
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Apr 25 09:54:23 2025 +0000 Date: Fri Apr 25 09:54:23 2025 +0000

debian/changelog

@ -1,3 +1,39 @@
security-misc (3:47.0-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 10 Aug 2025 06:34:30 +0000
security-misc (3:46.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sat, 09 Aug 2025 09:45:34 +0000
security-misc (3:46.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 07 Aug 2025 07:08:19 +0000
security-misc (3:46.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 06 Aug 2025 08:27:15 +0000
security-misc (3:46.6-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Mon, 04 Aug 2025 09:27:11 +0000
security-misc (3:46.5-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 03 Aug 2025 11:33:03 +0000
security-misc (3:46.4-1) unstable; urgency=medium security-misc (3:46.4-1) unstable; urgency=medium
* New upstream version (local package). * New upstream version (local package).
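Review bot: six consecutive entries all read "New upstream version (local package)" although this commit ships user-visible changes (emerg-shutdown and ensure-shutdown, new SSH client and server configs, `cfi=kcfi` and `ia32_emulation=0` enabled by default, the Thunderbird prefs file removed, new `build-essential` and `memlockd` dependencies); at least the release that flips kernel parameters should say so in debian/changelog so that users reading it on upgrade are told.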

debian/control

@ -13,13 +13,14 @@ Build-Depends: config-package-dev,
Homepage: https://www.kicksecure.com/wiki/Security-misc Homepage: https://www.kicksecure.com/wiki/Security-misc
Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc
Vcs-Git: https://github.com/Kicksecure/security-misc.git Vcs-Git: https://github.com/Kicksecure/security-misc.git
Standards-Version: 4.6.2 Standards-Version: 4.7.2
Rules-Requires-Root: no Rules-Requires-Root: no
Package: security-misc Package: security-misc
Architecture: all Architecture: all
Depends: adduser, Depends: adduser,
apparmor-profile-dist, apparmor-profile-dist,
build-essential,
dmsetup, dmsetup,
helper-scripts, helper-scripts,
libcap2-bin, libcap2-bin,
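Review bot: `build-essential` is added as a runtime `Depends` of an `Architecture: all` package; that installs a full compiler toolchain on every system that installs security-misc, which widens the attack surface the package exists to reduce. If it is needed only to build emerg-shutdown, it belongs in `Build-Depends` with the compiled binary shipped in the package; if compiling at install time is intended, the reason should be documented.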
@ -27,6 +28,7 @@ Depends: adduser,
libpam-modules-bin, libpam-modules-bin,
libpam-runtime, libpam-runtime,
libpam-umask, libpam-umask,
memlockd,
python3, python3,
secure-delete, secure-delete,
sudo, sudo,
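Review bot: the new `memlockd` dependency is not explained anywhere on this page (README, changelog or config comments); add a README or changelog note on what it is used for and whether security-misc ships a memlockd configuration.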


@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## The default implementation is FineIBT as of Linux kernel 6.2. ## The default implementation is FineIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in some performance benefits as it only performs checking at destinations. ## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
## Do not modify from the default setting if unsure of implications.
## ##
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lwn.net/Articles/891976/
## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
## https://docs.kernel.org/next/x86/shstk.html ## https://docs.kernel.org/next/x86/shstk.html
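Review bot: the removed lines "Choice of CFI implementation is highly dependent on user threat model" and "Do not modify from the default setting if unsure of implications" were the only text telling readers this is a trade-off; since the following hunk enables `cfi=kcfi` unconditionally, keep one sentence stating that on IBT-capable CPUs this gives up FineIBT's hardware-assisted checking for software-only kCFI, and how to opt out. The new line "kCFI mandates hash validation at the source (which is randomized)" should say what is randomized, so it is not read as the call site being randomized.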
@ -205,12 +204,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes ## KSPP=yes
## KSPP sets the kernel parameter. ## KSPP sets the kernel parameter.
## ##
## TODO: Debian 13 Trixie GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
## Disable support for x86 processes and syscalls. ## Disable support for all 32-bit x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
## ##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
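Review bot: uncommenting `cfi=kcfi` also deletes the only note that the parameter applies to Linux >= 6.2; keep a minimum-version comment (in the "## Applicable when using Linux kernel >= ..." form used before) so readers of a backported or self-built kernel know when the line takes effect.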
@ -218,10 +214,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes ## KSPP=yes
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
## ##
## TODO: Debian 13 Trixie GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature. ## Disable EFI persistent storage feature.
## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
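Review bot: enabling `ia32_emulation=0` unconditionally removes the ability to run any 32-bit x86 binary ("Unconditionally disables IA32 emulation"), yet the matching README bullet in this commit mentions only attack-surface reduction. Add the compatibility impact and how to opt out to this comment block, and keep the kernel >= 6.7 note that is deleted here, as for `cfi=kcfi`.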


@ -7,14 +7,17 @@
## KSPP=no: not (currently) compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
## Disable access to single-user (recovery) mode. ## Disable access to the GRUB single-user (recovery) mode menu entries.
## ##
## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
## ##
GRUB_DISABLE_RECOVERY="true" GRUB_DISABLE_RECOVERY="true"
## Disable access to Dracut's recovery console. ## Disable access to Dracut's recovery console.
## Prevents the emergency shell from starting automatically during boot failures.
## ##
## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
## ##
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
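Review bot: the new comment says the emergency shell is prevented from starting but not what happens instead; with `rd.emergency=halt` a failed initramfs boot halts with no prompt at all, so state that recovery then requires booting other media, so the behaviour is not mistaken for a hang.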


@ -27,7 +27,7 @@ blacklist sr_mod
## Partial selection of their infrastructure blacklist. ## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted. ## Duplicate and already disabled modules have been omitted.
## ##
## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf ## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
## ##
#blacklist cfg80211 #blacklist cfg80211
#blacklist intel_agp #blacklist intel_agp


@ -0,0 +1,34 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/security-misc/emerg-shutdown/50_user.conf" or
## "/usr/local/etc/security-misc/emerg-shutdown/50_user.conf"
## for your custom configuration, which will override the defaults found here.
## When Kicksecure is updated, this file may be overwritten.
## Set the key combo for forcing immediate shutdown. See the "Keys and
## buttons" section of "/usr/include/linux/input-event-codes.h" for possibly
## supported values. Not all keys are supported.
##
## All specified keys must be depressed at the same time to trigger a
## shutdown. Use a comma (",") to separate keys. If you want to alias certain
## keys to each other from emerg-shutdown's standpoint, use a pipe
## character("|").
##
## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
## pressed, allowing the use of either the left or right Ctrl and Alt keys.
EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END"
## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
## for longer than this, the system will forcibly power down.
##
## NOTE: This requires ensure-shutdown.service and
## ensure-shutdown-trigger.service to be enabled, which is not done by
## default. Enabling ensure-shutdown.service will cause shutdown to always
## take at least as long as systemd's DefaultTimeoutStopSec (which by default
## is 90 seconds). If you are going to enable ensure-shutdown.service, it is
## highly recommended to set DefaultTimeoutStopSec to a much smaller value,
## such as 5 seconds. The maximum shutdown time set here should be at least 10
## seconds *longer* than DefaultTimeoutStopSec, to give normal shutdown a
## chance to actually succeed before forcibly shutting down the system.
ENSURE_SHUTDOWN_TIMEOUT=30
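Review bot: the comment "The default key sequence triggers a shutdown when Ctrl+Alt+Delete is pressed" contradicts the value set directly below it, which ends in `KEY_END` (Ctrl+Alt+End, matching the commit "Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete"); fix the comment. The timeout guidance (timeout at least 10 seconds longer than `DefaultTimeoutStopSec`) implies the shipped `ENSURE_SHUTDOWN_TIMEOUT=30` is only valid once `DefaultTimeoutStopSec` has been lowered to 20 seconds or less; say so explicitly next to the value, since the README describes this as requiring tuning by the user.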


@ -2,4 +2,6 @@
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Disable coredumps. ## Disable coredumps.
## `-` in the second field sets both hard and soft limits at the same time.
## See `man 5 limits.conf`.
* - core 0 * - core 0


@ -0,0 +1,22 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSH, such as
## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
## need to be system-wide, you may also consider placing overrides in
## ~/.ssh/config.
## See also:
## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
Host *
VisualHostKey yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override
## the above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
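Review bot: restricting `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms` to ed25519 under `Host *` means connections to any server that only offers RSA or ECDSA host keys, and authentication with existing RSA user keys, fail with this file in place; the header points to 50_user.conf and ~/.ssh/config for overrides, but stating this consequence and showing a per-host override (as the sshd file does with its `Match` example) would save users a confusing "no matching host key type found" error.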


@ -0,0 +1,78 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSHD, such as
## '/etc/ssh/sshd_config.d/50_user.conf'.
## See also:
## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
## Number of allowed login attempts per connection.
MaxAuthTries 3
## Require strong ciphers and algorithms.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override the
## above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
## Override with 'no' to fully deny root login, or leave this as
## 'prohibit-password' for denying root password login but still allowing
## other authentication methods such as public key.
PermitRootLogin prohibit-password
## Public key authentication is transparent, non-interactive and more secure.
PasswordAuthentication no
## Change to 'yes' to enable challenge-response passwords (beware issues with
## some PAM modules and threads)
KbdInteractiveAuthentication no
## PAM can be used for account and session processing when using
## ChallengeResponseAuthentication or PasswordAuthentication.
##
## Depending on your PAM configuration, PAM authentication via
## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
## without-password".
##
## If you want PAM account and session checks to run without PAM
## authentication, then enable this but set PasswordAuthentication and
## ChallengeResponseAuthentication to 'no'.
##
## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
## account, read:
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
## We set it to 'yes' to work with libpam-tmpdir.
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
## Also folders such as '/run/user/1000' will exist thanks to PAM.
## The absence of that folder can lead to issues (such as with msgcollector).
UsePAM yes
## Block dangerous forwarding.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
## Hide unnecessary login banners.
PrintMotd no
#Banner /etc/issue.net
#Hiding Debian version from SSH banner (obscurity)
DebianBanner no
## Some options are dangerous but may be required in certain circumstances. As
## an example, if forwarding is required, selectively allow it with a 'Match'
## block. Consider a new separate user named 'tunnel' which wants to forward
## its local port to be available on the server on port 443. Note that a
## tunnel user doesn't even require a TTY nor a shell, so don't forget to
## change the 'tunnel' shell to something that prevents login such as
## '/usr/sbin/nologin'.
#Match User tunnel
# AllowTcpForwarding yes
# PermitListen localhost:443
# PermitTTY no
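Review bot: the PAM comment block refers to `ChallengeResponseAuthentication` and `PermitRootLogin without-password`, which are the deprecated aliases of the `KbdInteractiveAuthentication` and `prohibit-password` directives actually set in this file; use the current names in the comments so readers do not search for options the file does not set. The `Ciphers` line here also omits `aes256-ctr`, which the client config added in this commit allows; the asymmetry looks unintended and deserves either alignment or a comment.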


@ -1,59 +0,0 @@
//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
//#### See the file COPYING for copying conditions.
//#### meta start
//#### project Whonix and Kicksecure
//#### category security and apps
//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
//#### meta end
// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
pref("network.IDN_show_punycode", true);
// Disable all and any kind of telemetry by default
pref("toolkit.telemetry.enabled", false);
pref("toolkit.telemetry.unified", false);
pref("toolkit.telemetry.shutdownPingSender.enabled", false);
pref("toolkit.telemetry.updatePing.enabled", false);
pref("toolkit.telemetry.archive.enabled", false);
pref("toolkit.telemetry.bhrPing.enabled", false);
pref("toolkit.telemetry.firstShutdownPing.enabled", false);
pref("toolkit.telemetry.newProfilePing.enabled", false);
pref("toolkit.telemetry.server", ""); // Defense in depth
pref("toolkit.telemetry.server_owner", ""); // Defense in depth
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox
pref("toolkit.coverage.opt-out", true); // from Firefox
// Disable implicit outbound traffic
pref("network.connectivity-service.enabled", false);
pref("network.prefetch-next", false);
pref("network.dns.disablePrefetch", true);
pref("network.predictor.enabled", false);
// No need to explain the problems with javascript
// If you want javascript, use your browser
// Thunderbird needs no javascript
// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now.
// Disable scripting when viewing pdf files
user_pref("pdfjs.enableScripting", false);
// If you want cookies, use your browser
pref("network.cookie.cookieBehavior", 2);
// Do not send user agent information
// For email clients, this is more like a relic of the past
// Completely not necessary and just exposes a lot of information about the client
// Since v115.0 Thunderbird already minimizes the user agent
// But we want it gone for good for no information leak at all
// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7
pref("mailnews.headers.sendUserAgent", false);
// Normally we send emails after marking them with a time stamp
// That includes our local time zone
// This option makes our local time zone appear as UTC
// And rounds the time stamp to the closes minute
// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719
pref("mail.sanitize_date_header", true);
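Review bot: `pdfjs.enableScripting` is set with `user_pref(` while every other line in this file uses `pref(`; for consistency with the rest of the system-wide prefs use `pref("pdfjs.enableScripting", false);`. Also a typo in the sanitize_date_header comment: "closes minute" should read "closest minute".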

View file

@ -0,0 +1,55 @@
## We allow devices that were plugged in before the daemon starts. Everything
## is blocked as the default. Following rules apply on top of this.
## Explicitly reject any interface that is not documented and/or defined by
## USB.org.
## Note: Most probably superfluous.
reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* }
## Allow all mouses and keyboards, in a sense, so the user can conveniently
## change them without restrating the daemon.
## Allow only one keyboard to be connected
allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })
## Allow only one mouse to be connected
allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 })
## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID
## devices that do not support a "boot interface". **These are blocked
## entirely.** It is very likely that this will cause issues with some mice
## and keyboards. Also note, all HID devices other than mice and keyboards
## will be blocked, **including touchscreens.**
## Explicitly reject any device with a mouse/keyboard interface in
## combination with some other interface.
## Mice and keyboards should likely never have non-HID interfaces provided
## alongside them.
reject with-interface all-of { 03:*:* 00:*:* }
reject with-interface all-of { 03:*:* 01:*:* }
reject with-interface all-of { 03:*:* 02:*:* }
reject with-interface all-of { 03:*:* 05:*:* }
reject with-interface all-of { 03:*:* 06:*:* }
reject with-interface all-of { 03:*:* 07:*:* }
reject with-interface all-of { 03:*:* 08:*:* }
reject with-interface all-of { 03:*:* 09:*:* }
reject with-interface all-of { 03:*:* 0a:*:* }
reject with-interface all-of { 03:*:* 0b:*:* }
reject with-interface all-of { 03:*:* 0d:*:* }
reject with-interface all-of { 03:*:* 0e:*:* }
reject with-interface all-of { 03:*:* 0f:*:* }
reject with-interface all-of { 03:*:* 10:*:* }
reject with-interface all-of { 03:*:* 11:*:* }
reject with-interface all-of { 03:*:* 12:*:* }
reject with-interface all-of { 03:*:* 13:*:* }
reject with-interface all-of { 03:*:* 14:*:* }
reject with-interface all-of { 03:*:* 3c:*:* }
reject with-interface all-of { 03:*:* dc:*:* }
reject with-interface all-of { 03:*:* e0:*:* }
reject with-interface all-of { 03:*:* ef:*:* }
reject with-interface all-of { 03:*:* fe:*:* }
reject with-interface all-of { 03:*:* ff:*:* }
## Allow USB mass storage, if and only if the USB device only has the mass
## storage interface and nothing extra.
## Suspicious interface combinations with mass storage are blocked.
allow with-interface equals { 08:*:* }
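Review bot: the comment says mice and keyboards are allowed "so the user can conveniently change them", but the `!allowed-matches(...)` guard means a replacement keyboard plugged in while the old one is still attached is rejected until the old one is unplugged; stating that explicitly next to the two allow rules would save confusion. Typos in the same block: "mouses" should be "mice" and "restrating" should be "restarting".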

View file

@ -0,0 +1,48 @@
#!/bin/bash
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## called by dracut
check() {
require_binaries /run/emerg-shutdown || return 1
return 255
}
## called by dracut
depends() {
echo 'systemd bash'
return 0
}
## called by dracut
install() {
local config_file
inst systemd-notify
inst_simple /usr/libexec/security-misc/emerg-shutdown
inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
inst_simple /run/emerg-shutdown /emerg-shutdown
for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
inst_multiple /etc/security-misc/emerg-shutdown/*.conf
break
fi
done
for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
break
fi
done
mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
}
## called by dracut
installkernel () {
hostonly='' instmods evdev
}
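Review bot: `check()` returns 1 when `/run/emerg-shutdown` is absent, and that binary only exists after `/usr/libexec/security-misc/emerg-shutdown` has compiled it into /run on the running host. If the initramfs is regenerated before that service has run (package build, fresh install, or a system where the unit is disabled by preset), the module is silently omitted and `inst_simple /run/emerg-shutdown /emerg-shutdown` never happens; at minimum log a warning in `check()`, or build the binary from /usr/src/security-misc/emerg-shutdown.c at initramfs build time instead of depending on a runtime artifact in /run.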

View file

@ -6,14 +6,14 @@
## configuration. When security-misc is updated, this file may be overwritten. ## configuration. When security-misc is updated, this file may be overwritten.
## Used for SSH client key management ## Used for SSH client key management
## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html ## https://manpages.debian.org/ssh-agent
## Debian installs ssh-agent with setgid permissions (2755) and with ## Debian installs ssh-agent with setgid permissions (2755) and with
## _ssh as the group to help mitigate ptrace attacks that could extract ## _ssh as the group to help mitigate ptrace attacks that could extract
## private keys from the agent's memory. ## private keys from the agent's memory.
ssh-agent matchwhitelist ssh-agent matchwhitelist
## Used only for SSH host-based authentication ## Used only for SSH host-based authentication
## https://linux.die.net/man/8/ssh-keysign ## https://manpages.debian.org/ssh-keysign
## Needed to allow access to the machine's host key for use in the ## Needed to allow access to the machine's host key for use in the
## authentication process. This is a non-default method of authenticating to ## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable. ## SSH, and is likely rarely used, thus this should be safe to disable.

View file

@ -164,14 +164,14 @@ kernel.sysrq=0
## ##
kernel.perf_event_paranoid=3 kernel.perf_event_paranoid=3
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. ## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Panics may be due to false-positives such as bad drivers. ## Panics may be due to false-positives such as bad drivers.
## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
## Oopses are serious but non-fatal errors. ## Oopses are serious but non-fatal errors.
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
## Forcing immediate system reboots on any single kernel panic is an extreme option.
## ##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@ -180,36 +180,40 @@ kernel.perf_event_paranoid=3
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
## ##
## KSPP=partial ## KSPP=yes
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
## ##
## See /usr/libexec/security-misc/panic-on-oops for implementation. ## See /usr/libexec/security-misc/panic-on-oops for implementation.
## ##
## TODO: Debian 13 Trixie
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#kernel.panic=-1
#kernel.panic_on_oops=1
#kernel.panic_on_warn=1
#kernel.oops_limit=1 #kernel.oops_limit=1
#kernel.warn_limit=1 #kernel.warn_limit=1
## Force immediate system reboots on the occurrence of a single kernel panic.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
##
## KSPP=yes
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
##
#kernel.panic=-1
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality. ## Will break out-dated screen readers that continue to rely on this legacy functionality.
## Note this was already disabled by default as of Linux kernel 6.2.
## ##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
## ##
## KSPP=yes ## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
## ##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0 dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes. ## Disable asynchronous I/O for all processes.
## Leading cause of numerous kernel exploits. ## Use of io_uring has been the leading cause of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices. ## Disabling will reduce the read/write performance of storage devices.
## ##
## https://en.wikipedia.org/wiki/Io_uring#Security ## https://en.wikipedia.org/wiki/Io_uring#Security
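Review bot: the removed "Linux kernel >= 6.2" caveat for `kernel.oops_limit` and `kernel.warn_limit` was the only place documenting that those keys do not exist on older kernels; since this file now only carries the commented-out keys and defers to /usr/libexec/security-misc/panic-on-oops, keep a one-line minimum-kernel note next to `#kernel.oops_limit=1` (or in the script header) so that a failure of the unconditional `sysctl kernel.oops_limit=1` on an older kernel is understood rather than reported as a bug.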
@ -218,9 +222,6 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762 ## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2 kernel.io_uring_disabled=2
## 2. User Space: ## 2. User Space:
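Review bot: `kernel.io_uring_disabled` was introduced in Linux 6.6 and the deleted comment was the only mention of that; on older kernels systemd-sysctl logs an error for the unknown key. If the intent is to drop pre-6.6 support, say so in the section header; otherwise keep the version note.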

View file

@ -17,3 +17,12 @@ disable proc-hidepid.service
## Disable due to issues. See: ## Disable due to issues. See:
## https://github.com/Kicksecure/security-misc/issues/159 ## https://github.com/Kicksecure/security-misc/issues/159
disable harden-module-loading.service disable harden-module-loading.service
## TODO: polish, test
## Disable due to timing difficulties. See:
## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852
disable ensure-shutdown.service
disable ensure-shutdown-trigger.service
## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer
disable emerg-shutdown.service
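Review bot: disabling emerg-shutdown.service here does not keep it off a live ISO, because ensure-shutdown.service in this commit declares `Wants=emerg-shutdown.service`, and Wants= pulls a unit in regardless of its enablement state. Either add a `ConditionPathExists=` (or a Calamares-specific condition) to emerg-shutdown.service itself, or extend the TODO to say the preset alone is insufficient once ensure-shutdown is enabled.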

View file

@ -0,0 +1,29 @@
## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This unit, if uncommented and started, will prevent the system from ever
## shutting down unless ensure-shutdown.service is enabled and correctly
## configured. If you have enabled ensure-shutdown.service and tuned the
## ENSURE_SHUTDOWN_TIMEOUT and DefaultTimeoutStopSec variables (in
## /etc/security-misc/emerg-shutdown/30_security_misc.conf and
## /etc/systemd/system.conf respectively) and want to make sure
## ensure-shutdown.service actually works, you can uncomment this unit and
## start it with `sudo systemctl start block-shutdown.service`. If the systems
## successfully powers down even with this unit started,
## ensure-shutdown.service is working.
# [Unit]
# Description=Blocks shutdown indefinitely unless ensure-shutdown.service is enabled
#
# [Service]
# Type=exec
# ExecStart=bash -c -- "trap '' SIGTERM; sleep infinity"
# KillSignal=SIGTERM
# FinalKillSignal=SIGTERM
# RestartKillSignal=SIGTERM
# WatchdogSignal=SIGTERM
# SendSIGHUP=no
# TimeoutStopSec=infinity
#
# [Install]
# WantedBy=multi-user.target
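Review bot: typo in the comment: "If the systems successfully powers down" should read "If the system successfully powers down". It would also help to state in the comment that `TimeoutStopSec=infinity` together with `FinalKillSignal=SIGTERM` is what defeats systemd's own SIGKILL escalation, so that a later reader does not "correct" those two lines and silently break the test.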

View file

@ -0,0 +1,20 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]
Description=Emergency shutdown when boot media is removed
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=systemd-udevd.service
After=systemd-udevd.service
Requires=local-fs.target
After=local-fs.target
[Service]
Type=notify
ExecStart=/usr/libexec/security-misc/emerg-shutdown
NotifyAccess=main
[Install]
WantedBy=sysinit.target
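Review bot: `Type=notify` with `NotifyAccess=main` expects READY=1 from the main PID, but ExecStart is a bash wrapper that sends the notification through the separate `systemd-notify` process and then runs the binary as a child; depending on the systemd version that message can be rejected as coming from a non-main PID, leaving the unit stuck in "activating" and, given `Before=sysinit.target`, delaying early boot. Verify on the target systemd version, and if it is a problem use `NotifyAccess=all` or have the wrapper `exec` the binary and let the C program call sd_notify itself.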

View file

@ -0,0 +1,18 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## NOTE: If enabling this unit, also enable ensure-shutdown.service, otherwise
## this will do nothing.
[Unit]
Description=Forcibly shut down the system if normal shutdown gets stuck (alternate trigger unit)
Documentation=https://github.com/Kicksecure/security-misc
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=true
ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'
[Install]
WantedBy=multi-user.target
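Review bot: `ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'` opens the path for writing with no timeout; if /run/emerg-shutdown-trigger is a FIFO and the `--monitor-fifo` reader has died, open() blocks until TimeoutStopSec expires, and if the path does not exist the redirection silently creates a regular file instead of reporting an error. Guard the write with `[ -p /run/emerg-shutdown-trigger ]` and a `timeout`, since this unit's only purpose is to unstick a shutdown.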

View file

@ -0,0 +1,25 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## NOTE: If enabling this unit, also enable ensure-shutdown-trigger.service,
## otherwise this will likely be unable to unstick a stuck shutdown.
[Unit]
Description=Forcibly shut down the system if normal shutdown gets stuck
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=systemd-udevd.service
After=systemd-udevd.service
Wants=emerg-shutdown.service
After=emerg-shutdown.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/libexec/security-misc/ensure-shutdown
ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'
KillMode=process
[Install]
WantedBy=sysinit.target
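Review bot: with `Type=oneshot`, `RemainAfterExit=true` and `KillMode=process`, the monitor that /usr/libexec/security-misc/ensure-shutdown backgrounds and disowns survives a `systemctl stop`, so a subsequent `systemctl start` spawns a second monitor on the same FIFO; document that restarts are not supported or have the script refuse to start a duplicate. The `ExecStop=` line is also identical to the one in ensure-shutdown-trigger.service, so with both units enabled the FIFO is written twice at shutdown; state in a comment that the monitor tolerates a repeated trigger.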

View file

@ -2,7 +2,7 @@
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
[Unit] [Unit]
Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process.
Documentation=https://github.com/Kicksecure/security-misc Documentation=https://github.com/Kicksecure/security-misc
ConditionKernelCommandLine=!panic-on-oops=0 ConditionKernelCommandLine=!panic-on-oops=0

View file

@ -0,0 +1,9 @@
SUBSYSTEM!="input", GOTO="end"
# new keyboard or mouse attached or removed, restart emerg-shutdown
KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service"
KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end"
KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service"
KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end"
LABEL="end"
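Review bot: `RUN+="/usr/bin/systemctl restart emerg-shutdown.service"` starts the unit even when it is inactive, so a keyboard hotplug brings up a service that the preset file in this commit deliberately disables; use `try-restart`, which only acts on an already-running unit. The two `GOTO="end"` rules are redundant because `LABEL="end"` is the next line anyway, and the comment says "keyboard or mouse" while only `ENV{ID_INPUT_KEYBOARD}=="1"` is matched; either add an `ID_INPUT_MOUSE` rule or fix the comment.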

View file

@ -1,46 +0,0 @@
#!/bin/bash
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## TODO: Move this to helper-scripts.
set -o errexit
set -o nounset
set -o errtrace
set -o pipefail
command -v start-stop-daemon >/dev/null
command -v timeout >/dev/null
command -v apt-get >/dev/null
export LC_ALL=C
pidfile="/run/helper-scripts/security-misc-apt-get-update-pid"
sigterm_trap() {
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
exit 143
}
## terminate potential previous invocations.
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
trap "sigterm_trap" SIGTERM SIGINT
[[ -v timeout_after ]] || timeout_after="600"
[[ -v kill_after ]] || kill_after="10"
start-stop-daemon \
--make-pidfile \
--pidfile "$pidfile" \
--exec /usr/bin/timeout \
--start \
-- \
--kill-after="$kill_after" \
"$timeout_after" \
apt-get update --error-on=any "$@" &
lastpid="$!"
wait "$lastpid"
exit "$?"

View file

@ -1,21 +0,0 @@
#!/bin/bash
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -x
set -e
set -o pipefail
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
wc -L "/var/lib/apt/lists/"*InRelease
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'

View file

@ -7,4 +7,4 @@ set -e
title="$0: password required for $(whoami) to perform action as superuser" title="$0: password required for $(whoami) to perform action as superuser"
zenity --password --title="$title" yad --password --title="$title"

View file

@ -0,0 +1,79 @@
#!/bin/bash
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -o errexit
set -o nounset
set -o errtrace
set -o pipefail
## Make sure globs sort in a predictable, reproducible fashion
export LC_ALL=C
in_dracut='false'
if [ -f '/dracut-state.sh' ]; then
in_dracut='true'
fi
binary_prefix='/run'
EMERG_SHUTDOWN_KEYS=''
root_devices[0]=''
## Taken from kloak/Makefile, see it for more information
gcc_hardening_options=(
"-Wall" "-Wformat" "-Wformat=2" "-Wconversion"
"-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit"
"-Werror=int-conversion" "-Werror=incompatible-pointer-types"
"-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3"
"-fstack-clash-protection" "-fstack-protector-strong"
"-fno-delete-null-pointer-checks" "-fno-strict-overflow"
"-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full"
"-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now"
"-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
)
## Read emergency shutdown key configuration
for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
bash -n "${config_file}"
source "${config_file}"
fi
done
if [ "${in_dracut}" = 'true' ]; then
binary_prefix=''
modprobe evdev || {
printf '%s\n' 'Failed to load evdev driver!'
exit 1
}
## modules may not work immediately after loaded, give them time to
## initialize
sleep 0.1
else
## Find the devices that make up the root device
readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
## Build the actual emerg-shutdown executable
if [ ! -f '/run/emerg-shutdown' ]; then
gcc \
-o \
/run/emerg-shutdown \
-static \
"${gcc_hardening_options[@]}" \
/usr/src/security-misc/emerg-shutdown.c \
|| {
printf "%s\n" 'Could not compile force-shutdown executable!'
exit 1
}
fi
## memlockd daemonizes itself, so no need to background it.
memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
fi
systemd-notify --ready
## Launch emerg-shutdown
OLDIFS="$IFS"
IFS=','
"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
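Review bot: the binary is run as a child of the wrapper rather than `exec`ed, so the main PID of emerg-shutdown.service stays this bash process and signals from systemd reach the C program only indirectly; `exec "${binary_prefix}/emerg-shutdown" ...` on the last line fixes that, and makes the saved-but-never-restored `OLDIFS` unnecessary (IFS=',' is only needed for the `"${root_devices[*]}"` join). Building at boot also makes gcc a hard runtime dependency; if that is intended, the error message should mention a missing compiler, and it still says "force-shutdown executable" although the binary is called emerg-shutdown. Minor: stray `;` after `|| true` in the readarray line.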

View file

@ -0,0 +1,31 @@
#!/bin/bash
# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
# See the file COPYING for copying conditions.
set -o errexit
set -o nounset
set -o errtrace
set -o pipefail
source /usr/libexec/helper-scripts/strings.bsh
## Make sure globs sort in a predictable, reproducible fashion
export LC_ALL=C
## Read emergency shutdown key configuration
for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
if [ -f "${config_file}" ]; then
bash -n "${config_file}"
source "${config_file}"
fi
done
if [ -z "${ENSURE_SHUTDOWN_TIMEOUT}" ] \
|| ! is_whole_number "${ENSURE_SHUTDOWN_TIMEOUT}"; then
ENSURE_SHUTDOWN_TIMEOUT=30;
fi
/run/emerg-shutdown --monitor-fifo "--timeout=${ENSURE_SHUTDOWN_TIMEOUT}" &
sleep 1
disown
exit 0
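Review bot: with `set -o nounset`, the test `[ -z "${ENSURE_SHUTDOWN_TIMEOUT}" ]` aborts the script with an unbound-variable error whenever no config file sets the variable, so the default of 30 is never applied; initialise `ENSURE_SHUTDOWN_TIMEOUT=''` before the config loop (as the emerg-shutdown wrapper does for EMERG_SHUTDOWN_KEYS) or use `"${ENSURE_SHUTDOWN_TIMEOUT:-}"`. The `sleep 1; disown; exit 0` sequence also reports success when `/run/emerg-shutdown` is missing or exits immediately; check `kill -0 "$!"` after the sleep so the oneshot unit fails instead of silently leaving no monitor behind.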

View file

@ -12,12 +12,19 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
source /usr/libexec/helper-scripts/pre.bsh source /usr/libexec/helper-scripts/pre.bsh
fi fi
## Makes the kernel panic on oopses and warnings. This prevents the ## Makes the kernel immediately panic on both oopses and warnings.
## kernel from continuing to run a flawed processes. Many kernel ## These settings force a full system crash rather than continuing
## exploits will also cause an oops, these settings will make the ## to run after an inconsistent state is triggered by a potentially
## kernel kill the offending processes. ## flawed processes. The reasons for the errors could be kernel
#sysctl kernel.panic=-1 ## exploit attempts but may also simply be general software bugs.
sysctl kernel.panic_on_oops=1 ##
sysctl kernel.panic_on_warn=1 ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
#sysctl kernel.oops_limit=1 sysctl kernel.oops_limit=1
#sysctl kernel.warn_limit=1 ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This reduces the risk and impact of both denial of
## service and cold boot attacks.
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
sysctl kernel.panic=-1
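Review bot: `kernel.oops_limit` and `kernel.warn_limit` only exist on Linux >= 6.2 (the sysctl.conf comment saying so was removed in this commit), and `sysctl kernel.panic=-1` now comes last; if pre.bsh enables errexit, an unknown key on an older kernel aborts the script before the reboot setting is applied. Set `kernel.panic=-1` first, or append `|| true` plus a log line to the two limit sysctls, and document the minimum kernel in the header comment. Also "a flawed processes" should read "a flawed process".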

View file

@ -15,3 +15,6 @@ security-misc: uses-dpkg-database-directly [usr/bin/remount-secure]
## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. ## Special target to make sure this runs as non-parallelized as possible to avoid race conditions.
security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service]
## False-positive. Unit is commented out by default.
security-misc: systemd-service-file-missing-install-key [usr/lib/systemd/system/block-shutdown.service]

View file

@ -0,0 +1,21 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file should not be installed on the host system, it is intended for
## inclusion in a dracut initramfs only.
[Unit]
Description=Emergency shutdown when boot media is removed
Documentation=https://github.com/Kicksecure/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=systemd-udevd.service
After=systemd-udevd.service
[Service]
Type=notify
ExecStart=/usr/libexec/security-misc/emerg-shutdown
NotifyAccess=main
[Install]
WantedBy=sysinit.target

View file

@ -0,0 +1,2 @@
# Lock systemd and all of its library dependencies into memory
+/usr/bin/systemd

File diff suppressed because it is too large Load diff