From 45d20dd972e6501237d35d1605c81d4e3fde43b1 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 02:35:15 +0000 Subject: [PATCH] Upgrade sysctls and docs on kernel panics --- README.md | 11 +++++------ usr/lib/sysctl.d/990-security-misc.conf | 25 +++++++++++++++---------- usr/libexec/security-misc/panic-on-oops | 19 +++++++++++-------- 3 files changed, 31 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index ac12886..b124a7a 100644 --- a/README.md +++ b/README.md @@ -44,11 +44,10 @@ configuration file and significant hardening is applied to a myriad of component - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. +- Optional - Force immediate reboot on the occurrence of a single kernel panic. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. @@ -280,6 +279,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) +**Non-compliance:** + 2. `sysctl kernel.panic=-1` Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected 
@@ -288,8 +289,6 @@ system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) -**Non-compliance:** - 3. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index eaa671e..139e2e6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -164,14 +164,14 @@ kernel.sysrq=0 ## kernel.perf_event_paranoid=3 -## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. +## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## Forcing immediate system reboots on any single kernel panic is an extreme option. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops 
@@ -180,20 +180,25 @@ kernel.perf_event_paranoid=3 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=partial -## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP=yes +## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -## TODO: Debian 13 Trixie -## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## #kernel.panic=-1 -#kernel.panic_on_oops=1 -#kernel.panic_on_warn=1 #kernel.oops_limit=1 #kernel.warn_limit=1 +## Force immediate system reboots on the occurrence of a single kernel panic. +## This is an extreme safety option which also creates a large opening for targeted denial of service attacks. +## +## KSPP=no +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#kernel.panic=-1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 749eb3c..3c45a68 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses and warnings. This prevents the -## kernel from continuing to run a flawed processes. Many kernel -## exploits will also cause an oops, these settings will make the -## kernel kill the offending processes. +## Makes the kernel immediately panic on both oopses and warnings. +## This prevents the kernel from continuing to run a potentially +## flawed processes. Many kernel exploits will also cause an oops, +## these settings will make the kernel kill the offending processes. +sysctl kernel.oops_limit=1 +sysctl kernel.warn_limit=1 + +## Makes the system immediately reboot on the occur occurrence of +## a single kernel panic. This is an extreme safety option which also +## creates a large opening for targeted denial of service attacks. #sysctl kernel.panic=-1 -sysctl kernel.panic_on_oops=1 -sysctl kernel.panic_on_warn=1 -#sysctl kernel.oops_limit=1 -#sysctl kernel.warn_limit=1 +
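Review bot: In the README hunk at @@ -44, the rewritten first bullet drops the only user-facing statement that the behaviour depends on the kernel version: the old "Optional" bullet said the limits apply "when using Linux kernel >= 6.2", and that qualifier is now gone from both bullets even though the patch moves the whole mechanism onto `kernel.oops_limit` / `kernel.warn_limit`. Suggest keeping a short "(Linux kernel >= 6.2)" note on the first bullet so readers of the README know why the setting may be absent on older kernels.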
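Review bot: In the README hunks at @@ -280 and @@ -288, moving the "**Non-compliance:**" header above item 2 correctly places `sysctl kernel.panic=-1` under non-compliance, matching the new "KSPP=no" marker in the sysctl file, but item 2's explanation ("it may lead to unexpected system crashes") is now weaker than the sysctl comment added in the same patch ("creates a large opening for targeted denial of service attacks"). Suggest aligning the README text with that caveat so both documents describe the same trade-off.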
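Review bot: In the sysctl hunk at @@ -164, the inserted comment "Both allowed limits are set to one so that panics occur on the single first instance of either scenario." lands between the false-positive sentence and the definitions of oopses and warnings, so it refers to "limits" before the reader has been told what is being limited. Suggest moving that line down to sit directly above `#kernel.oops_limit=1` / `#kernel.warn_limit=1`, where the limits are introduced.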
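Review bot: In the sysctl hunk at @@ -180, deleting the "TODO: Debian 13 Trixie" block also deletes the sentence "The limits are applicable when using Linux kernel >= 6.2", which was the only record in this file that `kernel.oops_limit` and `kernel.warn_limit` do not exist on older kernels. Suggest keeping a one-line version note next to `#kernel.oops_limit=1` so the dependency is not lost, and leaving the now-commented `#kernel.panic_on_oops=1` / `#kernel.panic_on_warn=1` lines in place as the documented fallback for kernels without the limit sysctls.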
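Review bot: In the panic-on-oops script hunk at @@ -12, `sysctl kernel.oops_limit=1` and `sysctl kernel.warn_limit=1` are now run unconditionally while `sysctl kernel.panic_on_oops=1` and `sysctl kernel.panic_on_warn=1` are removed, so on a kernel older than 6.2 (where the limit sysctls do not exist) the two new commands fail and the system is left with no panic-on-oops hardening at all. Suggest guarding on the existence of `/proc/sys/kernel/oops_limit` and falling back to the previous `panic_on_oops=1` / `panic_on_warn=1` lines when it is absent; on kernels that have them, a limit of 1 is equivalent to the corresponding `panic_on_*` setting, so the guarded form preserves behaviour everywhere. Two smaller points in the same hunk: the new comment reads "on the occur occurrence of" (duplicated word) and "a potentially flawed processes" (should be "process"), and the final `+` line adds a trailing blank line to the file.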