Upgrade sysctls and docs on kernel panics

2025-11-27 00:36:19 -05:00 · 2025-08-06 02:35:15 +00:00 · 2025-08-06 02:35:15 +00:00 · 45d20dd972
commit 45d20dd972
parent c2690efcac
3 changed files with 31 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -44,11 +44,10 @@ configuration file and significant hardening is applied to a myriad of component

 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
-  certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.

- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
-  (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
+- Optional - Force immediate reboot on the occurrence of a single kernel panic.

 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

@ -280,6 +279,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed.

 * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)

+**Non-compliance:**
+
 2. `sysctl kernel.panic=-1`

 Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
@ -288,8 +289,6 @@ system crashes.
 * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
 * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)

-**Non-compliance:**
-
 3. `sysctl user.max_user_namespaces=0`

 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.