mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 19:06:20 -05:00
Upgrade sysctls and docs on kernel panics
This commit is contained in:
raja-grewal
GitHub
parent
c2690efcac
commit
45d20dd972
3 changed files with 31 additions and 24 deletions
|
|
@ -164,14 +164,14 @@ kernel.sysrq=0
|
|||
##
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
|
||||
## Oopses are serious but non-fatal errors.
|
||||
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
|
||||
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
|
||||
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
|
||||
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
|
||||
## Forcing immediate system reboots on any single kernel panic is an extreme option.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
|
|
@ -180,20 +180,25 @@ kernel.perf_event_paranoid=3
|
|||
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#kernel.panic=-1
|
||||
#kernel.panic_on_oops=1
|
||||
#kernel.panic_on_warn=1
|
||||
#kernel.oops_limit=1
|
||||
#kernel.warn_limit=1
|
||||
|
||||
## Force immediate system reboots on the occurrence of a single kernel panic.
|
||||
## This is an extreme safety option which also creates a large opening for targeted denial of service attacks.
|
||||
##
|
||||
## KSPP=no
|
||||
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#kernel.panic=-1
|
||||
|
||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue