Upgrade sysctls and docs on kernel panics

README.md

@@ -44,11 +44,10 @@ configuration file and significant hardening is applied to a myriad of component
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
-- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
-  certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
-- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
-  (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
+- Optional - Force immediate reboot on the occurrence of a single kernel panic.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
@@ -280,6 +279,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
 
 * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
 
+**Non-compliance:**
+
 2. `sysctl kernel.panic=-1`
 
 Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
@@ -288,8 +289,6 @@ system crashes.
 * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
 * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
 
-**Non-compliance:**
-
 3. `sysctl user.max_user_namespaces=0`
 
 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.

usr/lib/sysctl.d/990-security-misc.conf

@@ -164,14 +164,14 @@ kernel.sysrq=0
 ##
 kernel.perf_event_paranoid=3
 
-## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
+## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
 ## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
 ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
 ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
 ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
-## Forcing immediate system reboots on any single kernel panic is an extreme option.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@@ -180,20 +180,25 @@ kernel.perf_event_paranoid=3
 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
-## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=yes
+## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-## TODO: Debian 13 Trixie
-## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
-##
 #kernel.panic=-1
-#kernel.panic_on_oops=1
-#kernel.panic_on_warn=1
 #kernel.oops_limit=1
 #kernel.warn_limit=1
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## This is an extreme safety option which also creates a large opening for targeted denial of service attacks.
+##
+## KSPP=no
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#kernel.panic=-1
+
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.

usr/libexec/security-misc/panic-on-oops

@@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
    source /usr/libexec/helper-scripts/pre.bsh
 fi
 
-## Makes the kernel panic on oopses and warnings. This prevents the
-## kernel from continuing to run a flawed processes. Many kernel
-## exploits will also cause an oops, these settings will make the
-## kernel kill the offending processes.
+## Makes the kernel immediately panic on both oopses and warnings.
+## This prevents the kernel from continuing to run a potentially
+## flawed processes. Many kernel exploits will also cause an oops,
+## these settings will make the kernel kill the offending processes.
+sysctl kernel.oops_limit=1
+sysctl kernel.warn_limit=1
+
+## Makes the system immediately reboot on the occur occurrence of
+## a single kernel panic. This is an extreme safety option which also
+## creates a large opening for targeted denial of service attacks.
 #sysctl kernel.panic=-1
-sysctl kernel.panic_on_oops=1
-sysctl kernel.panic_on_warn=1
-#sysctl kernel.oops_limit=1
-#sysctl kernel.warn_limit=1
+