From 9f7480e20adf148dcb7dbe80e704f3f79691b657 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 19 Oct 2025 01:41:58 +0000 Subject: [PATCH] Make terminology consistent --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- .../sysctl.d/990-security-misc.conf#security-misc-shared | 6 +++--- .../security-misc/panic-on-oops#security-misc-shared | 5 +++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 537b72a..3459fc6 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,12 @@ configuration file and significant hardening is applied to a myriad of component and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial of service attacks and both cold and warm boot attacks. + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot, as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score. Note this creates - the risk of userspace-based denial of service attacks that maliciously fill memory. + the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c8209f5..21e2c06 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -126,7 +126,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index aeb3fe0..4e8625c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -171,7 +171,7 @@ kernel.perf_event_paranoid=3 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops @@ -188,7 +188,7 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## @@ -531,7 +531,7 @@ net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements (RAs) and solicitations. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial of service attacks. +## Flooding the network with malicious RAs can lead to denial-of-service attacks. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## ## https://datatracker.ietf.org/doc/html/rfc6104 diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared index 54731c9..5e32d02 100755 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ b/usr/libexec/security-misc/panic-on-oops#security-misc-shared @@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This reduces the risk and impact of denial of -## service attacks and both cold and warm boot attacks. +## kernel panic. This reduces the risk and impact of denial-of-service +## attacks and both cold and warm boot attacks. +## ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic sysctl kernel.panic=-1