Make terminology consistent

raja-grewal 2025-10-19 01:41:58 +00:00 committed by GitHub
parent f2c3eba4f0
commit 9f7480e20a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 9 additions and 8 deletions

@ -50,12 +50,12 @@ configuration file and significant hardening is applied to a myriad of component
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial of service attacks and both cold and warm boot attacks. risk and impact of denial-of-service attacks and both cold and warm boot attacks.
- Force immediate kernel panic on OOM (out of memory) which the above setting will force - Force immediate kernel panic on OOM (out of memory) which the above setting will force
an immediate system reboot, as opposed to placing any reliance on the oom_killer to an immediate system reboot, as opposed to placing any reliance on the oom_killer to
avoid arbitrarily terminating security features based on their OOM score. Note this creates avoid arbitrarily terminating security features based on their OOM score. Note this creates
the risk of userspace-based denial of service attacks that maliciously fill memory. the risk of userspace-based denial-of-service attacks that maliciously fill memory.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
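Review bot: In the OOM bullet, "which the above setting will force an immediate system reboot" does not parse, and since this commit already edits that bullet it is the natural place to fix it. Suggest "Force immediate kernel panic on OOM (out of memory), which with the above setting results in an immediate system reboot, instead of relying on the oom_killer, to avoid security features being terminated arbitrarily based on their OOM score." For consistency with `WARN()` a few lines up, oom_killer could also be set in backticks.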

@ -126,7 +126,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Panics may be due to false-positives such as bad drivers. ## Panics may be due to false-positives such as bad drivers.
## Oopses are serious but non-fatal errors. ## Oopses are serious but non-fatal errors.
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. ## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks.
## ##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Linux_kernel_oops
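Review bot: The first context line still reads "false-positives", where the term is a noun and should be written "false positives"; a commit whose purpose is consistent terminology should catch that in the same pass. Within the same three lines "oopses" also appears once bare and once in quotes, so pick one form for the comment block.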

@ -171,7 +171,7 @@ kernel.perf_event_paranoid=3
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks.
## ##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Linux_kernel_oops
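Review bot: The changed "Note that by forcing kernel panics on oopses and warnings, this exposes the system to ..." line has a dangling "this" with nothing to refer to. Suggest "Note that forcing kernel panics on oopses and warnings exposes the system to targeted denial-of-service attacks." The GRUB comment changed earlier in this patch uses the same construction and would take the same fix.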
@ -188,7 +188,7 @@ kernel.perf_event_paranoid=3
#kernel.warn_limit=1 #kernel.warn_limit=1
## Force immediate system reboots on the occurrence of a single kernel panic. ## Force immediate system reboots on the occurrence of a single kernel panic.
## Increases resilience and limits impact of denial of service attacks as system automatically restarts. ## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
## ##
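Review bot: The changed line claims the reboot "limits impact of denial-of-service attacks", while the note in the previous hunk says that forcing panics exposes the system to targeted denial-of-service attacks, and nothing here tells the reader how the two statements relate. Suggest tying the benefit to what the next line already says, for example "Limits the impact of denial-of-service attacks that would otherwise leave the system hung, as the system automatically restarts.", and pointing back to the panic-on-oops note. The phrase "as system automatically restarts" is also missing its article.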
@ -531,7 +531,7 @@ net.ipv6.conf.*.accept_source_route=0
## Do not accept IPv6 router advertisements (RAs) and solicitations. ## Do not accept IPv6 router advertisements (RAs) and solicitations.
## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
## Flooding the network with malicious RAs can lead to denial of service attacks. ## Flooding the network with malicious RAs can lead to denial-of-service attacks.
## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
## ##
## https://datatracker.ietf.org/doc/html/rfc6104 ## https://datatracker.ietf.org/doc/html/rfc6104
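Review bot: On the changed line, "Flooding the network with malicious RAs can lead to denial-of-service attacks" describes an attack leading to an attack; the flood is the attack and denial of service is its outcome. Suggest "Flooding the network with malicious RAs can cause denial of service." Separately, the first line of the block says "router advertisements (RAs) and solicitations", but the rationale that follows only discusses RAs, so either explain the solicitations part or drop it from the summary line.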

@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1
sysctl kernel.warn_limit=1 sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single ## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This reduces the risk and impact of denial of ## kernel panic. This reduces the risk and impact of denial-of-service
## service attacks and both cold and warm boot attacks. ## attacks and both cold and warm boot attacks.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
sysctl kernel.panic=-1 sysctl kernel.panic=-1
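Review bot: The bare "##" line added above the docs.kernel.org URL is a layout change that the commit message "Make terminology consistent" does not mention (the hunk grows from 7 to 8 lines because of it). Either note it in the message or confirm the other comment blocks in this file use the same separator before their reference links, so the file does not end up with two styles.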