mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-26 07:56:25 -05:00
Merge remote-tracking branch 'raja/panic_limits' into arraybolt3/trixie
This commit is contained in:
Aaron Rainbolt
commit
b5a36e02f1
4 changed files with 36 additions and 35 deletions
20
README.md
20
README.md
|
|
@ -44,11 +44,11 @@ configuration file and significant hardening is applied to a myriad of component
|
||||||
|
|
||||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||||
|
|
||||||
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
|
- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
|
||||||
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
|
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
|
||||||
|
|
||||||
- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
|
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
|
||||||
(when using Linux kernel >= 6.2) limit the number of allowed panics to one.
|
risk and impact of both denial of service and cold boot attacks.
|
||||||
|
|
||||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||||
|
|
||||||
|
|
@ -278,23 +278,15 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
|
||||||
|
|
||||||
* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
|
* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
|
||||||
|
|
||||||
2. `sysctl kernel.panic=-1`
|
|
||||||
|
|
||||||
Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
|
|
||||||
system crashes.
|
|
||||||
|
|
||||||
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
|
|
||||||
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
|
|
||||||
|
|
||||||
**Non-compliance:**
|
**Non-compliance:**
|
||||||
|
|
||||||
3. `sysctl user.max_user_namespaces=0`
|
2. `sysctl user.max_user_namespaces=0`
|
||||||
|
|
||||||
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
|
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
|
||||||
|
|
||||||
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
|
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
|
||||||
|
|
||||||
4. `sysctl fs.binfmt_misc.status=0`
|
3. `sysctl fs.binfmt_misc.status=0`
|
||||||
|
|
||||||
Disables the registration of interpreters for miscellaneous binary formats. Currently not
|
Disables the registration of interpreters for miscellaneous binary formats. Currently not
|
||||||
feasible due to compatibility issues with Firefox.
|
feasible due to compatibility issues with Firefox.
|
||||||
|
|
|
||||||
|
|
@ -164,14 +164,14 @@ kernel.sysrq=0
|
||||||
##
|
##
|
||||||
kernel.perf_event_paranoid=3
|
kernel.perf_event_paranoid=3
|
||||||
|
|
||||||
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
|
## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
|
||||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
|
||||||
## Panics may be due to false-positives such as bad drivers.
|
## Panics may be due to false-positives such as bad drivers.
|
||||||
|
## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
|
||||||
## Oopses are serious but non-fatal errors.
|
## Oopses are serious but non-fatal errors.
|
||||||
|
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
|
||||||
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
|
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
|
||||||
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
|
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
|
||||||
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
|
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
|
||||||
## Forcing immediate system reboots on any single kernel panic is an extreme option.
|
|
||||||
##
|
##
|
||||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||||
|
|
@ -180,20 +180,26 @@ kernel.perf_event_paranoid=3
|
||||||
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
|
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
|
||||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
||||||
##
|
##
|
||||||
## KSPP=partial
|
## KSPP=yes
|
||||||
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
|
||||||
##
|
##
|
||||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||||
##
|
##
|
||||||
## TODO: Debian 13 Trixie
|
|
||||||
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
|
||||||
##
|
|
||||||
#kernel.panic=-1
|
|
||||||
#kernel.panic_on_oops=1
|
|
||||||
#kernel.panic_on_warn=1
|
|
||||||
#kernel.oops_limit=1
|
#kernel.oops_limit=1
|
||||||
#kernel.warn_limit=1
|
#kernel.warn_limit=1
|
||||||
|
|
||||||
|
## Force immediate system reboots on the occurrence of a single kernel panic.
|
||||||
|
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
|
||||||
|
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
|
||||||
|
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
|
||||||
|
##
|
||||||
|
## KSPP=yes
|
||||||
|
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
|
||||||
|
##
|
||||||
|
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||||
|
##
|
||||||
|
#kernel.panic=-1
|
||||||
|
|
||||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||||
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
## See the file COPYING for copying conditions.
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process.
|
Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process.
|
||||||
Documentation=https://github.com/Kicksecure/security-misc
|
Documentation=https://github.com/Kicksecure/security-misc
|
||||||
|
|
||||||
ConditionKernelCommandLine=!panic-on-oops=0
|
ConditionKernelCommandLine=!panic-on-oops=0
|
||||||
|
|
|
||||||
|
|
@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
|
||||||
source /usr/libexec/helper-scripts/pre.bsh
|
source /usr/libexec/helper-scripts/pre.bsh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## Makes the kernel panic on oopses and warnings. This prevents the
|
## Makes the kernel immediately panic on both oopses and warnings.
|
||||||
## kernel from continuing to run a flawed processes. Many kernel
|
## These settings force a full system crash rather than continuing
|
||||||
## exploits will also cause an oops, these settings will make the
|
## to run after an inconsistent state is triggered by a potentially
|
||||||
## kernel kill the offending processes.
|
## flawed processes. The reasons for the errors could be kernel
|
||||||
#sysctl kernel.panic=-1
|
## exploit attempts but may also simply be general software bugs.
|
||||||
sysctl kernel.panic_on_oops=1
|
sysctl kernel.oops_limit=1
|
||||||
sysctl kernel.panic_on_warn=1
|
sysctl kernel.warn_limit=1
|
||||||
#sysctl kernel.oops_limit=1
|
|
||||||
#sysctl kernel.warn_limit=1
|
## Makes the system immediately reboot on the occurrence of a single
|
||||||
|
## kernel panic. This reduces the risk and impact of both denial of
|
||||||
|
## service and cold boot attacks.
|
||||||
|
sysctl kernel.panic=-1
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue