mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-26 07:06:26 -05:00
Merge remote-tracking branch 'raja/panic_limits' into arraybolt3/trixie
This commit is contained in:
Aaron Rainbolt
commit
b5a36e02f1
4 changed files with 36 additions and 35 deletions
20
README.md
20
README.md
|
|
@ -44,11 +44,11 @@ configuration file and significant hardening is applied to a myriad of component
|
|||
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
|
||||
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
|
||||
- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
|
||||
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
|
||||
|
||||
- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
|
||||
(when using Linux kernel >= 6.2) limit the number of allowed panics to one.
|
||||
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
|
||||
risk and impact of both denial of service and cold boot attacks.
|
||||
|
||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
|
||||
|
|
@ -278,23 +278,15 @@ Completely disables `ptrace()`. Can be enabled easily if needed.
|
|||
|
||||
* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
|
||||
|
||||
2. `sysctl kernel.panic=-1`
|
||||
|
||||
Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
|
||||
system crashes.
|
||||
|
||||
* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
|
||||
* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
|
||||
|
||||
**Non-compliance:**
|
||||
|
||||
3. `sysctl user.max_user_namespaces=0`
|
||||
2. `sysctl user.max_user_namespaces=0`
|
||||
|
||||
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
|
||||
|
||||
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
|
||||
|
||||
4. `sysctl fs.binfmt_misc.status=0`
|
||||
3. `sysctl fs.binfmt_misc.status=0`
|
||||
|
||||
Disables the registration of interpreters for miscellaneous binary formats. Currently not
|
||||
feasible due to compatibility issues with Firefox.
|
||||
|
|
|
|||
|
|
@ -164,14 +164,14 @@ kernel.sysrq=0
|
|||
##
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
|
||||
## Oopses are serious but non-fatal errors.
|
||||
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
|
||||
## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
|
||||
## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
|
||||
## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
|
||||
## Forcing immediate system reboots on any single kernel panic is an extreme option.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
|
|
@ -180,20 +180,26 @@ kernel.perf_event_paranoid=3
|
|||
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#kernel.panic=-1
|
||||
#kernel.panic_on_oops=1
|
||||
#kernel.panic_on_warn=1
|
||||
#kernel.oops_limit=1
|
||||
#kernel.warn_limit=1
|
||||
|
||||
## Force immediate system reboots on the occurrence of a single kernel panic.
|
||||
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
|
||||
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
|
||||
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#kernel.panic=-1
|
||||
|
||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
## See the file COPYING for copying conditions.
|
||||
|
||||
[Unit]
|
||||
Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process.
|
||||
Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process.
|
||||
Documentation=https://github.com/Kicksecure/security-misc
|
||||
|
||||
ConditionKernelCommandLine=!panic-on-oops=0
|
||||
|
|
|
|||
|
|
@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
|
|||
source /usr/libexec/helper-scripts/pre.bsh
|
||||
fi
|
||||
|
||||
## Makes the kernel panic on oopses and warnings. This prevents the
|
||||
## kernel from continuing to run a flawed processes. Many kernel
|
||||
## exploits will also cause an oops, these settings will make the
|
||||
## kernel kill the offending processes.
|
||||
#sysctl kernel.panic=-1
|
||||
sysctl kernel.panic_on_oops=1
|
||||
sysctl kernel.panic_on_warn=1
|
||||
#sysctl kernel.oops_limit=1
|
||||
#sysctl kernel.warn_limit=1
|
||||
## Makes the kernel immediately panic on both oopses and warnings.
|
||||
## These settings force a full system crash rather than continuing
|
||||
## to run after an inconsistent state is triggered by a potentially
|
||||
## flawed processes. The reasons for the errors could be kernel
|
||||
## exploit attempts but may also simply be general software bugs.
|
||||
sysctl kernel.oops_limit=1
|
||||
sysctl kernel.warn_limit=1
|
||||
|
||||
## Makes the system immediately reboot on the occurrence of a single
|
||||
## kernel panic. This reduces the risk and impact of both denial of
|
||||
## service and cold boot attacks.
|
||||
sysctl kernel.panic=-1
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue