From b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 04:51:01 +0000 Subject: [PATCH] Make panic related settings consistent Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. --- README.md | 7 +++-- ..._kernel_hardening.cfg#security-misc-shared | 26 ++++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0acc17b..9d069d5 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,11 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Modify the machine check exception handler. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index db65fea..f67c6c3 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -126,22 +126,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to immediately panic on "oopses". +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" + +## Force immediate system reboots on the occurrence of a single kernel panic. 
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. +## +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception.
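Review bot: the README.md hunk omits the trade-off that the config hunk states explicitly ("Panics may be due to false-positives such as bad drivers" and "this exposes the system to targeted denial of service attacks"); since README.md is where most users will read about these settings, add a short clause to the first new bullet saying that benign oopses or warnings (for example from a buggy driver) will now take the system down. The second bullet's claim that immediate reboot reduces the risk of "both cold and warm boot attacks" is only justified in the config comments by the system not hanging forever on a panic, so phrase the README the same way ("ensures the system does not hang on a panic") rather than asserting a stronger protection than the config text supports.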
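Review bot: the replaced Whonix forum URL in the 40_kernel_hardening.cfg hunk introduces a typo: the removed line reads `.../set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-...` while the added line reads `.../kernel-panisc-on-oops-1-sysctl-...`; keep the original slug. Also, the added comment "Both allowed limits are set to one so that panics occur on the single first instance of either scenario" does not match the two boot parameters in this block, `oops=panic` and `panic_on_warn=1`, which are switches rather than counts; if the sentence refers to count-based sysctls configured in the companion sysctl file (kernel.oops_limit / kernel.warn_limit), name them explicitly, otherwise drop it. Minor: "denial of service" is unhyphenated in this hunk but "denial-of-service" in the README hunk; pick one.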