Make panic related settings consistent

Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant.

README.md

@@ -219,8 +219,11 @@ Kernel space:
 - Restrict access to debugfs by not registering the file system since it can
   contain sensitive information.
 
-- Force kernel panics on "oopses" to potentially indicate and thwart certain
-  kernel exploitation attempts.
+- Force the kernel to immediately panic on both "oopses" (which can potentially indicate
+  and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
+
+- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
+  risk and impact of denial-of-service attacks and both cold and warm boot attacks.
 
 - Optional - Modify the machine check exception handler.
 

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -126,22 +126,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
-## Force the kernel to immediately panic on "oopses".
+## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
+## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
 ## Oopses are serious but non-fatal errors.
 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
-## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks.
+## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
+## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
+## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
-## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+## https://lwn.net/Articles/876209/
+## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
+
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
 
 ## Modify machine check exception handler.
 ## Can decide whether the system should panic or not based on the occurrence of an exception.