Update docs on oops boot parameter

2025-11-27 11:50:59 -05:00 · 2025-08-19 11:01:06 +10:00 · 2025-08-19 11:01:06 +10:00 · c0ad577793
commit c0ad577793
parent 6df3e3cde8
1 changed files with 6 additions and 4 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
-## Force the kernel to panic on "oopses".
+## Force the kernel to immediately panic on "oopses".
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
 ## Panics may be due to false-positives such as bad drivers.
 ## Oopses are serious but non-fatal errors.
 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
 ## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
+## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##