Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2024-09-04 10:07:50 -04:00
commit d618f9f35b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -43,9 +43,10 @@ Kernel space:
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Force the kernel to panic on "oopses" that can potentially indicate and thwart
certain kernel exploitation attempts. Optional - Force immediate reboot on the
occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2).
- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
Optional - Force immediate reboot on the occurrence of a single kernel panic and also
(when using Linux kernel >= 6.2) limit the number of allowed panics to one.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

2
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -121,7 +121,7 @@ kernel.sysrq=0
## Restricting may lead to breakages in numerous software packages.
## Uncomment the second sysctl to entirely disable user namespaces.
## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd servince.
## Disabling entirely is known to break the UPower systemd service.
##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel

10
usr/libexec/security-misc/panic-on-oops
View File

@ -12,12 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
source /usr/libexec/helper-scripts/pre.bsh
fi
## Makes the kernel panic on oopses. This prevents the kernel
## from continuing to run a flawed processes. Many kernel exploits
## will also cause an oops which this will make the kernel kill
## the offending processes.
## Makes the kernel panic on oopses and warnings. This prevents the
## kernel from continuing to run a flawed processes. Many kernel
## exploits will also cause an oops, these settings will make the
## kernel kill the offending processes.
#sysctl kernel.panic=-1
sysctl kernel.panic_on_oops=1
#sysctl kernel.panic_on_warn=1
sysctl kernel.panic_on_warn=1
#sysctl kernel.oops_limit=1
#sysctl kernel.warn_limit=1