Add details on kernel panics

README.md

@@ -44,7 +44,7 @@ space, user space, core dumps, and swap space.
 
 - Force the kernel to panic on "oopses" that can potentially indicate and thwart
   certain kernel exploitation attempts. Optional - Force immediate reboot on the
-  occurrence of a kernel panic.
+  occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2).
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 

etc/default/grub.d/40_kernel_hardening.cfg

@@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
 ## Force the kernel to panic on "oopses".
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
-## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
 ##
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial

usr/lib/sysctl.d/990-security-misc.conf

@@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0
 ##
 kernel.perf_event_paranoid=3
 
-## Force the kernel to panic on "oopses".
+## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
-## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
 ##
-## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://en.wikipedia.org/wiki/Kdump_(Linux)
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-#kernel.panic_on_oops=1
+## TODO: Debian 13 Trixie
+## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
+##
 #kernel.panic=-1
+kernel.panic_on_oops=1
+#kernel.panic_on_warn=1
+#kernel.oops_limit=1
+#kernel.warn_limit=1
 
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.

usr/libexec/security-misc/panic-on-oops

@@ -15,5 +15,8 @@ fi
 ## Makes the kernel panic on oopses. This prevents the kernel
 ## from continuing to run a flawed processes. Many kernel exploits
 ## will also cause an oops which this will make the kernel kill.
-sysctl kernel.panic_on_oops=1
 #sysctl kernel.panic=-1
+sysctl kernel.panic_on_oops=1
+#sysctl kernel.panic_on_warn=1
+#sysctl kernel.oops_limit=1
+#sysctl kernel.warn_limit=1