From e4909b5e28e16f09de0e548c9221578ebe1190a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 25 Aug 2024 12:47:04 +1000 Subject: [PATCH] Add details on kernel panics --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++++++----- usr/libexec/security-misc/panic-on-oops | 5 ++++- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 1ec228f..ecbf3ef 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ space, user space, core dumps, and swap space. - Force the kernel to panic on "oopses" that can potentially indicate and thwart certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic. + occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aaf5be8..c8a7eab 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Force the kernel to panic on "oopses". ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f13f193..e305fa6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0 ## kernel.perf_event_paranoid=3 -## Force the kernel to panic on "oopses". +## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -#kernel.panic_on_oops=1 +## TODO: Debian 13 Trixie +## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## #kernel.panic=-1 +kernel.panic_on_oops=1 +#kernel.panic_on_warn=1 +#kernel.oops_limit=1 +#kernel.warn_limit=1 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 2fc25c8..8d647f1 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
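Review bot: The added `kernel.panic_on_oops=1` is no longer commented out, so this sysctl.d file now forces panic-on-oops on every system, while the comment just above still points to /usr/libexec/security-misc/panic-on-oops for the implementation. The removed line was `#kernel.panic_on_oops=1`, so this may be unintended; either restore the `#` or update the "See ... for implementation" comment to say the setting is now applied here as well. The new header comment also mentions warnings in the WARN() path although `kernel.panic_on_warn` stays commented, which overstates what the file enables. Separately, the re-added forum URL has a typo in its slug (`kernel-panisc-on-oops-1`, previously `kernel-panic-on-oops-1`).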
@@ -15,5 +15,8 @@ fi ## Makes the kernel panic on oopses. This prevents the kernel ## from continuing to run a flawed processes. Many kernel exploits ## will also cause an oops which this will make the kernel kill. -sysctl kernel.panic_on_oops=1 #sysctl kernel.panic=-1 +sysctl kernel.panic_on_oops=1 +#sysctl kernel.panic_on_warn=1 +#sysctl kernel.oops_limit=1 +#sysctl kernel.warn_limit=1
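Review bot: The three added commented-out lines (`kernel.panic_on_warn`, `kernel.oops_limit`, `kernel.warn_limit`) have no explanation in this script, and the comment above them still describes only panic-on-oops. I would add a short comment such as `## Kept disabled: oops_limit/warn_limit apply on Linux kernel >= 6.2; panic_on_warn turns any WARN() into a panic.` so that anyone enabling them understands the availability cost. The script's earlier lines, ending in `fi`, are outside the hunk.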