mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-23 05:01:31 -05:00
Add details on kernel panics
This commit is contained in:
parent
56b28e3826
commit
e4909b5e28
@ -44,7 +44,7 @@ space, user space, core dumps, and swap space.
|
||||
|
||||
- Force the kernel to panic on "oopses" that can potentially indicate and thwart
|
||||
certain kernel exploitation attempts. Optional - Force immediate reboot on the
|
||||
occurrence of a kernel panic.
|
||||
occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2).
|
||||
|
||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
|
||||
|
@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
|
||||
## Force the kernel to panic on "oopses".
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Also cause panics on machine check exceptions.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
|
@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0
|
||||
##
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Force the kernel to panic on "oopses".
|
||||
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Also cause panics on machine check exceptions.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
##
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
## https://en.wikipedia.org/wiki/Kdump_(Linux)
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#kernel.panic_on_oops=1
|
||||
## TODO: Debian 13 Trixie
|
||||
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#kernel.panic=-1
|
||||
kernel.panic_on_oops=1
|
||||
#kernel.panic_on_warn=1
|
||||
#kernel.oops_limit=1
|
||||
#kernel.warn_limit=1
|
||||
|
||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
|
@ -15,5 +15,8 @@ fi
|
||||
## Makes the kernel panic on oopses. This prevents the kernel
|
||||
## from continuing to run a flawed processes. Many kernel exploits
|
||||
## will also cause an oops which this will make the kernel kill.
|
||||
sysctl kernel.panic_on_oops=1
|
||||
#sysctl kernel.panic=-1
|
||||
sysctl kernel.panic_on_oops=1
|
||||
#sysctl kernel.panic_on_warn=1
|
||||
#sysctl kernel.oops_limit=1
|
||||
#sysctl kernel.warn_limit=1
|
||||
|
Loading…
Reference in New Issue
Block a user