From 45fcd163d1422b43ec033166c889a237301ad83d Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 18 Aug 2025 20:23:50 +1000
Subject: [PATCH 1/4] Add reference on conntrack helpers
---
 etc/modprobe.d/30_security-misc_conntrack.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf
index 7f36327..7c51595 100644
--- a/etc/modprobe.d/30_security-misc_conntrack.conf
+++ b/etc/modprobe.d/30_security-misc_conntrack.conf
@@ -7,6 +7,7 @@
 ## Disabling it reduces the kernel attack surface and improves security.
 ##
 ## https://conntrack-tools.netfilter.org/manual.html
+## https://home.regit.org/netfilter-en/secure-use-of-helpers/
 ## https://forums.whonix.org/t/disable-conntrack-helper/18917
 ##
 options nf_conntrack nf_conntrack_helper=0
From c0ad57779342c138ade0d6ddff0898f75411157a Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Tue, 19 Aug 2025 11:01:06 +1000
Subject: [PATCH 2/4] Update docs on oops boot parameter
---
 etc/default/grub.d/40_kernel_hardening.cfg | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 671c28b..38f4ad3 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
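Review bot: The link being added describes the limitation that the comment next to `options nf_conntrack nf_conntrack_helper=0` should state explicitly: the parameter only disables automatic helper assignment, while helpers explicitly attached by the ruleset (the iptables `CT --helper` target or nft `ct helper`) remain active, so the helper code is still reachable unless the individual helper modules are also prevented from loading. Suggest adding `## This only disables automatic helper assignment; helpers explicitly assigned by the ruleset (CT target / ct helper) still apply.` beside the new link. Whether this file also blacklists the helper modules themselves is not visible in this hunk. On kernels that have removed the automatic-assignment code the parameter may no longer exist and should then be reported as an unknown module parameter and ignored, which is worth a one-line kernel-version note so the setting is not mistaken for active hardening.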
@@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
-## Force the kernel to panic on "oopses".
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Force the kernel to immediately panic on "oopses".
 ## Panics may be due to false-positives such as bad drivers.
+## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
+## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
From a4710693783b8817a6a5c9f17b4268b654c4c0c9 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Tue, 19 Aug 2025 11:03:05 +1000
Subject: [PATCH 3/4] Remove link
---
 usr/lib/sysctl.d/990-security-misc.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 3c43d8d..892911e 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
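Review bot: The new `## KSPP=yes` line claims the recommendation is fully met, but the setting documented here corresponds only to `CONFIG_PANIC_ON_OOPS=y` (as the removed line itself said), while the `CONFIG_PANIC_TIMEOUT=-1` half is provided by `kernel.panic=-1` in the referenced panic-on-oops script, so the comment should say which setting covers which, e.g. `## KSPP sets CONFIG_PANIC_ON_OOPS=y (panic on oops, configured here) and CONFIG_PANIC_TIMEOUT=-1 (kernel.panic=-1, set by panic-on-oops).` The option line itself is outside this hunk, so whether this file enables the boot parameter or defers entirely to the sysctl script cannot be confirmed here; if it is the script, oopses that occur before it runs during early boot are not covered, and that caveat belongs in the comment. The definition `## Oopses are serious but non-fatal errors.` reads better placed before the false-positive sentence it explains, and "oopses" is quoted on some lines and not others. The denial-of-service sentence is worth sharpening: any code path that lets an unprivileged user trigger an oops, such as a buggy driver ioctl, becomes a whole-system crash instead of the death of one task, which is the trade-off being accepted.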
@@ -175,7 +175,6 @@ kernel.perf_event_paranoid=3
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
-## https://en.wikipedia.org/wiki/Kdump_(Linux)
 ## https://lwn.net/Articles/876209/
 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
From add054933b69e97e0f856d7cf04d88290d4b1b7c Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 21 Aug 2025 00:24:28 +0000
Subject: [PATCH 4/4] Update docs on instant reboot when kernel panic
---
 README.md | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 usr/libexec/security-misc/panic-on-oops | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 425bd0d..e13a3a1 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ configuration file and significant hardening is applied to a myriad of component
 and thwart certain kernel exploitation attempts) and kernel warnings in the
 `WARN()` path.
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
- risk and impact of both denial of service and cold boot attacks.
+ risk and impact of denial of service attacks and both cold and warm boot attacks.
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 892911e..b369896 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -188,8 +188,8 @@ kernel.perf_event_paranoid=3
 #kernel.warn_limit=1
 ## Force immediate system reboots on the occurrence of a single kernel panic.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
 ## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
 ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
 ## KSPP=yes
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 83ceeac..84fd9cc 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
@@ -21,6 +21,6 @@ sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This reduces the risk and impact of both denial of
-## service and cold boot attacks.
+## kernel panic. This reduces the risk and impact of denial of
+## service attacks and both cold and warmm boot attacks.
 sysctl kernel.panic=-1
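Review bot: The added line `## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.` overstates what an immediate reboot buys: it shortens the window in which a hung machine sits with secrets in RAM, but the reboot itself does not scrub memory, and a reset is exactly what a warm-boot attacker triggers, so the gain is a smaller window rather than protection against the attack. Suggest `## Shortens the window for cold/warm boot attacks against a hung machine; the reboot itself does not clear RAM.` Combined with `kernel.oops_limit=1` and `kernel.warn_limit=1` set by the panic-on-oops script in this same series, a reproducible oops or WARN on the boot path becomes a reboot loop, which the denial-of-service sentence should acknowledge. The `kernel.panic=-1` line this comment documents is outside the hunk.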
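Review bot: The new comment line `## service attacks and both cold and warmm boot attacks.` has a typo, `warmm` for `warm`. Since this comment sits directly above `sysctl kernel.panic=-1`, it is also the natural place to record that an immediate reboot discards the on-screen panic output (the sysctl.d comment in this series presents that as a feature), so any post-incident analysis depends on a serial console, pstore or netconsole having been configured; a line such as `## Panic output is not retained across the reboot; capture it via serial console/pstore if needed.` would help operators. The rest of the script is outside this hunk.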