Merge remote-tracking branch 'github-kicksecure/master'

README.md

@@ -48,7 +48,7 @@ configuration file and significant hardening is applied to a myriad of component
   and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
-  risk and impact of both denial of service and cold boot attacks.
+  risk and impact of denial of service attacks and both cold and warm boot attacks.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 

etc/default/grub.d/40_kernel_hardening.cfg

@@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
-## Force the kernel to panic on "oopses".
+## Force the kernel to immediately panic on "oopses".
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
 ## Panics may be due to false-positives such as bad drivers.
+## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
+## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
+## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##

etc/modprobe.d/30_security-misc_conntrack.conf

@@ -7,6 +7,7 @@
 ## Disabling it reduces the kernel attack surface and improves security.
 ##
 ## https://conntrack-tools.netfilter.org/manual.html
+## https://home.regit.org/netfilter-en/secure-use-of-helpers/
 ## https://forums.whonix.org/t/disable-conntrack-helper/18917
 ##
 options nf_conntrack nf_conntrack_helper=0

usr/lib/sysctl.d/990-security-misc.conf

@@ -175,7 +175,6 @@ kernel.perf_event_paranoid=3
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
-## https://en.wikipedia.org/wiki/Kdump_(Linux)
 ## https://lwn.net/Articles/876209/
 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
@@ -189,8 +188,8 @@ kernel.perf_event_paranoid=3
 #kernel.warn_limit=1
 
 ## Force immediate system reboots on the occurrence of a single kernel panic.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
 ## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
 ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
 ## KSPP=yes

usr/libexec/security-misc/panic-on-oops

@@ -24,7 +24,7 @@ sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This reduces the risk and impact of both denial of
+## kernel panic. This reduces the risk and impact of denial of
-## service and cold boot attacks.
+## service attacks and both cold and warmm boot attacks.
 ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
 sysctl kernel.panic=-1