Increased kernel hardening at boot #111
This reverts commit 57b5b21.
@@ -53,3 +53,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" | |||
## https://lkml.org/lkml/2020/7/16/122 | |||
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 | |||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" | |||
|
|||
## Force the kernel to panic on "oopses" (which may be due to false positives) | |||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" |
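Review bot: the new `oops=panic` entry needs to say how it relates to the existing `/usr/libexec/security-misc/panic-on-oops` mechanism raised in this thread; as written the repository will carry two ways of enabling the same behaviour (the boot parameter and the sysctl set from user space) without documenting which one is authoritative or whether the other is being removed. The comment "(which may be due to false positives)" also reads as a half-sentence: spell out the trade-off, i.e. that a panic on a false-positive oops takes the machine down, which is the cost accepted in exchange for not continuing in a possibly corrupted kernel state. Finally, the adjacent `debugfs=off` entry carries `##` reference links to the kernel parameter documentation; add the equivalent reference for `oops=panic` so the two entries follow the same convention.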
Isn't this already implemented?
See:
/usr/libexec/security-misc/panic-on-oops
True. I am considering removing the existing implementation, as I believe setting it at the beginning of the boot process may be more secure?
This way we do not have to rely on the configuration files being read by a user space service.
https://github.com/torvalds/linux/blob/97e9c8eb4bb1dc57859acb1338dfddbd967d7484/Documentation/admin-guide/kernel-parameters.txt#L5681-L5688
https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
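The distinction drawn above (a kernel parameter applied at boot versus a sysctl applied later by a user space service) is something an administrator can verify on a running system. The script below is an added example, not part of the security-misc project or of this pull request: it reads the kernel command line and the live `kernel.panic_on_oops` sysctl value and reports which mechanism is in effect. The core function takes both values as arguments so it can be exercised offline with constructed inputs; the `--live` wrapper reads the real `/proc` files, which exist only on Linux.

```shell
#!/bin/sh
# Added example (not the project's code): determine how panic-on-oops is
# configured, distinguishing the boot-time kernel parameter (oops=panic) from
# the sysctl (kernel.panic_on_oops) that a user space service may set later.

# panic_on_oops_source CMDLINE SYSCTL_VALUE
#   CMDLINE      : contents of /proc/cmdline
#   SYSCTL_VALUE : contents of /proc/sys/kernel/panic_on_oops (0 or 1)
# Prints exactly one of:
#   cmdline  - oops=panic was passed at boot and the sysctl agrees (1)
#   sysctl   - enabled only via the sysctl, i.e. set from user space after boot
#   none     - not enabled by either mechanism
#   conflict - oops=panic was passed at boot but the sysctl now reads 0,
#              meaning something in user space overrode the boot setting
panic_on_oops_source() {
    cmdline="$1"
    sysctl_value="$2"
    on_cmdline=0
    # Walk the space-separated command line looking for the exact parameter.
    for word in $cmdline; do
        case "$word" in
            oops=panic) on_cmdline=1 ;;
        esac
    done
    if [ "$on_cmdline" -eq 1 ]; then
        if [ "$sysctl_value" = "1" ]; then
            echo cmdline
        else
            echo conflict
        fi
    elif [ "$sysctl_value" = "1" ]; then
        echo sysctl
    else
        echo none
    fi
}

# Run the check against the running kernel; reports "unavailable" where the
# /proc files cannot be read (non-Linux hosts, restricted containers).
live_check() {
    if [ -r /proc/cmdline ] && [ -r /proc/sys/kernel/panic_on_oops ]; then
        panic_on_oops_source "$(cat /proc/cmdline)" \
                             "$(cat /proc/sys/kernel/panic_on_oops)"
    else
        echo unavailable
    fi
}

# Usage: sh check-panic-on-oops.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A result of `conflict` is the case the comment above is concerned with: the boot parameter was applied, but a later sysctl write (for example from a configuration file read by a user space service) turned it back off, so the boot-time setting alone did not guarantee the final state.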
I think there was a specific reason why it's done as currently implemented and not as a kernel command line parameter. It's been a while since I last re-read this discussion:
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
Could you have a look please?
Please refer to the existing discussion beginning at:
https://forums.whonix.org/t/kernel-hardening/7296/465
In summary: