set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security

Sure! Where should it be?

Yes. It’s easy to add a livecd to a VM.

That will require you to manually decrypt and mount it but I don’t have much experience with that.

How would the kernel parameter be implemented? A systemd service that greps /proc/cmdline?

What exactly do we look for though?

1 Like

Those are more pragmatic options IMO.

@Patrick Host hardening guide perhaps?

2 Likes

Recovery - Kicksecure for now (we could still move elsewhere later if needed).

A systemd service isn’t needed. https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/panic-on-oops (since running as root anyhow) could directly parse /proc/cmdline.

whonix-xfce-desktop-config /usr/share/livecheck/livecheck.sh is using:

if grep -qs "boot=live" /proc/cmdline; then

Which boot options should we look for?

  • should we invent one? nooops why not…
  • are there other boot options usually used for recovery where we should opt in to not setting kernel.panic_on_oops=1, such as recovery, single (these are from Ubuntu, do these work with Debian too?) Know any Debian boot options usually used for recovery?

The kernel oops message. By parsing dmesg line by line I would hope we can find a common pattern which is easy to parse.

[ 5660.841924] BUG: soft lockup - CPU#0 stuck for 61s! [egrep:10518]

Internal error: Oops:

We need to search for logs that mention oopses and then just grep/match/or so them.

1 Like
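The /proc/cmdline parsing and the dmesg pattern search discussed in the post above, as an added example; this is not the security-misc panic-on-oops script and not Whonix code. It assumes an opt-out token named no_panic_on_oops (a name only proposed in this thread), treats the Ubuntu recovery tokens recovery and single as opt-outs as well, writes the sysctl through /proc/sys/kernel/panic_on_oops, and matches the two oops lines quoted above plus the x86 "BUG: unable to handle" oops header. The log lines at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not the security-misc panic-on-oops script itself.
# Decides whether kernel.panic_on_oops should be enabled from the kernel
# command line and scans kernel log lines for oops/lockup patterns.
#
# Assumptions (the thread had not settled them):
#   - opt-out tokens: "no_panic_on_oops" (proposed in the thread),
#     plus Ubuntu's recovery-mode tokens "recovery" and "single"
#   - the sysctl is written through /proc/sys/kernel/panic_on_oops

# Print 1 if panic_on_oops should be enabled for the given kernel command
# line, 0 if an opt-out token is present. The command line is passed as $1
# so the logic can be exercised without reading /proc/cmdline.
panic_on_oops_wanted() {
    set -f                      # no glob expansion while splitting on spaces
    for token in $1; do
        case "$token" in
            no_panic_on_oops|recovery|single)
                set +f
                echo 0
                return 0
                ;;
        esac
    done
    set +f
    echo 1
    return 0
}

# Apply the decision to the running kernel (needs root).
apply_panic_on_oops() {
    cmdline="$(cat /proc/cmdline)"
    if [ "$(panic_on_oops_wanted "$cmdline")" = 1 ]; then
        echo 1 > /proc/sys/kernel/panic_on_oops
    else
        echo "opt-out token on kernel command line; leaving panic_on_oops unchanged" >&2
    fi
}

# Keep only lines that look like an oops or lockup. Reads stdin. The first
# two patterns are the ones quoted in this thread; "BUG: unable to handle"
# is the x86 page-fault oops header. A bare "BUG:" would also catch the
# non-fatal "BUG: sleeping function called from invalid context" warning,
# so the patterns are kept specific on purpose.
find_oops_lines() {
    grep -E 'BUG: soft lockup|Oops:|BUG: unable to handle'
}

# Number of matching lines on stdin (prints 0 instead of failing).
count_oops_lines() {
    find_oops_lines | grep -c '' || true
}

# Constructed sample of kernel log lines (timestamps and values made up).
SAMPLE_DMESG='[ 5660.841924] BUG: soft lockup - CPU#0 stuck for 61s! [egrep:10518]
[ 5660.900000] Internal error: Oops: 17 [#1] SMP
[ 5661.100000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Stand-alone demonstration on constructed input.
printf 'default cmdline  -> panic_on_oops=%s\n' "$(panic_on_oops_wanted 'root=/dev/sda1 ro quiet')"
printf 'recovery cmdline -> panic_on_oops=%s\n' "$(panic_on_oops_wanted 'root=/dev/sda1 ro recovery')"
printf 'matching log lines:\n'
printf '%s\n' "$SAMPLE_DMESG" | find_oops_lines
```

Token matching is done per whitespace-separated word rather than with a substring grep, so a parameter such as no_panic_on_oops_later or a path containing "single" does not accidentally disable the setting.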

nooops doesn’t sound right. Something like no_panic_on_oops would be good.

Tails has a troubleshooting mode with some kernel parameters that are usually used in debugging.

We could create our own troubleshooting mode with some of those kernel parameters and disable the panic on oops.

1 Like

Btw grub boot menu allows adding boot parameters “on the fly” during grub boot menu.

See grub2 - How do I add a kernel boot parameter? - Ask Ubuntu

To temporarily add a boot parameter to a kernel:

It could even be both. Simple to match for it. no_panic_on_oops is kinda harder to type (as per above during grub boot menu stage).

Sounds good.

2 Likes

I’ve made a draft for the chrooting.

1 Like

What might also be cool (but also less secure, risking host compromise when VM is compromised) is mounting the disk image on the host.

Why is chrooting even required? For recovering files, just mount the disk and copy?

  • But how to copy the files out on VirtualBox without virtualbox guest additions installed?
  • But how to copy the files out on KVM without spice-vdagent? Or not required?

For changing config files, also no chroot required.

Chroot should only be required in limited cases such as uninstallation of a package.

Related (on mounting disk images):

File Transfer - Whonix (but disk image mounting must be radically simplified, shouldn’t depend on re-using Whonix source code, too difficult)

2 Likes

It can allow you to fix certain things without having to boot directly into the machine. e.g. if you’ve enabled kernel.panic_on_oops=1 and get kernel panics on boot, you can chroot to fix it.

1 Like

Not required. KVM does not depend on “guest additions” to share files. Rather the shared folder 9p protocol is a module in the guest kernel that is compatible with a filesystem device added on the host.

For completeness, the guestfs tool is the main and safe(ish) way to mount qcow2

http://ask.xmodulo.com/mount-qcow2-disk-image-linux.html

I say safeish because while it does implement AppArmor protections for the processes that interact with the guest file system, it is not as theoretically safe as a shared folder used directly.

2 Likes

I’ve just noticed this in the kernel docs:

Always panic on oopses. Default is to just kill the process, but there is a small probability of deadlocking the machine.

linux-hardened also sets this option.

https://github.com/anthraxx/linux-hardened/blob/5.2/lib/Kconfig.debug#L998

1 Like

dmesg can filter out the logs based on priority. Running dmesg -l emerg gives you emergency logs. This will make it much easier to check for kernel oopses.

1 Like
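Priority-based filtering of the kernel log, as an added example that is not from this thread or from security-misc. It reimplements the level filter of "dmesg -l" over lines in "dmesg --decode" format so it can run offline, and wraps the live invocation with a comma-separated level list, which util-linux dmesg accepts. The sample lines are constructed, and the priorities attached to them are illustrative only: the priority an oops header is printed at is not uniform across architectures and kernel versions, so a checker is better off combining a level filter with pattern matching than relying on emerg alone.

```shell
#!/bin/sh
# Added example, not from the thread or from security-misc: filter kernel
# log lines by syslog priority, the way "dmesg -l emerg" does, and check
# the live ring buffer with several levels at once.

# Map a syslog level name to its numeric priority (0 = most severe).
level_rank() {
    case "$1" in
        emerg)  echo 0 ;;
        alert)  echo 1 ;;
        crit)   echo 2 ;;
        err)    echo 3 ;;
        warn)   echo 4 ;;
        notice) echo 5 ;;
        info)   echo 6 ;;
        debug)  echo 7 ;;
        *)      echo 8 ;;   # unknown: treated as least severe
    esac
}

# Read "dmesg --decode"-style lines ("kern  :emerg : [ts] msg") from stdin
# and print those whose level is at or above the severity named in $1.
filter_at_least() {
    max="$(level_rank "$1")"
    while IFS= read -r line; do
        lvl="$(printf '%s\n' "$line" | sed -n 's/^[a-z0-9]* *:\([a-z]*\) *:.*/\1/p')"
        [ -n "$lvl" ] || continue     # not a decoded line, skip it
        if [ "$(level_rank "$lvl")" -le "$max" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Count lines at or above the level given in $1 (prints 0 when none).
count_at_least() {
    filter_at_least "$1" | grep -c '' || true
}

# Live check (needs permission to read the kernel ring buffer): util-linux
# dmesg takes a comma-separated list of levels.
live_oops_check() {
    dmesg --level emerg,alert,crit 2>/dev/null
}

# Constructed sample in "dmesg --decode" format. Timestamps are made up and
# the levels are illustrative only; real oops headers vary in priority.
SAMPLE_DECODED='kern  :notice: [    0.000000] Linux version (constructed sample)
kern  :info  : [    0.100000] Command line: root=/dev/sda1 ro quiet
kern  :emerg : [ 5660.841924] BUG: soft lockup - CPU#0 stuck for 61s! [egrep:10518]
kern  :alert : [ 5660.900000] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
kern  :warn  : [ 5661.000000] Internal error: Oops: 17 [#1] SMP'

# Stand-alone demonstration: only the emergency-level line survives.
printf '%s\n' "$SAMPLE_DECODED" | filter_at_least emerg
```

Run against the same constructed sample with alert instead of emerg and the page-fault line is included as well, which is the practical reason to pass more than one level to dmesg.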

Grsecurity has a smarter equivalent to this.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Active_kernel_exploit_response

1 Like

Sounds a ton smarter indeed.

1 Like