2024-07-11 12:42:37 -04:00
|
|
|
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
|
|
|
|
## See the following links for a community discussion and overview regarding the selections.
|
|
|
|
|
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
|
|
|
|
|
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
|
|
|
|
|
|
|
|
|
|
## Blacklisting prevents kernel modules from automatically starting.
|
|
|
|
|
## Disabling prohibits kernel modules from starting.
|
|
|
|
|
|
|
|
|
|
## CD-ROM/DVD:
|
|
|
|
|
## Blacklist CD-ROM and DVD modules.
|
|
|
|
|
## Do not disable by default for potential future ISO plans.
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
|
|
|
|
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
blacklist cdrom
|
|
|
|
|
blacklist sr_mod
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
|
|
|
|
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
|
|
|
|
|
|
|
|
|
## Conntrack:
|
|
|
|
|
## Disable automatic conntrack helper assignment.
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
## https://phabricator.whonix.org/T486
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
options nf_conntrack nf_conntrack_helper=0
|
|
|
|
|
|
|
|
|
|
## Framebuffer Drivers:
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
blacklist aty128fb
|
|
|
|
|
blacklist atyfb
|
|
|
|
|
blacklist cirrusfb
|
|
|
|
|
blacklist cyber2000fb
|
|
|
|
|
blacklist cyblafb
|
|
|
|
|
blacklist gx1fb
|
|
|
|
|
blacklist hgafb
|
|
|
|
|
blacklist i810fb
|
|
|
|
|
blacklist intelfb
|
|
|
|
|
blacklist kyrofb
|
|
|
|
|
blacklist lxfb
|
|
|
|
|
blacklist matroxfb_bases
|
|
|
|
|
blacklist neofb
|
|
|
|
|
blacklist nvidiafb
|
|
|
|
|
blacklist pm2fb
|
|
|
|
|
blacklist radeonfb
|
|
|
|
|
blacklist rivafb
|
|
|
|
|
blacklist s1d13xxxfb
|
|
|
|
|
blacklist savagefb
|
|
|
|
|
blacklist sisfb
|
|
|
|
|
blacklist sstfb
|
|
|
|
|
blacklist tdfxfb
|
|
|
|
|
blacklist tridentfb
|
|
|
|
|
blacklist vesafb
|
|
|
|
|
blacklist vfb
|
|
|
|
|
blacklist viafb
|
|
|
|
|
blacklist vt8623fb
|
|
|
|
|
blacklist udlfb
|
|
|
|
|
|
|
|
|
|
## Miscellaneous:
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
|
|
|
|
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
2024-07-13 09:29:52 -04:00
|
|
|
##
|
2024-07-11 12:42:37 -04:00
|
|
|
blacklist ath_pci
|
|
|
|
|
blacklist amd76x_edac
|
|
|
|
|
blacklist asus_acpi
|
|
|
|
|
blacklist bcm43xx
|
|
|
|
|
blacklist eepro100
|
|
|
|
|
blacklist eth1394
|
|
|
|
|
blacklist evbug
|
|
|
|
|
blacklist de4x5
|
|
|
|
|
blacklist garmin_gps
|
|
|
|
|
blacklist pcspkr
|
|
|
|
|
blacklist prism54
|
|
|
|
|
blacklist snd_aw2
|
|
|
|
|
blacklist snd_intel8x0m
|
|
|
|
|
blacklist snd_pcsp
|
|
|
|
|
blacklist usbkbd
|
|
|
|
|
blacklist usbmouse
|
