security-misc/etc/modprobe.d/30_security-misc.conf

## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## See the following links for a community discussion and overview regarding the selections.
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules

## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.

## CD-ROM/DVD:
## Blacklist CD-ROM and DVD modules.
## Do not disable by default for potential future ISO plans.
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#
blacklist cdrom
blacklist sr_mod
#
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc

## Connection Tracking:
## Disable automatic conntrack helper assignment.
## https://phabricator.whonix.org/T486
#
options nf_conntrack nf_conntrack_helper=0

## Framebuffer Drivers:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
#
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist i810fb
blacklist intelfb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_bases
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist rivafb
blacklist s1d13xxxfb
blacklist savagefb
blacklist sisfb
blacklist sstfb
blacklist tdfxfb
blacklist tridentfb
blacklist vesafb
blacklist vfb
blacklist viafb
blacklist vt8623fb
blacklist udlfb

## Miscellaneous:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
#
blacklist ath_pci
blacklist evbug
blacklist usbmouse
blacklist usbkbd
blacklist eepro100
blacklist de4x5
blacklist eth1394
blacklist snd_intel8x0m
blacklist snd_aw2
blacklist prism54
blacklist bcm43xx
blacklist garmin_gps
blacklist asus_acpi
blacklist snd_pcsp
blacklist pcspkr
blacklist amd76x_edac

## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
#
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
#
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
#install btusb /usr/bin/disabled-bluetooth-by-security-misc

## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
#
#install msr /usr/bin/disabled-msr-by-security-misc

## FireWire (IEEE 1394):
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
#
install firewire-core /usr/bin/disabled-firewire-by-security-misc
install firewire-net /usr/bin/disabled-firewire-by-security-misc
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
install ohci1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc
install dv1394 /usr/bin/disabled-firewire-by-security-misc
install raw1394 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc

## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
#
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc

## Global Positioning Systems:
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
#
install gnss /usr/bin/disabled-gps-by-security-misc
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
install gnss-serial /usr/bin/disabled-gps-by-security-misc
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
install gnss-usb /usr/bin/disabled-gps-by-security-misc
install gnss-ubx /usr/bin/disabled-gps-by-security-misc

## Intel Management Engine (ME):
## Partially disable the Intel ME interface with the OS.
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
#
install mei /usr/bin/disabled-intelme-by-security-misc
install mei-me /usr/bin/disabled-intelme-by-security-misc

## Network File Systems:
## Disable uncommon network file systems to reduce attack surface.
#
install cifs /usr/bin/disabled-netfilesys-by-security-misc
install nfs /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc

## Network Protocols:
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## https://tails.boum.org/blueprint/blacklist_modules/
## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
#
install dccp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install rds /usr/bin/disabled-network-by-security-misc
install tipc /usr/bin/disabled-network-by-security-misc
install n-hdlc /usr/bin/disabled-network-by-security-misc
install ax25 /usr/bin/disabled-network-by-security-misc
install netrom /usr/bin/disabled-network-by-security-misc
install x25 /usr/bin/disabled-network-by-security-misc
install rose /usr/bin/disabled-network-by-security-misc
install decnet /usr/bin/disabled-network-by-security-misc
install econet /usr/bin/disabled-network-by-security-misc
install af_802154 /usr/bin/disabled-network-by-security-misc
install ipx /usr/bin/disabled-network-by-security-misc
install appletalk /usr/bin/disabled-network-by-security-misc
install psnap /usr/bin/disabled-network-by-security-misc
install p8023 /usr/bin/disabled-network-by-security-misc
install p8022 /usr/bin/disabled-network-by-security-misc
install can /usr/bin/disabled-network-by-security-misc
install atm /usr/bin/disabled-network-by-security-misc

## Miscellaneous:
#
## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
#
install vivid /usr/bin/disabled-vivid-by-security-misc

## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
#
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
Update Copyright (C) to 2024 2024-05-11 13:18:36 +10:00			`## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00			`## See the file COPYING for copying conditions.`

Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## See the following links for a community discussion and overview regarding the selections.`
Updated comments 2022-07-12 16:58:16 +10:00			`## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989`
			`## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules`
Updated descriptions of disabled modules 2022-07-08 03:04:37 +10:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Blacklisting prevents kernel modules from automatically starting.`
			`## Disabling prohibits kernel modules from starting.`

			`## CD-ROM/DVD:`
			`## Blacklist CD-ROM and DVD modules.`
			`## Do not disable by default for potential future ISO plans.`
			`## https://nvd.nist.gov/vuln/detail/CVE-2018-11506`
			`## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31`
			`#`
			`blacklist cdrom`
			`blacklist sr_mod`
			`#`
			`#install cdrom /usr/bin/disabled-cdrom-by-security-misc`
			`#install sr_mod /usr/bin/disabled-cdrom-by-security-misc`

			`## Connection Tracking:`
			`## Disable automatic conntrack helper assignment.`
Updated comments 2022-07-12 16:58:16 +10:00			`## https://phabricator.whonix.org/T486`
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`#`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00			`options nf_conntrack nf_conntrack_helper=0`

Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Framebuffer Drivers:`
			`## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco`
			`#`
			`blacklist aty128fb`
			`blacklist atyfb`
			`blacklist radeonfb`
			`blacklist cirrusfb`
			`blacklist cyber2000fb`
			`blacklist cyblafb`
			`blacklist gx1fb`
			`blacklist hgafb`
			`blacklist i810fb`
			`blacklist intelfb`
			`blacklist kyrofb`
			`blacklist lxfb`
			`blacklist matroxfb_bases`
			`blacklist neofb`
			`blacklist nvidiafb`
			`blacklist pm2fb`
			`blacklist rivafb`
			`blacklist s1d13xxxfb`
			`blacklist savagefb`
			`blacklist sisfb`
			`blacklist sstfb`
			`blacklist tdfxfb`
			`blacklist tridentfb`
			`blacklist vesafb`
			`blacklist vfb`
			`blacklist viafb`
			`blacklist vt8623fb`
			`blacklist udlfb`

			`## Miscellaneous:`
			`## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco`
			`## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco`
			`#`
			`blacklist ath_pci`
			`blacklist evbug`
			`blacklist usbmouse`
			`blacklist usbkbd`
			`blacklist eepro100`
			`blacklist de4x5`
			`blacklist eth1394`
			`blacklist snd_intel8x0m`
			`blacklist snd_aw2`
			`blacklist prism54`
			`blacklist bcm43xx`
			`blacklist garmin_gps`
			`blacklist asus_acpi`
			`blacklist snd_pcsp`
			`blacklist pcspkr`
			`blacklist amd76x_edac`

			`## Bluetooth:`
			`## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.`
Updated comments 2022-07-12 16:58:16 +10:00			`## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns`
30_security-misc.conf 2023-10-27 14:34:21 +00:00			`#`
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.`
30_security-misc.conf 2023-10-27 14:34:21 +00:00			`#`
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc`
			`#install btusb /usr/bin/disabled-bluetooth-by-security-misc`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## CPU Model-Specific Registers (MSRs):`
			`## Disable CPU MSRs as they can be abused to write to arbitrary memory.`
			`## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode`
			`## https://github.com/Kicksecure/security-misc/issues/215`
			`#`
			`#install msr /usr/bin/disabled-msr-by-security-misc`

			`## FireWire (IEEE 1394):`
			`## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.`
			`## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues`
			`#`
usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 2024-01-17 13:39:56 -05:00			`install firewire-core /usr/bin/disabled-firewire-by-security-misc`
Disable `firewire-net` module 2024-05-09 02:34:02 +00:00			`install firewire-net /usr/bin/disabled-firewire-by-security-misc`
usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 2024-01-17 13:39:56 -05:00			`install firewire-ohci /usr/bin/disabled-firewire-by-security-misc`
			`install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc`
			`install ohci1394 /usr/bin/disabled-firewire-by-security-misc`
			`install sbp2 /usr/bin/disabled-firewire-by-security-misc`
			`install dv1394 /usr/bin/disabled-firewire-by-security-misc`
			`install raw1394 /usr/bin/disabled-firewire-by-security-misc`
			`install video1394 /usr/bin/disabled-firewire-by-security-misc`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## File Systems:`
			`## Disable uncommon file systems to reduce attack surface.`
			`## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.`
			`#`
			`install cramfs /usr/bin/disabled-filesys-by-security-misc`
			`install freevxfs /usr/bin/disabled-filesys-by-security-misc`
			`install jffs2 /usr/bin/disabled-filesys-by-security-misc`
			`install hfs /usr/bin/disabled-filesys-by-security-misc`
			`install hfsplus /usr/bin/disabled-filesys-by-security-misc`
			`install udf /usr/bin/disabled-filesys-by-security-misc`

			`## Global Positioning Systems:`
			`## Disable GPS-related modules like GNSS (Global Navigation Satellite System).`
			`#`
			`install gnss /usr/bin/disabled-gps-by-security-misc`
			`install gnss-mtk /usr/bin/disabled-gps-by-security-misc`
			`install gnss-serial /usr/bin/disabled-gps-by-security-misc`
			`install gnss-sirf /usr/bin/disabled-gps-by-security-misc`
			`install gnss-usb /usr/bin/disabled-gps-by-security-misc`
			`install gnss-ubx /usr/bin/disabled-gps-by-security-misc`

			`## Intel Management Engine (ME):`
			`## Partially disable the Intel ME interface with the OS.`
			`## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html`
			`#`
			`install mei /usr/bin/disabled-intelme-by-security-misc`
			`install mei-me /usr/bin/disabled-intelme-by-security-misc`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Network File Systems:`
			`## Disable uncommon network file systems to reduce attack surface.`
			`#`
			`install cifs /usr/bin/disabled-netfilesys-by-security-misc`
			`install nfs /usr/bin/disabled-netfilesys-by-security-misc`
			`install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc`
			`install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc`
			`install ksmbd /usr/bin/disabled-netfilesys-by-security-misc`
			`install gfs2 /usr/bin/disabled-netfilesys-by-security-misc`

			`## Network Protocols:`
			`## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.`
			`## https://tails.boum.org/blueprint/blacklist_modules/`
			`## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)`
			`## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco`
			`#`
usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 2024-01-17 13:39:56 -05:00			`install dccp /usr/bin/disabled-network-by-security-misc`
			`install sctp /usr/bin/disabled-network-by-security-misc`
			`install rds /usr/bin/disabled-network-by-security-misc`
			`install tipc /usr/bin/disabled-network-by-security-misc`
			`install n-hdlc /usr/bin/disabled-network-by-security-misc`
			`install ax25 /usr/bin/disabled-network-by-security-misc`
			`install netrom /usr/bin/disabled-network-by-security-misc`
			`install x25 /usr/bin/disabled-network-by-security-misc`
			`install rose /usr/bin/disabled-network-by-security-misc`
			`install decnet /usr/bin/disabled-network-by-security-misc`
			`install econet /usr/bin/disabled-network-by-security-misc`
			`install af_802154 /usr/bin/disabled-network-by-security-misc`
			`install ipx /usr/bin/disabled-network-by-security-misc`
			`install appletalk /usr/bin/disabled-network-by-security-misc`
			`install psnap /usr/bin/disabled-network-by-security-misc`
			`install p8023 /usr/bin/disabled-network-by-security-misc`
			`install p8022 /usr/bin/disabled-network-by-security-misc`
			`install can /usr/bin/disabled-network-by-security-misc`
			`install atm /usr/bin/disabled-network-by-security-misc`
Blacklist more modules 2020-09-19 20:46:19 +01:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Miscellaneous:`
			`#`
			`## Vivid:`
			`## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.`
Updated comments 2022-07-12 16:58:16 +10:00			`## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233`
			`## https://www.openwall.com/lists/oss-security/2019/11/02/1`
			`## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475`
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`#`
usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 2024-01-17 13:39:56 -05:00			`install vivid /usr/bin/disabled-vivid-by-security-misc`
Blacklist more modules 2022-07-07 09:26:55 +00:00
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00			`## Thunderbolt:`
			`## Disables Thunderbolt modules to prevent some DMA attacks.`
			`## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities`
			`#`
			`install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc`