mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Refactor modprobe.d to minimise potential future merge conflicts
This commit is contained in:
Raja Grewal
parent
e962153f84
commit
18ed77ecc9
35
README.md
35
README.md
@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive;
|
||||
rather, it is a form of badness enumeration. Any potential candidates for future
|
||||
disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
Hardware modules:
|
||||
|
||||
- Optional - Bluetooth: Disabled to reduce attack surface.
|
||||
|
||||
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
|
||||
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
|
||||
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
||||
Satellite Systems (GNSS).
|
||||
|
||||
@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time.
|
||||
- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
|
||||
of the Intel PMT components.
|
||||
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
File system modules:
|
||||
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||
|
||||
Networking modules:
|
||||
|
||||
- Network Protocols: A wide array of uncommon and legacy network protocols and drivers
|
||||
are disabled.
|
||||
|
||||
- Miscellaneous: Disable an assortment of other modules such as those required
|
||||
for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
|
||||
have been entirely replaced by newer drivers.
|
||||
Miscellaneous modules:
|
||||
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
- Amateur Radios: Disabled to reduce attack surface.
|
||||
|
||||
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
|
||||
|
||||
- Floppy Disks: Disabled to reduce attack surface.
|
||||
|
||||
- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
|
||||
- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
|
||||
superseded by newer drivers.
|
||||
|
||||
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
|
||||
devices like some webcams and digital camcorders.
|
||||
|
||||
- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
|
||||
|
||||
### Other
|
||||
|
||||
- A systemd service clears the System.map file on boot as these contain kernel
|
||||
|
||||
@ -22,7 +22,7 @@ blacklist sr_mod
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
|
||||
## Miscellaneous:
|
||||
##
|
||||
|
||||
## GrapheneOS:
|
||||
## Partial selection of their infrastructure blacklist.
|
||||
## Duplicate and already disabled modules have been omitted.
|
||||
@ -39,7 +39,7 @@ blacklist snd_intel8x0
|
||||
#blacklist tls
|
||||
#blacklist virtio_balloon
|
||||
#blacklist virtio_console
|
||||
##
|
||||
|
||||
## Ubuntu:
|
||||
## Already disabled modules have been omitted.
|
||||
##
|
||||
|
||||
@ -8,6 +8,14 @@
|
||||
## Blacklisting prevents kernel modules from automatically starting.
|
||||
## Disabling prohibits kernel modules from starting.
|
||||
|
||||
## This configuration file is split into 4 sections:
|
||||
## 1. Hardware
|
||||
## 2. File Systems
|
||||
## 3. Networking
|
||||
## 4. Miscellaneous
|
||||
|
||||
## 1. Hardware:
|
||||
|
||||
## Bluetooth:
|
||||
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
||||
##
|
||||
@ -34,27 +42,6 @@
|
||||
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
|
||||
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
|
||||
|
||||
## CPU Model-Specific Registers (MSRs):
|
||||
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
##
|
||||
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
|
||||
## https://github.com/Kicksecure/security-misc/issues/215
|
||||
##
|
||||
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## File Systems:
|
||||
## Disable uncommon file systems to reduce attack surface.
|
||||
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
|
||||
##
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfsplus /usr/bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /usr/bin/disabled-filesys-by-security-misc
|
||||
install jfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install reiserfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install udf /usr/bin/disabled-filesys-by-security-misc
|
||||
|
||||
## FireWire (IEEE 1394):
|
||||
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
|
||||
##
|
||||
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install video1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
|
||||
## Framebuffer (fbdev):
|
||||
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
|
||||
## These were all previously blacklisted.
|
||||
##
|
||||
## https://docs.kernel.org/fb/index.html
|
||||
## https://en.wikipedia.org/wiki/Linux_framebuffer
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
##
|
||||
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install neofb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install viafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
|
||||
## Global Positioning Systems (GPS):
|
||||
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
|
||||
##
|
||||
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
|
||||
install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
|
||||
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
|
||||
|
||||
## Thunderbolt:
|
||||
## Disables Thunderbolt modules to prevent some DMA attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
|
||||
##
|
||||
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
|
||||
## 2. File Systems:
|
||||
|
||||
## File Systems:
|
||||
## Disable uncommon file systems to reduce attack surface.
|
||||
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
|
||||
##
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfsplus /usr/bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /usr/bin/disabled-filesys-by-security-misc
|
||||
install jfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install reiserfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install udf /usr/bin/disabled-filesys-by-security-misc
|
||||
|
||||
## Network File Systems:
|
||||
## Disable uncommon network file systems to reduce attack surface.
|
||||
##
|
||||
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
|
||||
## 2. Networking:
|
||||
|
||||
## Network Protocols:
|
||||
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
|
||||
## Previously had blacklisted eepro100 and eth1394.
|
||||
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
|
||||
install sctp /usr/bin/disabled-network-by-security-misc
|
||||
install sctp_diag /usr/bin/disabled-network-by-security-misc
|
||||
|
||||
## Miscellaneous:
|
||||
##
|
||||
## 4. Miscellaneous:
|
||||
|
||||
## Amateur Radios:
|
||||
##
|
||||
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## CPU Model-Specific Registers (MSRs):
|
||||
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
##
|
||||
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
|
||||
## https://github.com/Kicksecure/security-misc/issues/215
|
||||
##
|
||||
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## Floppy Disks:
|
||||
##
|
||||
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## Framebuffer (fbdev):
|
||||
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
|
||||
## These were all previously blacklisted.
|
||||
##
|
||||
## Replaced:
|
||||
## https://docs.kernel.org/fb/index.html
|
||||
## https://en.wikipedia.org/wiki/Linux_framebuffer
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
##
|
||||
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install neofb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install viafb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
|
||||
|
||||
## Replaced Modules:
|
||||
## These legacy drivers have all been entirely replaced and superseded by newer drivers.
|
||||
## These were all previously blacklisted.
|
||||
##
|
||||
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## USB Video Device Class:
|
||||
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
|
||||
##
|
||||
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## Vivid:
|
||||
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
|
||||
##
|
||||
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
##
|
||||
install vivid /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
## Thunderbolt:
|
||||
## Disables Thunderbolt modules to prevent some DMA attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
|
||||
##
|
||||
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
|
||||
## USB Video Device Class:
|
||||
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
|
||||
##
|
||||
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user