From 2d27bdd808374a71cd9d7187326be99420411583 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 9 Jul 2019 21:55:37 +0000 Subject: [PATCH 1/6] Blacklist more uncommon network protocols --- etc/modprobe.d/uncommon-network-protocols.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf index 41da209..ef22cde 100644 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ b/etc/modprobe.d/uncommon-network-protocols.conf @@ -4,3 +4,11 @@ install sctp /bin/true install rds /bin/true install tipc /bin/true install n-hdlc /bin/true +install ax25 /bin/true +install netrom /bin/true +install x25 /bin/true +install rose /bin/true +install decnet /bin/true +install econet /bin/true +install rds /bin/true +install af_802154 /bin/true From a8b44c75f9ca6df1460ce0feca647f2f370f8833 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 9 Jul 2019 21:57:07 +0000 Subject: [PATCH 2/6] Update control --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index ba36d93..542ad72 100644 --- a/debian/control +++ b/debian/control @@ -97,7 +97,7 @@ Description: enhances misc security settings . All mitigations for the MDS vulnerability are enabled. . - DCCP, SCTP, TIPC, RDS and HDLC are blacklisted as they are rarely used and + DCCP, SCTP, TIPC, RDS, HDLC, ax25, netrom, x25, rose, decnet, econet and af_80215 are blacklisted as they are rarely used and may have unknown vulnerabilities. . The kernel logs are restricted to root only. From d70440aaeda5f1a1ab0459d02f5f5e56c808bbde Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 9 Jul 2019 21:57:37 +0000 Subject: [PATCH 3/6] Remove duplicate --- etc/modprobe.d/uncommon-network-protocols.conf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf index ef22cde..b8d106a 100644 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ b/etc/modprobe.d/uncommon-network-protocols.conf @@ -10,5 +10,4 @@ install x25 /bin/true install rose /bin/true install decnet /bin/true install econet /bin/true -install rds /bin/true install af_802154 /bin/true From 4058e283a542900e7c8bcc060012d7c33964e36a Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 10 Jul 2019 14:27:19 +0000 Subject: [PATCH 4/6] Blacklist more uncommon network protocols --- etc/modprobe.d/uncommon-network-protocols.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf index b8d106a..6bbc37d 100644 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ b/etc/modprobe.d/uncommon-network-protocols.conf @@ -11,3 +11,9 @@ install rose /bin/true install decnet /bin/true install econet /bin/true install af_802154 /bin/true +install ipx /bin/true +install appletalk /bin/true +install psnap /bin/true +install p8023 /bin/true +install llc /bin/true +install p8022 /bin/true From 1e4d3495167c0305ec1fce8568658a06750df674 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 10 Jul 2019 14:28:39 +0000 Subject: [PATCH 5/6] Update control --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 542ad72..5f1fe60 100644 --- a/debian/control +++ b/debian/control 
@@ -97,7 +97,7 @@ Description: enhances misc security settings . All mitigations for the MDS vulnerability are enabled. . - DCCP, SCTP, TIPC, RDS, HDLC, ax25, netrom, x25, rose, decnet, econet and af_80215 are blacklisted as they are rarely used and + Uncommon network protocols are blacklisted as they are rarely used and may have unknown vulnerabilities. . The kernel logs are restricted to root only. From 932524cbd1b15df06bd4e395dc391dd489ba100f Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 10 Jul 2019 15:28:48 +0000 Subject: [PATCH 6/6] Move disable-coredumps.conf to correct position --- lib/systemd/{system => }/coredump.conf.d/disable-coredumps.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename lib/systemd/{system => }/coredump.conf.d/disable-coredumps.conf (100%) diff --git a/lib/systemd/system/coredump.conf.d/disable-coredumps.conf b/lib/systemd/coredump.conf.d/disable-coredumps.conf similarity index 100% rename from lib/systemd/system/coredump.conf.d/disable-coredumps.conf rename to lib/systemd/coredump.conf.d/disable-coredumps.conf
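Review bot: in PATCH 1/6 the added `install rds /bin/true` duplicates the `install rds /bin/true` already visible in the hunk's own context (the file's existing line 5); drop it here instead of removing it in PATCH 3/6, so that no commit in the series ever carries the duplicate. It is also worth checking each new name against `modinfo` on the target kernels: an `install` line for a module that does not exist there is harmless but protects nothing, and an `install` line has no effect at all on a protocol that is compiled into the kernel rather than built as a module, which only the kernel config reveals.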
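Review bot: in PATCH 2/6 the new description line names `af_80215`, which does not match the module `af_802154` that PATCH 1/6 actually blacklists; the same line also runs far past 80 columns, which a Debian `Description:` continuation line should not, and mixes upper-case protocol names (`DCCP`, `SCTP`) with lower-case module names (`ax25`, `x25`). Since PATCH 5/6 replaces this whole line with generic wording, the simplest fix is to drop this commit from the series.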
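Review bot: PATCH 3/6 only undoes the duplicate `install rds /bin/true` that PATCH 1/6 introduced; squash it into PATCH 1/6 rather than keeping a separate "Remove duplicate" commit in the series.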
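Review bot: in PATCH 4/6 the line `install llc /bin/true` reaches well beyond an uncommon protocol: `llc` is a dependency of `stp` and therefore of the `bridge` module, so once this file is installed, `modprobe bridge` fails on any host that uses Linux bridging (container runtimes, libvirt NAT networks). Because `/bin/true` returns success, modprobe does not report the skipped dependency, and the failure surfaces only as an unknown-symbol error on the dependent module, which is hard to trace back to this file. Either leave `llc` out, or state the breakage explicitly in debian/control and the package README. The same dependency check applies to `p8022` and `psnap`, which `ipx` and `appletalk` pull in: blocking them is fine only if nothing else on the target systems needs them.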
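Review bot: the replacement wording in PATCH 5/6 fixes the `af_80215` typo and the overlong line, but the package description now tells the user nothing about which protocols are disabled. Keep the authoritative list in comments inside etc/modprobe.d/uncommon-network-protocols.conf or in the README, so that someone debugging a failed `modprobe` can find out where the `install ... /bin/true` rule comes from.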
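Review bot: the commit message for the rename in PATCH 6/6 should record why the new location is the right one: systemd-coredump reads its drop-ins from `coredump.conf.d/` directly under the systemd configuration directories (as documented in coredump.conf(5)), whereas `lib/systemd/system/` holds unit files, so the drop-in at the old path was never read. After installing the package, `systemd-analyze cat-config systemd/coredump.conf` shows whether the drop-in is picked up. Note that this file only governs systemd-coredump; it does not disable core dumps on a system where `kernel.core_pattern` hands them to a different handler.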