Updated comments

2024-10-01 08:25:45 -04:00 · 2022-07-12 16:58:16 +10:00 · 2022-07-12 16:58:16 +10:00 · 40ec791774
commit 40ec791774
parent ef1ef9917d
1 changed files with 36 additions and 39 deletions
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@ -1,20 +1,20 @@
 ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.

-# See the following links for a community discussion and overview regarding the selections
-# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
-# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+## See the following links for a community discussion and overview regarding the selections
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules

-# Disable automatic conntrack helper assignment
-# https://phabricator.whonix.org/T486
+## Disable automatic conntrack helper assignment
+## https://phabricator.whonix.org/T486
 options nf_conntrack nf_conntrack_helper=0

-# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
-# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
+## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/disabled-by-security-misc
 install btusb /bin/disabled-by-security-misc

-# Disable thunderbolt and firewire modules to prevent some DMA attacks
+## Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/disabled-by-security-misc
 install firewire-core /bin/disabled-by-security-misc
 install firewire_core /bin/disabled-by-security-misc
@ -28,17 +28,14 @@ install dv1394 /bin/disabled-by-security-misc
 install raw1394 /bin/disabled-by-security-misc
 install video1394 /bin/disabled-by-security-misc

-# Disable CPU MSRs as they can be abused to write to arbitrary memory.
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
 install msr /bin/disabled-by-security-misc

-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-#
-# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-#
-# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-#
-# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-#
+## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
+## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
+## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
 install dccp /bin/disabled-by-security-misc
 install sctp /bin/disabled-by-security-misc
 install rds /bin/disabled-by-security-misc
@ -59,7 +56,7 @@ install p8022 /bin/disabled-by-security-misc
 install can /bin/disabled-by-security-misc
 install atm /bin/disabled-by-security-misc

-# Disable uncommon file systems to reduce attack surface
+## Disable uncommon file systems to reduce attack surface
 install cramfs /bin/disabled-by-security-misc
 install freevxfs /bin/disabled-by-security-misc
 install jffs2 /bin/disabled-by-security-misc
@ -67,7 +64,7 @@ install hfs /bin/disabled-by-security-misc
 install hfsplus /bin/disabled-by-security-misc
 install udf /bin/disabled-by-security-misc

-# Disable uncommon network file systems to reduce attack surface
+## Disable uncommon network file systems to reduce attack surface
 install cifs /bin/disabled-by-security-misc
 install nfs /bin/disabled-by-security-misc
 install nfsv3 /bin/disabled-by-security-misc
@ -75,23 +72,23 @@ install nfsv4 /bin/disabled-by-security-misc
 install ksmbd /bin/disabled-by-security-misc
 install gfs2 /bin/disabled-by-security-misc

-# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
-# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-# https://www.openwall.com/lists/oss-security/2019/11/02/1
-# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/disabled-by-security-misc

-# Disable Intel Management Engine (ME) interface with the OS
-# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+## Disable Intel Management Engine (ME) interface with the OS
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/disabled-by-security-misc
 install mei-me /bin/disabled-by-security-misc

-# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
-# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 blacklist ath_pci

-# Blacklist automatic loading of miscellaneous modules
-# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## Blacklist automatic loading of miscellaneous modules
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 blacklist evbug
 blacklist usbmouse
 blacklist usbkbd
@ -108,23 +105,23 @@ blacklist snd_pcsp
 blacklist pcspkr
 blacklist amd76x_edac

-# Blacklist automatic loading of framebuffer drivers
-# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+## Blacklist automatic loading of framebuffer drivers
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
 blacklist aty128fb
 blacklist atyfb
-# blacklist radeonfb
+#blacklist radeonfb
 blacklist cirrusfb
 blacklist cyber2000fb
 blacklist cyblafb
 blacklist gx1fb
 blacklist hgafb
 blacklist i810fb
-# blacklist intelfb
+#blacklist intelfb
 blacklist kyrofb
 blacklist lxfb
-blacklist matroxfb_base
+blacklist matroxfb_bases
 blacklist neofb
-# blacklist nvidiafb
+#blacklist nvidiafb
 blacklist pm2fb
 blacklist rivafb
 blacklist s1d13xxxfb
@ -133,15 +130,15 @@ blacklist sisfb
 blacklist sstfb
 blacklist tdfxfb
 blacklist tridentfb
-# blacklist vesafb
+#blacklist vesafb
 blacklist vfb
 blacklist viafb
 blacklist vt8623fb
 blacklist udlfb

-# Disable CD-ROM devices
-# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+## Disable CD-ROM devices
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
 #install cdrom /bin/disabled-by-security-misc
 #install sr_mod /bin/disabled-by-security-misc
 blacklist cdrom