Merge remote-tracking branch 'raja/kernel_modules'

This commit is contained in:
Patrick Schleizer 2024-07-15 12:28:03 -04:00
commit 41f0b53dd6
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
10 changed files with 110 additions and 22 deletions

View File

@ -150,8 +150,8 @@ disabling should first be blacklisted for a suitable amount of time.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
- GPS: Disables GPS-related modules responsible systems such as for Global - GPS: Disable GPS-related modules such as those required for Global Navigation
Navigation Satellite System (GNSS). Satellite Systems (GNSS).
- Intel Management Engine (ME): Provides some disabling of the interface between the - Intel Management Engine (ME): Provides some disabling of the interface between the
Intel ME and the OS. Intel ME and the OS.
@ -160,7 +160,8 @@ disabling should first be blacklisted for a suitable amount of time.
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
- Miscellaneous: Disable an assortment other modules such as vivid. - Miscellaneous: Disable an assortment other modules such as those required
for amateur radio, floppy disks, and vivid.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.

View File

@ -31,6 +31,7 @@ rm_conffile /etc/modprobe.d/vivid.conf
rm_conffile /etc/modprobe.d/blacklist-dma.conf rm_conffile /etc/modprobe.d/blacklist-dma.conf
rm_conffile /etc/modprobe.d/msr.conf rm_conffile /etc/modprobe.d/msr.conf
rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
rm_conffile /etc/modprobe.d/30_security-misc.conf
## renamed to /etc/security/limits.d/30_security-misc.conf ## renamed to /etc/security/limits.d/30_security-misc.conf
rm_conffile /etc/security/limits.d/disable-coredumps.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf
@ -66,3 +67,6 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
rm_conffile /etc/permission-hardening.d/30_default.conf rm_conffile /etc/permission-hardening.d/30_default.conf
## repalced with /usr/bin/disabled-miscellaneous-by-security-misc
rm_conffile /usr/bin/disabled-vivid-by-security-misc

View File

@ -63,11 +63,8 @@ blacklist ath_pci
blacklist amd76x_edac blacklist amd76x_edac
blacklist asus_acpi blacklist asus_acpi
blacklist bcm43xx blacklist bcm43xx
blacklist eepro100
blacklist eth1394
blacklist evbug blacklist evbug
blacklist de4x5 blacklist de4x5
blacklist garmin_gps
blacklist pcspkr blacklist pcspkr
blacklist prism54 blacklist prism54
blacklist snd_aw2 blacklist snd_aw2

View File

@ -16,7 +16,22 @@
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
## ##
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
#install btintel /usr/bin/disabled-bluetooth-by-security-misc
#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
#install btqca /usr/bin/disabled-bluetooth-by-security-misc
#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
#install btusb /usr/bin/disabled-bluetooth-by-security-misc #install btusb /usr/bin/disabled-bluetooth-by-security-misc
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs): ## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
@ -24,17 +39,19 @@
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215 ## https://github.com/Kicksecure/security-misc/issues/215
## ##
#install msr /usr/bin/disabled-msr-by-security-misc #install msr /usr/bin/disabled-miscellaneous-by-security-misc
## File Systems: ## File Systems:
## Disable uncommon file systems to reduce attack surface. ## Disable uncommon file systems to reduce attack surface.
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. ## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
## ##
install cramfs /usr/bin/disabled-filesys-by-security-misc install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc
## FireWire (IEEE 1394): ## FireWire (IEEE 1394):
@ -55,6 +72,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
## Global Positioning Systems (GPS): ## Global Positioning Systems (GPS):
## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
## ##
install garmin_gps /usr/bin/disabled-gps-by-security-misc
install gnss /usr/bin/disabled-gps-by-security-misc install gnss /usr/bin/disabled-gps-by-security-misc
install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc
install gnss-serial /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc
@ -73,10 +91,23 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc
## Network File Systems: ## Network File Systems:
## Disable uncommon network file systems to reduce attack surface. ## Disable uncommon network file systems to reduce attack surface.
## ##
install cifs /usr/bin/disabled-netfilesys-by-security-misc
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
##
## Common Internet File System (CIFS):
##
install cifs /usr/bin/disabled-netfilesys-by-security-misc
install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
##
## Network File System (NFS):
##
install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc
install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
install nfsd /usr/bin/disabled-netfilesys-by-security-misc
install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
@ -84,31 +115,84 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## ##
## https://tails.boum.org/blueprint/blacklist_modules/ ## https://tails.boum.org/blueprint/blacklist_modules/
## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
## ##
install af_802154 /usr/bin/disabled-network-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc
install appletalk /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc
install atm /usr/bin/disabled-network-by-security-misc
install ax25 /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc
install can /usr/bin/disabled-network-by-security-misc install brcm80211 /usr/bin/disabled-network-by-security-misc
install decnet /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc
install dccp /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc
install econet /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc
install eepro100 /usr/bin/disabled-network-by-security-misc
install eth1394 /usr/bin/disabled-network-by-security-misc
install ipx /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc
install n-hdlc /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc
install netrom /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc
install p8022 /usr/bin/disabled-network-by-security-misc install p8022 /usr/bin/disabled-network-by-security-misc
install p8023 /usr/bin/disabled-network-by-security-misc install p8023 /usr/bin/disabled-network-by-security-misc
install psnap /usr/bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc
install rds /usr/bin/disabled-network-by-security-misc
install rose /usr/bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install tipc /usr/bin/disabled-network-by-security-misc
install x25 /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc
##
## Asynchronous Transfer Mode (ATM):
##
install atm /usr/bin/disabled-network-by-security-misc
install ueagle-atm /usr/bin/disabled-network-by-security-misc
install usbatm /usr/bin/disabled-network-by-security-misc
install xusbatm /usr/bin/disabled-network-by-security-misc
##
## Controller Area Network (CAN) Protocol:
##
install c_can /usr/bin/disabled-network-by-security-misc
install c_can_pci /usr/bin/disabled-network-by-security-misc
install c_can_platform /usr/bin/disabled-network-by-security-misc
install can /usr/bin/disabled-network-by-security-misc
install can-bcm /usr/bin/disabled-network-by-security-misc
install can-dev /usr/bin/disabled-network-by-security-misc
install can-gw /usr/bin/disabled-network-by-security-misc
install can-isotp /usr/bin/disabled-network-by-security-misc
install can-raw /usr/bin/disabled-network-by-security-misc
install can-j1939 /usr/bin/disabled-network-by-security-misc
install can327 /usr/bin/disabled-network-by-security-misc
install ifi_canfd /usr/bin/disabled-network-by-security-misc
install janz-ican3 /usr/bin/disabled-network-by-security-misc
install m_can /usr/bin/disabled-network-by-security-misc
install m_can_pci /usr/bin/disabled-network-by-security-misc
install m_can_platform /usr/bin/disabled-network-by-security-misc
install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
install slcan /usr/bin/disabled-network-by-security-misc
install ucan /usr/bin/disabled-network-by-security-misc
install vxcan /usr/bin/disabled-network-by-security-misc
install vcan /usr/bin/disabled-network-by-security-misc
##
## Transparent Inter Process Communication (TIPC):
##
install tipc /usr/bin/disabled-network-by-security-misc
install tipc_diag /usr/bin/disabled-network-by-security-misc
##
## Reliable Datagram Sockets (RDS):
##
install rds /usr/bin/disabled-network-by-security-misc
install rds_rdma /usr/bin/disabled-network-by-security-misc
install rds_tcp /usr/bin/disabled-network-by-security-misc
##
## Stream Control Transmission Protocol (SCTP):
##
install sctp /usr/bin/disabled-network-by-security-misc
install sctp_diag /usr/bin/disabled-network-by-security-misc
## Miscellaneous: ## Miscellaneous:
## ##
## Amateur Radios:
##
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
##
## Floppy Disks:
##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
##
## Vivid: ## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
## ##
@ -116,11 +200,13 @@ install x25 /usr/bin/disabled-network-by-security-misc
## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
## ##
install vivid /usr/bin/disabled-vivid-by-security-misc install vivid /usr/bin/disabled-miscellaneous-by-security-misc
## Thunderbolt: ## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks. ## Disables Thunderbolt modules to prevent some DMA attacks.
## ##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
## ##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1

View File

@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1