From 51f7776bc8722752d53fc503b0c79564d8715d4c Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:56:12 +1000
Subject: [PATCH] Disable more network protocols/drivers

---
 .../30_security-misc_blacklist.conf | 2 -
 etc/modprobe.d/30_security-misc_disable.conf | 57 +++++++++++++++++--
 2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index c192c3c..c35af0b 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -63,8 +63,6 @@ blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
 blacklist bcm43xx
-blacklist eepro100
-blacklist eth1394
 blacklist evbug
 blacklist de4x5
 blacklist pcspkr
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 423aced..9ba5f84 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -115,28 +115,73 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ##
 ## https://tails.boum.org/blueprint/blacklist_modules/
-## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
 ##
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
-install atm /usr/bin/disabled-network-by-security-misc
 install ax25 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
+install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install dccp /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
 install ipx /usr/bin/disabled-network-by-security-misc
 install n-hdlc /usr/bin/disabled-network-by-security-misc
 install netrom /usr/bin/disabled-network-by-security-misc
 install p8022 /usr/bin/disabled-network-by-security-misc
 install p8023 /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
+##
+## Asynchronous Transfer Mode (ATM):
+##
+install atm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
+##
+## Controller Area Network (CAN) Protocol:
+##
+install c_can /usr/bin/disabled-network-by-security-misc
+install c_can_pci /usr/bin/disabled-network-by-security-misc
+install c_can_platform /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install can-bcm /usr/bin/disabled-network-by-security-misc
+install can-dev /usr/bin/disabled-network-by-security-misc
+install can-gw /usr/bin/disabled-network-by-security-misc
+install can-isotp /usr/bin/disabled-network-by-security-misc
+install can-raw /usr/bin/disabled-network-by-security-misc
+install can-j1939 /usr/bin/disabled-network-by-security-misc
+install can327 /usr/bin/disabled-network-by-security-misc
+install ifi_canfd /usr/bin/disabled-network-by-security-misc
+install janz-ican3 /usr/bin/disabled-network-by-security-misc
+install m_can /usr/bin/disabled-network-by-security-misc
+install m_can_pci /usr/bin/disabled-network-by-security-misc
+install m_can_platform /usr/bin/disabled-network-by-security-misc
+install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
+install slcan /usr/bin/disabled-network-by-security-misc
+install ucan /usr/bin/disabled-network-by-security-misc
+install vxcan /usr/bin/disabled-network-by-security-misc
+install vcan /usr/bin/disabled-network-by-security-misc
+##
+## Transparent Inter Process Communication (TIPC):
+##
+install tipc /usr/bin/disabled-network-by-security-misc
+install tipc_diag /usr/bin/disabled-network-by-security-misc
+##
+## Reliable Datagram Sockets (RDS):
+##
+install rds /usr/bin/disabled-network-by-security-misc
+install rds_rdma /usr/bin/disabled-network-by-security-misc
+install rds_tcp /usr/bin/disabled-network-by-security-misc
+##
+## Stream Control Transmission Protocol (SCTP):
+##
+install sctp /usr/bin/disabled-network-by-security-misc
+install sctp_diag /usr/bin/disabled-network-by-security-misc
 
 ## Miscellaneous:
 ##
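Review bot: `install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc` is the only new entry whose install command is not the helper script: modprobe passes the string to the shell, so `/bin/true` runs with the script path as an ignored argument, the helper never executes, and the load is suppressed silently, unlike every other line in this block. If the intent is the same treatment as the rest, the line should read `install brcm80211 /usr/bin/disabled-network-by-security-misc`. Two things to verify before keeping it at all: to my knowledge `brcm80211` is a kernel source directory rather than a loadable module name (the modules are `brcmfmac`, `brcmsmac`, `brcmutil`), so the line may match nothing, and if it is meant to block Broadcom Wi-Fi it is a common laptop driver rather than a rare protocol and deserves its own commented section with a rationale instead of a slot in this list. Separately, `eepro100` and `eth1394` were, as far as I know, removed from mainline kernels long ago, so the new install lines for them are harmless but dead and could carry a comment saying they only cover out-of-tree builds.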