mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Update README.md relating to modprobe
This commit is contained in:
parent
41a3bf92fb
commit
5f10cc8bcf
72
README.md
@ -124,62 +124,44 @@ modules for the user, like drivers etc., given they are plugged in on startup.
|
|||||||
|
|
||||||
#### Blacklist and disable kernel modules
|
#### Blacklist and disable kernel modules
|
||||||
|
|
||||||
Certain kernel modules are blacklisted and disabled by default to reduce attack
|
Certain kernel modules are blacklisted by default to reduce attack surface via
|
||||||
surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and
|
`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
|
||||||
`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively.
|
modules from automatically starting.
|
||||||
|
|
||||||
- Deactivates Netfilter's connection tracking helper - this module increases
|
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||||
kernel attack surface by enabling superfluous functionality such as IRC
|
|
||||||
parsing in the kernel. Hence, this feature is disabled.
|
|
||||||
|
|
||||||
- Thunderbolt and numerous FireWire kernel modules are also disabled as they
|
- Conntrack: Deactivates Netfilter's connection tracking helper - this module
|
||||||
are often vulnerable to DMA attacks.
|
increases kernel attack surface by enabling superfluous functionality such
|
||||||
|
as IRC parsing in the kernel. Hence, this feature is disabled.
|
||||||
|
|
||||||
- The MSR kernel module is disabled to prevent CPU MSRs from being abused to
|
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||||
write to arbitrary memory.
|
kernel panics, and are generally only used by legacy devices.
|
||||||
|
|
||||||
- Uncommon network protocols are blacklisted. This includes:
|
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
||||||
|
automatically loading.
|
||||||
|
|
||||||
- DCCP - Datagram Congestion Control Protocol
|
Specific kernel modules are entirely disabled to reduce attack surface via
|
||||||
- SCTP - Stream Control Transmission Protocol
|
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
||||||
- RDS - Reliable Datagram Sockets
|
modules from starting. This approach should not be considered comprehensive,
|
||||||
- TIPC - Transparent Inter-process Communication
|
rather it is a form of badness enumeration.
|
||||||
- HDLC - High-Level Data Link Control
|
|
||||||
- AX25 - Amateur X.25
|
|
||||||
- NetRom
|
|
||||||
- X25
|
|
||||||
- ROSE
|
|
||||||
- DECnet
|
|
||||||
- Econet
|
|
||||||
- af_802154 - IEEE 802.15.4
|
|
||||||
- IPX - Internetwork Packet Exchange
|
|
||||||
- AppleTalk
|
|
||||||
- PSNAP - Subnetwork Access Protocol
|
|
||||||
- p8023 - Novell raw IEEE 802.3
|
|
||||||
- p8022 - IEEE 802.2
|
|
||||||
- CAN - Controller Area Network
|
|
||||||
- ATM
|
|
||||||
|
|
||||||
- Disables a large array of uncommon file systems and network file systems
|
- File Systems: Disable uncommon and legacy file systems.
|
||||||
that reduces the attack surface especially against legacy approaches.
|
|
||||||
|
|
||||||
- The vivid kernel module is only required for testing and has been the cause
|
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||||
of multiple vulnerabilities so it is disabled.
|
|
||||||
|
|
||||||
- Provides some disabling of the interface between the [Intel Management
|
- GPS: Disables GPS-related modules responsible systems such as for Global
|
||||||
Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html)
|
Navigation Satellite System (GNSS).
|
||||||
and the OS.
|
|
||||||
|
|
||||||
- Disables several kernel modules responsible for GPS such as GNSS (Global
|
- Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||||
Navigation Satellite System).
|
Intel ME and the OS.
|
||||||
|
|
||||||
- Incorporates much of
|
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||||
[Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco)
|
|
||||||
default blacklist of modules to be blocked from automatically loading.
|
|
||||||
However, they are still permitted to load.
|
|
||||||
|
|
||||||
- Blocks automatic loading of the modules needed to use of CD-ROM devices by
|
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
|
||||||
default. Not completely disabled yet.
|
|
||||||
|
- Miscellaneous: Disable an assortment other modules such as vivid.
|
||||||
|
|
||||||
|
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||||
|
|
||||||
### Other
|
### Other
|
||||||
|
|
||||||
|
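Review bot: several of the rewritten bullets on the right-hand side carry grammar slips that should be fixed before this lands: "Blacklist an assortment other modules to prevent them from automatically loading." and "Disable an assortment other modules such as vivid." both drop "of"; "GPS: Disables GPS-related modules responsible systems such as for Global Navigation Satellite System (GNSS)." is garbled and could read "GPS: Disables modules for Global Navigation Satellite System (GNSS) receivers."; "FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks." and the matching Thunderbolt line pair a singular heading with "they" ("Disabled as it is often vulnerable to DMA attacks."). The bullets also mix imperative and past-participle forms ("CD-ROM/DVD: Blacklist modules ..." next to "Framebuffer Drivers: Blacklisted as ..."), so pick one. Separately, the rewrite drops information the old text gave the reader: the explicit list of disabled network protocols (DCCP, SCTP, RDS, TIPC, HDLC, AX25, and the rest), the MSR bullet explaining that CPU MSRs are disabled to prevent arbitrary memory writes, and the pointer to Ubuntu's default modprobe blacklist. If those remain configured in `30_security-misc_disable.conf` and `30_security-misc_blacklist.conf`, the README should at least say where the full list lives so users can audit what is blocked. The new sentence "This approach should not be considered comprehensive, rather it is a form of badness enumeration." is a good addition and worth keeping.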