Merge remote-tracking branch 'raja/mod'

This commit is contained in:
Patrick Schleizer 2024-08-25 10:48:25 -04:00
commit 835376418d
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 113 additions and 88 deletions

View File

@ -234,17 +234,12 @@ modules from starting. This approach should not be considered comprehensive;
rather, it is a form of badness enumeration. Any potential candidates for future
disabling should first be blacklisted for a suitable amount of time.
Hardware modules:
- Optional - Bluetooth: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- File Systems: Disable uncommon and legacy file systems.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- GPS: Disable GPS-related modules such as those required for Global Navigation
Satellite Systems (GNSS).
@ -255,20 +250,38 @@ disabling should first be blacklisted for a suitable amount of time.
- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
of the Intel PMT components.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
File system modules:
- File Systems: Disable uncommon and legacy file systems.
- Network File Systems: Disable uncommon and legacy network file systems.
Networking modules:
- Network Protocols: A wide array of uncommon and legacy network protocols and drivers
are disabled.
- Miscellaneous: Disable an assortment of other modules such as those required
for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
have been entirely replaced by newer drivers.
Miscellaneous modules:
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
- Amateur Radios: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- Floppy Disks: Disabled to reduce attack surface.
- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
superseded by newer drivers.
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
devices like some webcams and digital camcorders.
- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
### Other
- A systemd service clears the System.map file on boot as these contain kernel

View File

@ -22,7 +22,7 @@ blacklist sr_mod
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Miscellaneous:
##
## GrapheneOS:
## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted.
@ -39,7 +39,7 @@ blacklist snd_intel8x0
#blacklist tls
#blacklist virtio_balloon
#blacklist virtio_console
##
## Ubuntu:
## Already disabled modules have been omitted.
##

View File

@ -8,6 +8,14 @@
## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.
## This configuration file is split into 4 sections:
## 1. Hardware
## 2. File Systems
## 3. Networking
## 4. Miscellaneous
## 1. Hardware:
## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
##
@ -34,27 +42,6 @@
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## FireWire (IEEE 1394):
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
##
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Global Positioning Systems (GPS):
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
##
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## 2. File Systems:
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## Network File Systems:
## Disable uncommon network file systems to reduce attack surface.
##
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
## 2. Networking:
## Network Protocols:
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## Previously had blacklisted eepro100 and eth1394.
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install sctp_diag /usr/bin/disabled-network-by-security-misc
## Miscellaneous:
##
## 4. Miscellaneous:
## Amateur Radios:
##
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## Floppy Disks:
##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## Replaced:
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Replaced Modules:
## These legacy drivers have all been entirely replaced and superseded by newer drivers.
## These were all previously blacklisted.
##
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
##
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
##
install vivid /usr/bin/disabled-miscellaneous-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc