diff --git a/README.md b/README.md index 8c232ae..1499540 100644 --- a/README.md +++ b/README.md @@ -344,6 +344,8 @@ Hardware modules: - Optional - Bluetooth: Disabled to reduce attack surface. +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - GPS: Disable GPS-related modules such as those required for Global Navigation @@ -373,20 +375,22 @@ Miscellaneous modules: - Amateur Radios: Disabled to reduce attack surface. -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - - Floppy Disks: Disabled to reduce attack surface. - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause kernel panics, and are generally only used by legacy devices. +- Joysticks: Disabled to reduce attack surface. + - Replaced Modules: Disabled legacy drivers that have been entirely replaced and superseded by newer drivers. +- RDNIS - Disabled as believed to have unfixable buffer overflow issues. + - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -- Vivid: Disabled to reduce attack surface given previous vulnerabilities. +- Optional - Vivid: Disabled to reduce attack surface given previous vulnerabilities. ### Other diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared index 936e26a..f3bd87b 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared 
@@ -11,13 +11,13 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. ## Not disabled by default due to potential future ISO plans. +## Can uncomment the bottom pair to disable both modules. ## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 ## blacklist cdrom blacklist sr_mod -## #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc @@ -26,21 +26,17 @@ blacklist sr_mod ## GrapheneOS: ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. +## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97. ## -## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf +## https://github.com/GrapheneOS/infrastructure/tree/main/etc/modprobe.d +## https://www.kicksecure.com/wiki/Dev/audio +## https://github.com/Kicksecure/security-misc/issues/271 ## #blacklist cfg80211 #blacklist intel_agp #blacklist ip_tables -blacklist joydev #blacklist mousedev #blacklist psmouse -## TODO: Re-check in Debian trixie -## In GrapheneOS list, yes, "should" be out-commented here. -## But not actually out-commented. -## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. -## https://www.kicksecure.com/wiki/Dev/audio -## https://github.com/Kicksecure/security-misc/issues/271 #blacklist snd_intel8x0 #blacklist tls #blacklist virtio_balloon diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 9c5c380..fb06543 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
@@ -17,11 +17,10 @@ ## 1. Hardware: ## Bluetooth: -## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## Can disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## Replaced with a privacy and security preserving default Bluetooth configuration for better usability. ## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -## -## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. ## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc @@ -42,6 +41,18 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc +## CPU Model-Specific Registers (MSRs): +## Can disable CPU MSRs as they can be abused to write to arbitrary memory. +## +## https://en.wikipedia.org/wiki/Model-specific_register +## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc +#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc +#install msr /usr/bin/disabled-cpumsr-by-security-misc + ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. ## 
@@ -96,6 +107,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Platform Monitoring Technology (PMT) Telemetry: ## Disable certain functionalities of the Intel PMT components. ## +## https://www.intel.com/content/www/us/en/content-details/710389/intel-platform-monitoring-technology-intel-pmt-technical-specification.html ## https://github.com/intel/Intel-PMT ## install pmt_class /usr/bin/disabled-intelpmt-by-security-misc 
@@ -117,28 +129,49 @@ install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc ## Disable uncommon file systems to reduce attack surface. ## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## +## https://docs.kernel.org/filesystems/index.html +## https://github.com/secureblue/secureblue/tree/live/files/system/usr/lib/modprobe.d +## +install adfs /usr/bin/disabled-filesys-by-security-misc +install affs /usr/bin/disabled-filesys-by-security-misc +install afs /usr/bin/disabled-filesys-by-security-misc +install befs /usr/bin/disabled-filesys-by-security-misc +install ceph /usr/bin/disabled-filesys-by-security-misc +install coda /usr/bin/disabled-filesys-by-security-misc install cramfs /usr/bin/disabled-filesys-by-security-misc +install ecryptfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc install jfs /usr/bin/disabled-filesys-by-security-misc +install kafs /usr/bin/disabled-filesys-by-security-misc +install minix /usr/bin/disabled-filesys-by-security-misc +install nilfs2 /usr/bin/disabled-filesys-by-security-misc +install ocfs2 /usr/bin/disabled-filesys-by-security-misc +install orangefs /usr/bin/disabled-filesys-by-security-misc install reiserfs /usr/bin/disabled-filesys-by-security-misc +install romfs /usr/bin/disabled-filesys-by-security-misc +install sysv /usr/bin/disabled-filesys-by-security-misc +install ubifs /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc +install ufs /usr/bin/disabled-filesys-by-security-misc +install zonefs /usr/bin/disabled-filesys-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. 
## +install 9p /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -## -## Common Internet File System (CIFS): + +## Network File System - Common Internet File System (CIFS): ## install cifs /usr/bin/disabled-netfilesys-by-security-misc install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc -## -## Network File System (NFS): + +## Network File System - Network File System (NFS): ## install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc @@ -163,7 +196,6 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -#install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc @@ -177,15 +209,15 @@ install p8023 /usr/bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc -## -## Asynchronous Transfer Mode (ATM): + +## Network Protocol - Asynchronous Transfer Mode (ATM): ## install atm /usr/bin/disabled-network-by-security-misc install ueagle-atm /usr/bin/disabled-network-by-security-misc install usbatm /usr/bin/disabled-network-by-security-misc install xusbatm /usr/bin/disabled-network-by-security-misc -## -## Controller Area Network (CAN) Protocol: + +## Network Protocol - Controller Area Network (CAN): ## install c_can /usr/bin/disabled-network-by-security-misc install c_can_pci /usr/bin/disabled-network-by-security-misc 
@@ -208,19 +240,19 @@ install slcan /usr/bin/disabled-network-by-security-misc install ucan /usr/bin/disabled-network-by-security-misc install vxcan /usr/bin/disabled-network-by-security-misc install vcan /usr/bin/disabled-network-by-security-misc -## -## Transparent Inter Process Communication (TIPC): + +## Network Protocol - Transparent Inter Process Communication (TIPC): ## install tipc /usr/bin/disabled-network-by-security-misc install tipc_diag /usr/bin/disabled-network-by-security-misc -## -## Reliable Datagram Sockets (RDS): + +## Network Protocol - Reliable Datagram Sockets (RDS): ## install rds /usr/bin/disabled-network-by-security-misc install rds_rdma /usr/bin/disabled-network-by-security-misc install rds_tcp /usr/bin/disabled-network-by-security-misc -## -## Stream Control Transmission Protocol (SCTP): + +## Network Protocol - Stream Control Transmission Protocol (SCTP): ## install sctp /usr/bin/disabled-network-by-security-misc install sctp_diag /usr/bin/disabled-network-by-security-misc @@ -231,14 +263,6 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## install hamradio /usr/bin/disabled-miscellaneous-by-security-misc -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - ## Floppy Disks: ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc 
@@ -280,43 +304,48 @@ install viafb /usr/bin/disabled-framebuffer-by-security-misc install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc install udlfb /usr/bin/disabled-framebuffer-by-security-misc +## Joysticks: +## +## https://docs.kernel.org/input/joydev/joystick.html +## +install joydev /usr/bin/disabled-miscellaneous-by-security-misc + ## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. -## These were all previously blacklisted. +## Many of these were previously blacklisted. ## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc +## RNDIS: +## Disabled as believed to have unfixable buffer overflow issues impossible to make secure. +## Used by some network devices common with Android USB tethering. +## +## https://en.wikipedia.org/wiki/RNDIS +## https://lkml.org/lkml/2022/11/23/728 +## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/ +## +install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc +install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc + ## USB Video Device Class: ## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. ## #install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc ## Vivid: -## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## Can disable the vivid kernel module since it has been the cause of multiple vulnerabilities. +## Required only for running tests associated with the Qubes Video Companion. 
## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -## -## No longer disabled by default: ## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 ## https://github.com/Kicksecure/security-misc/issues/298 ## #install vivid /usr/bin/disabled-miscellaneous-by-security-misc - -## RNDIS: -## Disable the RNDIS drivers used by some network devices (common with Android -## USB tethering). RNDIS as a protocol is believed to have supposedly -## unfixable buffer overflow issues and may be impossible to implement in a -## secure fashion. -## -## https://lkml.org/lkml/2022/11/23/728 -## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/ -## -install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc -install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc diff --git a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared new file mode 100755 index 0000000..a6b0223 --- /dev/null +++ b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1
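Review bot: the README Miscellaneous hunk misspells the module family as "RDNIS" in `+- RDNIS - Disabled as believed to have unfixable buffer overflow issues.`; the configuration comment and the modules it disables are RNDIS (rndis_host, usb_f_rndis). The entry also uses ` - ` as its separator where every neighbouring bullet uses `Name:`, so it should read `- RNDIS: Disabled as believed to have unfixable buffer overflow issues.` to match the list it sits in.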
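Review bot: the GrapheneOS hunk of 30_security-misc_blacklist.conf drops the action item `## TODO: Re-check in Debian trixie` together with the explanation of why snd_intel8x0 is not blacklisted; the replacement `## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97.` keeps the reason but loses the reminder to revisit, so keep the trixie re-check line (or state that the linked issue #271 is the tracking item) so the exception does not become permanent by accident. In the same hunk `blacklist joydev` leaves this file and reappears in 30_security-misc_disable.conf as `install joydev /usr/bin/disabled-miscellaneous-by-security-misc`; that is a strengthening, not a move, since `blacklist` only stops alias-based autoloading while `install` also makes an explicit `modprobe joydev` fail, and the commit text should say so.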
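Review bot: in the new CPU MSR block of 30_security-misc_disable.conf the stated reason, `Can disable CPU MSRs as they can be abused to write to arbitrary memory.`, describes the `msr` driver, whose /dev/cpu/*/msr interface lets root issue wrmsr from userspace; `intel_rapl_msr` and `isst_if_mbox_msr` are in-kernel consumers of specific power-management MSRs and expose no generic MSR write path, so they do not share that justification. Either split the comment (msr: userspace MSR write access; the other two: plain attack-surface reduction) or leave them out of a block whose rationale does not apply to them. The comment should also say that an `install` line is inert where the msr driver is built into the kernel rather than shipped as a module, and give users a check such as `modinfo msr` or `ls /dev/cpu/*/msr` to confirm the override took effect.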
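Review bot: `install afs /usr/bin/disabled-filesys-by-security-misc` in the File Systems hunk targets a name that is not a module: the in-kernel AFS client builds as `kafs`, which the same hunk already adds, and "afs" is only its filesystem-type alias, so the `afs` line is a no-op and should be dropped or annotated as such. The hunk also files network and cluster filesystems (ceph, coda, kafs, ocfs2, orangefs) under the local "uncommon file systems" section with the disabled-filesys alert, while a "Network File Systems" section using disabled-netfilesys exists directly below; move them so the alert users see names the right category. Of the additions, ecryptfs is the one with a realistic breakage story (existing eCryptfs-encrypted home directories will no longer mount), so it deserves the same kind of caveat line the hunk already keeps for HFS/HFS+.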
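Review bot: `install 9p /usr/bin/disabled-netfilesys-by-security-misc` in the Network File Systems hunk blocks the 9p filesystem client that QEMU/KVM virtio-9p shared folders are mounted through, and since this package ships inside VM images the comment block should say what stops working and how to re-enable it, as the HFS/HFS+ comment does for that case. The entry is also the only one in the hunk without a sub-heading; a one-line `## Network File System - Plan 9 (9p):` above it would match the CIFS and NFS headings this same hunk introduces.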
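Review bot: the network-protocol hunk removes the deliberately commented-out `#install brcm80211 /usr/bin/disabled-network-by-security-misc`, and the Replaced Modules hunk brings it back unconditionally as `install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc`. That is consistent with the linked Ubuntu kmod blacklist, where brcm80211 is listed as the staging driver superseded by brcmsmac, but the line was kept inactive before, so the commit should say why enabling it is now safe, and a short "replaced by brcmsmac" note beside the entry would let the next reader verify it without following the link.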
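Review bot: the relocated RNDIS comment, `Disabled as believed to have unfixable buffer overflow issues impossible to make secure.`, stacks "unfixable" and "impossible to make secure" and loses the point the removed text made, that the protocol itself rather than one driver is the problem. Suggest restoring the removed wording: `RNDIS as a protocol is believed to have unfixable buffer overflow issues and may be impossible to implement in a secure fashion.` Since only rndis_host and usb_f_rndis are listed, confirm that any other RNDIS consumer present in the target kernels (rndis_wlan, for one) is blocked transitively through its rndis_host dependency, or list it explicitly so the coverage is visible in the file.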
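Review bot: the new usr/bin/disabled-cpumsr-by-security-misc alert claims the module `is disabled by package security-misc-shared by default`, but all three install lines that invoke it (`#install intel_rapl_msr`, `#install isst_if_mbox_msr`, `#install msr`) ship commented out, so the message can only ever fire after a user uncommented them; drop "by default" (or say "by the security-misc-shared configuration") so the alert does not contradict the README's "Optional" label. Minor: inside the double-quoted echo, `$@` splits its surrounding text across separate words; `$*` is the idiomatic choice when the arguments are being concatenated into a single log line.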