From 9449f5017a6feff7e70d625d54d75d514ed2e596 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 3 Oct 2019 20:45:14 +0000
Subject: [PATCH] Create hide-hardware-info

---
 usr/lib/security-misc/hide-hardware-info | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 usr/lib/security-misc/hide-hardware-info

diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
new file mode 100644
index 0000000..587fd5d
--- /dev/null
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+## sysfs and debugfs expose a lot of information
+## that should not be accessible by an unprivileged
+## user which includes hardware info, debug info and
+## more. This restricts /sys, /proc/cpuinfo, /proc/bus
+## and /proc/scsi to the root user only. This hides
+## many hardware identifiers from ordinary users
+## and increases security.
+for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
+do
+ if [ -e "${i}" ]; then
+ chmod og-rwx "${i}"
+ else
+ ## /proc/scsi doesn't exist on Debian so errors
+ ## are expected here.
+ if ! [ "${i}" = "/proc/scsi" ]; then
+ echo "ERROR: ${i} could not be found."
+ fi
+ fi
+done
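Review bot: The `chmod og-rwx "${i}"` inside the loop is unchecked, so if the chmod fails (for example on a mount that rejects the mode change) the path stays world-readable while the script prints nothing and still exits 0 — a hardening step that fails open silently. I would record and propagate the failure, e.g. `chmod og-rwx -- "${i}" || { echo "ERROR: could not restrict ${i}." >&2; status=1; }` with `status=0` set before the loop and `exit "${status}"` after `done`, and send the existing "could not be found" message to stderr as well. This also only changes the in-memory mode of the currently mounted sysfs/procfs, so it presumably has to be re-applied after every boot or remount of /sys and /proc; a header comment stating what triggers the script (a systemd unit, I assume — confirm) would make that dependency explicit. Unprivileged tools that read /sys (udev helpers, lscpu, battery/power tooling) will lose access; that appears to be the intent, but the header comment could say so outright.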