mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Update module disabling presentation
This commit is contained in:
Raja Grewal
parent
faa9181a6c
commit
9e6facda70
15
README.md
15
README.md
@ -200,6 +200,10 @@ modules from starting. This approach should not be considered comprehensive;
|
||||
rather, it is a form of badness enumeration. Any potential candidates for future
|
||||
disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
- Optional - Bluetooth: Disabled to reduce attack surface.
|
||||
|
||||
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
|
||||
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||
@ -207,21 +211,26 @@ disabling should first be blacklisted for a suitable amount of time.
|
||||
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
||||
Satellite Systems (GNSS).
|
||||
|
||||
- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||
Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
|
||||
- Optional - Intel Management Engine (ME): Provides some disabling of the interface
|
||||
between the Intel ME and the OS. May lead to breakages in places such as security,
|
||||
power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
|
||||
|
||||
- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
|
||||
of the Intel PMT components.
|
||||
|
||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||
|
||||
- Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
|
||||
- Network Protocols: A wide array of uncommon and legacy network protocols and drivers
|
||||
are disabled.
|
||||
|
||||
- Miscellaneous: Disable an assortment of other modules such as those required
|
||||
for amateur radio, floppy disks, and vivid.
|
||||
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
|
||||
devices like some webcams and digital camcorders.
|
||||
|
||||
### Other
|
||||
|
||||
- A systemd service clears the System.map file on boot as these contain kernel
|
||||
|
||||
@ -14,6 +14,7 @@
|
||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
##
|
||||
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
|
||||
## https://github.com/Kicksecure/security-misc/pull/145
|
||||
##
|
||||
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
|
||||
#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
|
||||
@ -43,7 +44,7 @@
|
||||
|
||||
## File Systems:
|
||||
## Disable uncommon file systems to reduce attack surface.
|
||||
## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
|
||||
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
|
||||
##
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
@ -82,13 +83,14 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
|
||||
|
||||
## Intel Management Engine (ME):
|
||||
## Partially disable the Intel ME interface with the OS.
|
||||
## ME functionality has increasing become more intertwined with basic system operation.
|
||||
## Disabling may lead to breakages places such as security, power management, display, and DRM.
|
||||
## ME functionality has increasing become more intertwined with basic Intel system operation.
|
||||
## Disabling may lead to breakages in places such as security, power management, display, and DRM.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
|
||||
## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
|
||||
## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
|
||||
## https://github.com/Kicksecure/security-misc/issues/239
|
||||
##
|
||||
#install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
|
||||
@ -219,11 +221,6 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
##
|
||||
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
##
|
||||
## USB Video Device Class:
|
||||
## Disables USB-based video streaming driver for devices like webcams and digital camcorders.
|
||||
##
|
||||
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
##
|
||||
## Vivid:
|
||||
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
|
||||
##
|
||||
@ -241,3 +238,8 @@ install vivid /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
|
||||
## USB Video Device Class:
|
||||
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
|
||||
##
|
||||
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user