Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update module disabling presentation

Browse Source
This commit is contained in:
Raja Grewal 2024-07-18 12:21:37 +10:00
parent faa9181a6c
commit 9e6facda70
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 22 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@ -200,6 +200,10 @@ modules from starting. This approach should not be considered comprehensive;
rather, it is a form of badness enumeration. Any potential candidates for future rather, it is a form of badness enumeration. Any potential candidates for future
disabling should first be blacklisted for a suitable amount of time. disabling should first be blacklisted for a suitable amount of time.
- Optional - Bluetooth: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- File Systems: Disable uncommon and legacy file systems. - File Systems: Disable uncommon and legacy file systems.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
@ -207,21 +211,26 @@ disabling should first be blacklisted for a suitable amount of time.
- GPS: Disable GPS-related modules such as those required for Global Navigation - GPS: Disable GPS-related modules such as those required for Global Navigation
Satellite Systems (GNSS). Satellite Systems (GNSS).
- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the - Optional - Intel Management Engine (ME): Provides some disabling of the interface
Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 between the Intel ME and the OS. May lead to breakages in places such as security,
power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
of the Intel PMT components. of the Intel PMT components.
- Network File Systems: Disable uncommon and legacy network file systems. - Network File Systems: Disable uncommon and legacy network file systems.
- Network Protocols: A wide array of uncommon and legacy network protocols are disabled. - Network Protocols: A wide array of uncommon and legacy network protocols and drivers
are disabled.
- Miscellaneous: Disable an assortment of other modules such as those required - Miscellaneous: Disable an assortment of other modules such as those required
for amateur radio, floppy disks, and vivid. for amateur radio, floppy disks, and vivid.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
devices like some webcams and digital camcorders.
### Other ### Other
- A systemd service clears the System.map file on boot as these contain kernel - A systemd service clears the System.map file on boot as these contain kernel

18
etc/modprobe.d/30_security-misc_disable.conf
View File

@ -14,6 +14,7 @@
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
## ##
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
## https://github.com/Kicksecure/security-misc/pull/145
## ##
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc #install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
@ -43,7 +44,7 @@
## File Systems: ## File Systems:
## Disable uncommon file systems to reduce attack surface. ## Disable uncommon file systems to reduce attack surface.
## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
## ##
install cramfs /usr/bin/disabled-filesys-by-security-misc install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc
@ -82,13 +83,14 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
## Intel Management Engine (ME): ## Intel Management Engine (ME):
## Partially disable the Intel ME interface with the OS. ## Partially disable the Intel ME interface with the OS.
## ME functionality has increasing become more intertwined with basic system operation. ## ME functionality has increasing become more intertwined with basic Intel system operation.
## Disabling may lead to breakages places such as security, power management, display, and DRM. ## Disabling may lead to breakages in places such as security, power management, display, and DRM.
## ##
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
## https://github.com/Kicksecure/security-misc/issues/239
## ##
#install mei /usr/bin/disabled-intelme-by-security-misc #install mei /usr/bin/disabled-intelme-by-security-misc
#install mei-gsc /usr/bin/disabled-intelme-by-security-misc #install mei-gsc /usr/bin/disabled-intelme-by-security-misc
@ -219,11 +221,6 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
## ##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc install floppy /usr/bin/disabled-miscellaneous-by-security-misc
## ##
## USB Video Device Class:
## Disables USB-based video streaming driver for devices like webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
##
## Vivid: ## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
## ##
@ -241,3 +238,8 @@ install vivid /usr/bin/disabled-miscellaneous-by-security-misc
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc