mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Merge remote-tracking branch 'origin/master'
commit
a40a04aaec
40
debian/control
vendored
@ -97,9 +97,47 @@ Description: enhances misc security settings
|
||||
.
|
||||
All mitigations for the MDS vulnerability are enabled.
|
||||
.
|
||||
Uncommon network protocols are blacklisted as they are rarely used and
|
||||
Uncommon network protocols are blacklisted in /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and
|
||||
may have unknown vulnerabilities.
|
||||
.
|
||||
The network protocols that are blacklisted are
|
||||
.
|
||||
* DCCP - Datagram Congestion Control Protocol
|
||||
.
|
||||
* SCTP - Stream Control Transmission Protocol
|
||||
.
|
||||
* RDS - Reliable Datagram Sockets
|
||||
.
|
||||
* TIPC - Transparent Inter-process Communication
|
||||
.
|
||||
* HDLC - High-Level Data Link Control
|
||||
.
|
||||
* AX25 - Amateur X.25
|
||||
.
|
||||
* NetRom
|
||||
.
|
||||
* X25
|
||||
.
|
||||
* ROSE
|
||||
.
|
||||
* DECnet
|
||||
.
|
||||
* Econet
|
||||
.
|
||||
* af_802154 - IEEE 802.15.4
|
||||
.
|
||||
* IPX - Internetwork Packet Exchange
|
||||
.
|
||||
* AppleTalk
|
||||
.
|
||||
* PSNAP - Subnetwork Access Protocol
|
||||
.
|
||||
* p8023 - Novell raw IEEE 802.3
|
||||
.
|
||||
* LLC - IEEE 802.2
|
||||
.
|
||||
* p8022 - IEEE 802.2
|
||||
.
|
||||
The kernel logs are restricted to root only.
|
||||
.
|
||||
A systemd service clears System.map on boot as these contain kernel symbols
|
||||
|
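Review bot: The rewritten description line "Uncommon network protocols are blacklisted in /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and" runs well past the length of the surrounding description lines and should be rewrapped. The list that follows mixes protocol names (DCCP, SCTP, RDS) with kernel module names (af_802154, p8023, p8022), and "LLC" and "p8022" carry the same gloss "IEEE 802.2"; giving the module name for every entry would let a reader match each item to its line in the .conf file. Because the list duplicates that file, it has to be updated whenever the file changes, so consider referring to the file alone.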
@ -1,4 +1,11 @@
|
||||
# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
||||
#
|
||||
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
|
||||
#
|
||||
# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
|
||||
#
|
||||
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
|
||||
#
|
||||
install dccp /bin/true
|
||||
install sctp /bin/true
|
||||
install rds /bin/true
|
||||
|
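Review bot: On the "install dccp /bin/true" lines (likewise sctp and rds), modprobe runs /bin/true in place of loading the module and therefore reports success, so a caller cannot tell that the load was refused. Use /bin/false if the failure should be visible, or state in the header comment that silent success is intended. In the same header, "vulnerabilties" is misspelled, and the quoted Tails text keeps its footnote markers [1] and [2] without the links they point to. The debian/control description calls these protocols "blacklisted" while this file uses install overrides rather than blacklist directives; the two wordings could be aligned.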