mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 18:29:27 -05:00
Merge remote-tracking branch 'raja/modprobe'
This commit is contained in:
Patrick Schleizer
commit
ad860063ab
11
README.md
11
README.md
@ -124,16 +124,16 @@ modules for the user, like drivers etc., given they are plugged in on startup.
|
||||
|
||||
#### Blacklist and disable kernel modules
|
||||
|
||||
Conntrack: Deactivates Netfilter's connection tracking helper module which
|
||||
increases kernel attack surface by enabling superfluous functionality such
|
||||
as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`.
|
||||
|
||||
Certain kernel modules are blacklisted by default to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
|
||||
modules from automatically starting.
|
||||
|
||||
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||
|
||||
- Conntrack: Deactivates Netfilter's connection tracking helper - this module
|
||||
increases kernel attack surface by enabling superfluous functionality such
|
||||
as IRC parsing in the kernel. Hence, this feature is disabled.
|
||||
|
||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
|
||||
@ -143,7 +143,8 @@ modules from automatically starting.
|
||||
Specific kernel modules are entirely disabled to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
||||
modules from starting. This approach should not be considered comprehensive,
|
||||
rather it is a form of badness enumeration.
|
||||
rather it is a form of badness enumeration. Any potential candidates for future
|
||||
disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
|
||||
2
debian/security-misc.maintscript
vendored
2
debian/security-misc.maintscript
vendored
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
|
||||
rm_conffile /etc/sysctl.d/tcp_hardening.conf
|
||||
rm_conffile /etc/sysctl.d/tcp_sack.conf
|
||||
|
||||
## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
|
||||
## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
|
||||
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
|
||||
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
|
||||
rm_conffile /etc/modprobe.d/vivid.conf
|
||||
|
||||
@ -11,24 +11,20 @@
|
||||
## CD-ROM/DVD:
|
||||
## Blacklist CD-ROM and DVD modules.
|
||||
## Do not disable by default for potential future ISO plans.
|
||||
##
|
||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
||||
#
|
||||
##
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
#
|
||||
##
|
||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
|
||||
## Conntrack:
|
||||
## Disable automatic conntrack helper assignment.
|
||||
## https://phabricator.whonix.org/T486
|
||||
#
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
|
||||
## Framebuffer Drivers:
|
||||
##
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
#
|
||||
##
|
||||
blacklist aty128fb
|
||||
blacklist atyfb
|
||||
blacklist cirrusfb
|
||||
@ -59,9 +55,10 @@ blacklist vt8623fb
|
||||
blacklist udlfb
|
||||
|
||||
## Miscellaneous:
|
||||
##
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
#
|
||||
##
|
||||
blacklist ath_pci
|
||||
blacklist amd76x_edac
|
||||
blacklist asus_acpi
|
||||
|
||||
11
etc/modprobe.d/30_security-misc_conntrack.conf
Normal file
11
etc/modprobe.d/30_security-misc_conntrack.conf
Normal file
@ -0,0 +1,11 @@
|
||||
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Conntrack:
|
||||
## Disable Netfilter's automatic connection tracking helper assignment.
|
||||
## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.
|
||||
##
|
||||
## https://conntrack-tools.netfilter.org/manual.html
|
||||
## https://forums.whonix.org/t/disable-conntrack-helper/18917
|
||||
##
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
@ -10,24 +10,26 @@
|
||||
|
||||
## Bluetooth:
|
||||
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
#
|
||||
##
|
||||
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
|
||||
#
|
||||
##
|
||||
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
|
||||
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
|
||||
|
||||
## CPU Model-Specific Registers (MSRs):
|
||||
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
##
|
||||
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
|
||||
## https://github.com/Kicksecure/security-misc/issues/215
|
||||
#
|
||||
##
|
||||
#install msr /usr/bin/disabled-msr-by-security-misc
|
||||
|
||||
## File Systems:
|
||||
## Disable uncommon file systems to reduce attack surface.
|
||||
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
|
||||
#
|
||||
##
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfs /usr/bin/disabled-filesys-by-security-misc
|
||||
@ -37,8 +39,9 @@ install udf /usr/bin/disabled-filesys-by-security-misc
|
||||
|
||||
## FireWire (IEEE 1394):
|
||||
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
|
||||
#
|
||||
##
|
||||
install dv1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
@ -51,7 +54,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
|
||||
## Global Positioning Systems (GPS):
|
||||
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
|
||||
#
|
||||
##
|
||||
install gnss /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-serial /usr/bin/disabled-gps-by-security-misc
|
||||
@ -61,14 +64,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
|
||||
|
||||
## Intel Management Engine (ME):
|
||||
## Partially disable the Intel ME interface with the OS.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
#
|
||||
##
|
||||
install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
install mei-me /usr/bin/disabled-intelme-by-security-misc
|
||||
|
||||
## Network File Systems:
|
||||
## Disable uncommon network file systems to reduce attack surface.
|
||||
#
|
||||
##
|
||||
install cifs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
|
||||
@ -78,10 +82,11 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
|
||||
## Network Protocols:
|
||||
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
|
||||
##
|
||||
## https://tails.boum.org/blueprint/blacklist_modules/
|
||||
## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
|
||||
#
|
||||
##
|
||||
install af_802154 /usr/bin/disabled-network-by-security-misc
|
||||
install appletalk /usr/bin/disabled-network-by-security-misc
|
||||
install atm /usr/bin/disabled-network-by-security-misc
|
||||
@ -103,17 +108,19 @@ install tipc /usr/bin/disabled-network-by-security-misc
|
||||
install x25 /usr/bin/disabled-network-by-security-misc
|
||||
|
||||
## Miscellaneous:
|
||||
#
|
||||
##
|
||||
## Vivid:
|
||||
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
|
||||
##
|
||||
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
#
|
||||
##
|
||||
install vivid /usr/bin/disabled-vivid-by-security-misc
|
||||
|
||||
## Thunderbolt:
|
||||
## Disables Thunderbolt modules to prevent some DMA attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
|
||||
#
|
||||
##
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user