From b02230a783941da412be72fb52053db0c6b8010f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 02:42:37 +1000
Subject: [PATCH] Split modprobe into blacklisted and disabled configurations
---
README.md | 7 +-
debian/security-misc.maintscript | 2 +-
.../30_security-misc_blacklist.conf | 80 +++++++++++++++++++
...isc.conf => 30_security-misc_disable.conf} | 71 ----------------
usr/bin/disabled-bluetooth-by-security-misc | 2 +-
usr/bin/disabled-cdrom-by-security-misc | 2 +-
usr/bin/disabled-filesys-by-security-misc | 2 +-
usr/bin/disabled-firewire-by-security-misc | 2 +-
usr/bin/disabled-gps-by-security-misc | 2 +-
usr/bin/disabled-intelme-by-security-misc | 2 +-
usr/bin/disabled-netfilesys-by-security-misc | 2 +-
usr/bin/disabled-network-by-security-misc | 2 +-
usr/bin/disabled-thunderbolt-by-security-misc | 2 +-
usr/bin/disabled-vivid-by-security-misc | 3 +-
14 files changed, 96 insertions(+), 85 deletions(-)
create mode 100644 etc/modprobe.d/30_security-misc_blacklist.conf
rename etc/modprobe.d/{30_security-misc.conf => 30_security-misc_disable.conf} (77%)
diff --git a/README.md b/README.md
index 5c9df4a..7601260 100644
--- a/README.md
+++ b/README.md
@@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. -#### Disables and blacklists kernel modules +#### Blacklist and disable kernel modules -Certain kernel modules are disabled and blacklisted by default to reduce attack -surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. +Certain kernel modules are blacklisted and disabled by default to reduce attack +surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and +`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. - Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f64e762..4279cf2 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 1 file /etc/modprobe.d/30_security-misc.conf +## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf new file mode 100644 index 0000000..f516fe2 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
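Review bot: The maintscript hunk only rewrites the comment; the conffile rename this commit performs (`/etc/modprobe.d/30_security-misc.conf` to `30_security-misc_disable.conf`) gets no `mv_conffile` or `rm_conffile` entry, so on upgrade dpkg will leave the old `30_security-misc.conf` on disk as an obsolete conffile and modprobe will keep reading its directives alongside the two new files. Unless an entry for it already exists elsewhere in the file (outside this hunk), add `mv_conffile /etc/modprobe.d/30_security-misc.conf /etc/modprobe.d/30_security-misc_disable.conf` next to the existing `rm_conffile` lines, in the style the file already uses. Stale duplicate directives are harmless here, but the old file will still tell a reader it is the single merged configuration, which the new comment says is no longer true.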
@@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc_disable.conf
similarity index 77%
rename from etc/modprobe.d/30_security-misc.conf
rename to etc/modprobe.d/30_security-misc_disable.conf
index a4e8baa..0a676d1 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
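Review bot: The `options nf_conntrack nf_conntrack_helper=0` line under `## Conntrack:` is a module parameter, not a `blacklist` entry, so it falls outside the scope this file's header describes and nothing tells a reader why it lives in the blacklist file rather than the disable file; a one-line comment such as `## Module option, not a blacklist entry; kept here because it is not an install override either.` or moving the section would make the split self-explanatory. The header line `## Blacklisting prevents kernel modules from automatically starting.` would also serve defenders better if it stated the limit of the mechanism, e.g. `## blacklist only stops alias-based automatic loading; a blacklisted module can still be loaded explicitly or as a dependency of another module.`, which is exactly why the CD-ROM section says it is not disabled. Finally, the commented `#install cdrom` / `#install sr_mod` lines here point at a script whose message (updated in this same patch) names `30_security-misc_disable.conf`, so if they are ever uncommented in this file the message will send users to the wrong place; either note that or keep the commented lines in the disable file.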
@@ -8,77 +8,6 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# -blacklist cdrom -blacklist sr_mod -# -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Connection Tracking: -## Disable automatic conntrack helper assignment. -## https://phabricator.whonix.org/T486 -# -options nf_conntrack nf_conntrack_helper=0 - -## Framebuffer Drivers: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - -## Miscellaneous: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# -blacklist ath_pci -blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx -blacklist eepro100 -blacklist eth1394 -blacklist evbug -blacklist de4x5 -blacklist garmin_gps -blacklist pcspkr -blacklist prism54 -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse - ## Bluetooth: ## Disable Bluetooth to reduce attack 
surface due to extended history of security vulnerabilities. ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 8091b45..7e011e3 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 13e4592..55f4b0c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index b5b2426..6c7dd5a 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
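Review bot: The retained header comment `## Alerts the user that a kernel module failed to load due to it being blacklisted by default.` now contradicts both the new echo line and the file it points to, because this commit makes blacklisting (`blacklist`, autoload only) and disabling (the `install` overrides that, judging by the commented `#install cdrom ...` lines, are what invoke these scripts) two distinct mechanisms; `## Alerts the user that a kernel module failed to load due to it being disabled by default.` would match the message. The same comment sits above the changed line in every disabled-*-by-security-misc hunk of this patch (cdrom, filesys, firewire, gps, intelme, netfilesys, network, thunderbolt, vivid), so one pass over all of them is warranted. For disabled-cdrom-by-security-misc in particular, the only `install cdrom` / `install sr_mod` lines in this patch are the commented-out ones placed in `30_security-misc_blacklist.conf`, so its new message names a file that does not hold its directives.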
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index dbcc7ce..cbde5d1 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 90b7076..f1a24bf 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 47bdcb1..0913fcf 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index e62f0c0..bbb57a8 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index f00086e..8035522 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index d153ceb..98f0840 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index aa7c639..4a9855e 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -5,6 +5,7 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable +.conf | args: $@" >&2 exit 1
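Review bot: In the disabled-vivid-by-security-misc hunk the replacement echo line is split after `30_security-misc_disable`, with `.conf | args: $@" >&2` arriving as a second `+` line; the hunk header `-5,6 +5,7` and the diffstat's `3 +-` for this file confirm the script really gained a line, so the double-quoted string now carries an embedded newline and the error message prints the configuration path broken across two lines. Every other script in this patch keeps the message on one line, and this one should too: `echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2`. The network and thunderbolt hunks on this line are fine apart from the shared header-comment point raised on the bluetooth hunk.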