Split modprobe into blacklisted and disabled configurations
This commit is contained in:
parent
fc792ff232
commit
b02230a783
14 changed files with 96 additions and 85 deletions
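--- /dev/null
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse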
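Review bot: The two-line explanation at the top of the new file ("Blacklisting prevents kernel modules from automatically starting") should state what a `blacklist` line does not stop, because this is the file whose entries are live while the `install ... /usr/bin/disabled-cdrom-by-security-misc` lines are left commented out: a blacklisted module is still loaded by an explicit `modprobe` from root, is still pulled in as a dependency of a non-blacklisted module (`sr_mod` depends on `cdrom`), and none of these lines do anything for a driver the running kernel has built in. I would replace those two lines with `## Blacklisting only stops udev/alias autoloading; an explicit modprobe, a dependency of another module, or a built-in driver is unaffected.` and `## Disabling (install <module> /usr/bin/disabled-...) makes modprobe run that command instead of loading the module, dependencies included; only a direct insmod/finit_module by root bypasses it.` The `options nf_conntrack nf_conntrack_helper=0` line is neither a blacklist nor a disable and is easy to overlook in a file named `_blacklist`; I would add above it `## Module option, not a blacklist entry. No effect if nf_conntrack is built in (then use nf_conntrack.nf_conntrack_helper=0 on the kernel command line); an unknown module parameter is only logged and ignored, so verify the target kernel still accepts it.` so the caveat stays next to the line it qualifies.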
@ -8,77 +8,6 @@
|
|||
## Blacklisting prevents kernel modules from automatically starting.
|
||||
## Disabling prohibits kernel modules from starting.
|
||||
|
||||
## CD-ROM/DVD:
|
||||
## Blacklist CD-ROM and DVD modules.
|
||||
## Do not disable by default for potential future ISO plans.
|
||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
||||
#
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
#
|
||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
|
||||
## Connection Tracking:
|
||||
## Disable automatic conntrack helper assignment.
|
||||
## https://phabricator.whonix.org/T486
|
||||
#
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
|
||||
## Framebuffer Drivers:
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
#
|
||||
blacklist aty128fb
|
||||
blacklist atyfb
|
||||
blacklist cirrusfb
|
||||
blacklist cyber2000fb
|
||||
blacklist cyblafb
|
||||
blacklist gx1fb
|
||||
blacklist hgafb
|
||||
blacklist i810fb
|
||||
blacklist intelfb
|
||||
blacklist kyrofb
|
||||
blacklist lxfb
|
||||
blacklist matroxfb_bases
|
||||
blacklist neofb
|
||||
blacklist nvidiafb
|
||||
blacklist pm2fb
|
||||
blacklist radeonfb
|
||||
blacklist rivafb
|
||||
blacklist s1d13xxxfb
|
||||
blacklist savagefb
|
||||
blacklist sisfb
|
||||
blacklist sstfb
|
||||
blacklist tdfxfb
|
||||
blacklist tridentfb
|
||||
blacklist vesafb
|
||||
blacklist vfb
|
||||
blacklist viafb
|
||||
blacklist vt8623fb
|
||||
blacklist udlfb
|
||||
|
||||
## Miscellaneous:
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
#
|
||||
blacklist ath_pci
|
||||
blacklist amd76x_edac
|
||||
blacklist asus_acpi
|
||||
blacklist bcm43xx
|
||||
blacklist eepro100
|
||||
blacklist eth1394
|
||||
blacklist evbug
|
||||
blacklist de4x5
|
||||
blacklist garmin_gps
|
||||
blacklist pcspkr
|
||||
blacklist prism54
|
||||
blacklist snd_aw2
|
||||
blacklist snd_intel8x0m
|
||||
blacklist snd_pcsp
|
||||
blacklist usbkbd
|
||||
blacklist usbmouse
|
||||
|
||||
## Bluetooth:
|
||||
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|