Split modprobe into blacklisted and disabled configurations

This commit is contained in:
Raja Grewal 2024-07-12 02:42:37 +10:00
parent fc792ff232
commit b02230a783
GPG Key ID: 92CA473C156B64C4
14 changed files with 96 additions and 85 deletions


@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly
within systemctl, it does not break the loading of legitimate and necessary within systemctl, it does not break the loading of legitimate and necessary
modules for the user, like drivers etc., given they are plugged in on startup. modules for the user, like drivers etc., given they are plugged in on startup.
#### Disables and blacklists kernel modules #### Blacklist and disable kernel modules
Certain kernel modules are disabled and blacklisted by default to reduce attack Certain kernel modules are blacklisted and disabled by default to reduce attack
surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and
`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively.
- Deactivates Netfilter's connection tracking helper - this module increases - Deactivates Netfilter's connection tracking helper - this module increases
kernel attack surface by enabling superfluous functionality such as IRC kernel attack surface by enabling superfluous functionality such as IRC


@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf
rm_conffile /etc/sysctl.d/tcp_sack.conf rm_conffile /etc/sysctl.d/tcp_sack.conf
## merged into 1 file /etc/modprobe.d/30_security-misc.conf ## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
rm_conffile /etc/modprobe.d/vivid.conf rm_conffile /etc/modprobe.d/vivid.conf
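Review bot: The maintscript comment now names the two new conffiles, but no `rm_conffile` is added for the old combined `/etc/modprobe.d/30_security-misc.conf`; if that path is no longer shipped (this page shows no file names in its section headers, so the rename is inferred from the error scripts now pointing at `30_security-misc_disable.conf`), dpkg leaves the old file on disk as an obsolete conffile and modprobe keeps reading its entries alongside the split files. If the old path is indeed dropped, add `rm_conffile /etc/modprobe.d/30_security-misc.conf` next to the other removals, mirroring their form; if the file is kept and only trimmed, say so in the comment so the next reader does not have to ask. The rm_conffile list continues outside the hunk.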


@ -0,0 +1,80 @@
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## See the following links for a community discussion and overview regarding the selections.
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.
## CD-ROM/DVD:
## Blacklist CD-ROM and DVD modules.
## Do not disable by default for potential future ISO plans.
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#
blacklist cdrom
blacklist sr_mod
#
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Conntrack:
## Disable automatic conntrack helper assignment.
## https://phabricator.whonix.org/T486
#
options nf_conntrack nf_conntrack_helper=0
## Framebuffer Drivers:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
#
blacklist aty128fb
blacklist atyfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist i810fb
blacklist intelfb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_bases
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist radeonfb
blacklist rivafb
blacklist s1d13xxxfb
blacklist savagefb
blacklist sisfb
blacklist sstfb
blacklist tdfxfb
blacklist tridentfb
blacklist vesafb
blacklist vfb
blacklist viafb
blacklist vt8623fb
blacklist udlfb
## Miscellaneous:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
#
blacklist ath_pci
blacklist amd76x_edac
blacklist asus_acpi
blacklist bcm43xx
blacklist eepro100
blacklist eth1394
blacklist evbug
blacklist de4x5
blacklist garmin_gps
blacklist pcspkr
blacklist prism54
blacklist snd_aw2
blacklist snd_intel8x0m
blacklist snd_pcsp
blacklist usbkbd
blacklist usbmouse
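Review bot: The header of the new blacklist file explains both blacklisting and disabling, yet the file holds only `blacklist` lines, two commented-out `#install` lines for cdrom/sr_mod, and `options nf_conntrack nf_conntrack_helper=0`, which is neither; a reader cannot tell from this file where `install`-based disabling lives or why the conntrack option sits here rather than in the disable file. Suggest adding after the two mechanism lines `## This file holds blacklist entries and module options only; install-based disabling lives in /etc/modprobe.d/30_security-misc_disable.conf.`, and since the `#install cdrom`/`#install sr_mod` lines would become disable directives if ever uncommented, either move them to the disable file or note that in the CD-ROM comment. Minor: the section label changed from `## Connection Tracking:` in the old file to `## Conntrack:` here; keep one spelling so the two files read as a pair. The hunk header counts 80 added lines but fewer are shown, so blank lines are presumably dropped by the rendering.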


@ -8,77 +8,6 @@
## Blacklisting prevents kernel modules from automatically starting. ## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting. ## Disabling prohibits kernel modules from starting.
## CD-ROM/DVD:
## Blacklist CD-ROM and DVD modules.
## Do not disable by default for potential future ISO plans.
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#
blacklist cdrom
blacklist sr_mod
#
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Connection Tracking:
## Disable automatic conntrack helper assignment.
## https://phabricator.whonix.org/T486
#
options nf_conntrack nf_conntrack_helper=0
## Framebuffer Drivers:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
#
blacklist aty128fb
blacklist atyfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist i810fb
blacklist intelfb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_bases
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist radeonfb
blacklist rivafb
blacklist s1d13xxxfb
blacklist savagefb
blacklist sisfb
blacklist sstfb
blacklist tdfxfb
blacklist tridentfb
blacklist vesafb
blacklist vfb
blacklist viafb
blacklist vt8623fb
blacklist udlfb
## Miscellaneous:
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
#
blacklist ath_pci
blacklist amd76x_edac
blacklist asus_acpi
blacklist bcm43xx
blacklist eepro100
blacklist eth1394
blacklist evbug
blacklist de4x5
blacklist garmin_gps
blacklist pcspkr
blacklist prism54
blacklist snd_aw2
blacklist snd_intel8x0m
blacklist snd_pcsp
blacklist usbkbd
blacklist usbmouse
## Bluetooth: ## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1
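Review bot: The comment above the echo still says the module failed to load "due to it being blacklisted by default", while the message and the new file name `30_security-misc_disable.conf` describe disabling, which the new blacklist file's header treats as a distinct mechanism; these scripts are the targets of `install` lines (the commented `#install cdrom /usr/bin/disabled-cdrom-by-security-misc` entry shows the pattern), so the comment should read `## Alerts the user that a kernel module failed to load due to it being disabled by default.`. The same stale comment appears in the CD-ROM, file system, firewire, GNSS, Intel ME, network file system, network protocol, thunderbolt and vivid script hunks below. Minor: `$@` inside a larger double-quoted string splits the arguments into separate words; `$*` is the form intended for joining them into one message, e.g. `| args: $*" >&2`.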


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,6 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
exit 1 exit 1


@ -5,6 +5,7 @@
## Alerts the user that a kernel module failed to load due to it being blacklisted by default. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable
.conf | args: $@" >&2
exit 1 exit 1