Split modprobe into blacklisted and disabled configurations
parent
fc792ff232
commit
b02230a783
@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly
|
|||||||
within systemctl, it does not break the loading of legitimate and necessary
|
within systemctl, it does not break the loading of legitimate and necessary
|
||||||
modules for the user, like drivers etc., given they are plugged in on startup.
|
modules for the user, like drivers etc., given they are plugged in on startup.
|
||||||
|
|
||||||
#### Disables and blacklists kernel modules
|
#### Blacklist and disable kernel modules
|
||||||
|
|
||||||
Certain kernel modules are disabled and blacklisted by default to reduce attack
|
Certain kernel modules are blacklisted and disabled by default to reduce attack
|
||||||
surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
|
surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and
|
||||||
|
`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively.
|
||||||
|
|
||||||
- Deactivates Netfilter's connection tracking helper - this module increases
|
- Deactivates Netfilter's connection tracking helper - this module increases
|
||||||
kernel attack surface by enabling superfluous functionality such as IRC
|
kernel attack surface by enabling superfluous functionality such as IRC
|
||||||
|
2
debian/security-misc.maintscript
vendored
2
debian/security-misc.maintscript
vendored
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
|
|||||||
rm_conffile /etc/sysctl.d/tcp_hardening.conf
|
rm_conffile /etc/sysctl.d/tcp_hardening.conf
|
||||||
rm_conffile /etc/sysctl.d/tcp_sack.conf
|
rm_conffile /etc/sysctl.d/tcp_sack.conf
|
||||||
|
|
||||||
## merged into 1 file /etc/modprobe.d/30_security-misc.conf
|
## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
|
||||||
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
|
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
|
||||||
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
|
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
|
||||||
rm_conffile /etc/modprobe.d/vivid.conf
|
rm_conffile /etc/modprobe.d/vivid.conf
|
||||||
|
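Review bot: Nothing visible in this hunk removes the old `/etc/modprobe.d/30_security-misc.conf` that this commit splits in two; only the comment above the `rm_conffile` list changes. If that file was shipped as a dpkg conffile, upgraded systems would presumably keep it as an obsolete conffile next to the two new files. A user who later comments out an `install` line in `30_security-misc_disable.conf` would then still find the module blocked by the stale copy. Consider adding `rm_conffile /etc/modprobe.d/30_security-misc.conf` to this list, unless that is already handled in a part of the file outside the hunk.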
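--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse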
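Review bot: The commented-out `#install cdrom /usr/bin/disabled-cdrom-by-security-misc` and `#install sr_mod /usr/bin/disabled-cdrom-by-security-misc` lines sit in this blacklist file, but the CD-ROM script's message in this same commit now points users to `/etc/modprobe.d/30_security-misc_disable.conf`. Someone who uncomments them here will be sent to the wrong file when the load is refused; either move the commented lines into the disable file or add a comment saying where they live. The header's one-line definitions could also spell out the practical difference, for example `## Blacklisting only stops alias-based autoloading; the module can still be loaded by name or as a dependency.` This matters for the CD-ROM entries, which cite CVE-2018-11506 yet stay loadable on request.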
@ -8,77 +8,6 @@
|
|||||||
## Blacklisting prevents kernel modules from automatically starting.
|
## Blacklisting prevents kernel modules from automatically starting.
|
||||||
## Disabling prohibits kernel modules from starting.
|
## Disabling prohibits kernel modules from starting.
|
||||||
|
|
||||||
## CD-ROM/DVD:
|
|
||||||
## Blacklist CD-ROM and DVD modules.
|
|
||||||
## Do not disable by default for potential future ISO plans.
|
|
||||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
|
||||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
|
||||||
#
|
|
||||||
blacklist cdrom
|
|
||||||
blacklist sr_mod
|
|
||||||
#
|
|
||||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
|
||||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
|
||||||
|
|
||||||
## Connection Tracking:
|
|
||||||
## Disable automatic conntrack helper assignment.
|
|
||||||
## https://phabricator.whonix.org/T486
|
|
||||||
#
|
|
||||||
options nf_conntrack nf_conntrack_helper=0
|
|
||||||
|
|
||||||
## Framebuffer Drivers:
|
|
||||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
|
||||||
#
|
|
||||||
blacklist aty128fb
|
|
||||||
blacklist atyfb
|
|
||||||
blacklist cirrusfb
|
|
||||||
blacklist cyber2000fb
|
|
||||||
blacklist cyblafb
|
|
||||||
blacklist gx1fb
|
|
||||||
blacklist hgafb
|
|
||||||
blacklist i810fb
|
|
||||||
blacklist intelfb
|
|
||||||
blacklist kyrofb
|
|
||||||
blacklist lxfb
|
|
||||||
blacklist matroxfb_bases
|
|
||||||
blacklist neofb
|
|
||||||
blacklist nvidiafb
|
|
||||||
blacklist pm2fb
|
|
||||||
blacklist radeonfb
|
|
||||||
blacklist rivafb
|
|
||||||
blacklist s1d13xxxfb
|
|
||||||
blacklist savagefb
|
|
||||||
blacklist sisfb
|
|
||||||
blacklist sstfb
|
|
||||||
blacklist tdfxfb
|
|
||||||
blacklist tridentfb
|
|
||||||
blacklist vesafb
|
|
||||||
blacklist vfb
|
|
||||||
blacklist viafb
|
|
||||||
blacklist vt8623fb
|
|
||||||
blacklist udlfb
|
|
||||||
|
|
||||||
## Miscellaneous:
|
|
||||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
|
||||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
|
||||||
#
|
|
||||||
blacklist ath_pci
|
|
||||||
blacklist amd76x_edac
|
|
||||||
blacklist asus_acpi
|
|
||||||
blacklist bcm43xx
|
|
||||||
blacklist eepro100
|
|
||||||
blacklist eth1394
|
|
||||||
blacklist evbug
|
|
||||||
blacklist de4x5
|
|
||||||
blacklist garmin_gps
|
|
||||||
blacklist pcspkr
|
|
||||||
blacklist prism54
|
|
||||||
blacklist snd_aw2
|
|
||||||
blacklist snd_intel8x0m
|
|
||||||
blacklist snd_pcsp
|
|
||||||
blacklist usbkbd
|
|
||||||
blacklist usbmouse
|
|
||||||
|
|
||||||
## Bluetooth:
|
## Bluetooth:
|
||||||
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
||||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
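Review bot: The comment kept above the changed `echo` still says the module failed to load "due to it being blacklisted by default", while the message says "disabled" and now points to `30_security-misc_disable.conf`. Since this commit treats blacklisting and disabling as separate mechanisms, the comment should read `## Alerts the user that a kernel module failed to load due to it being disabled by default.` The same stale comment appears in the nine script hunks that follow (CD-ROM, file system, firewire, GNSS, Intel ME, network file system, network protocol, thunderbolt, vivid). Separately, `$@` embedded in a double-quoted string with other text is better written as `$*`, so the arguments are joined into the single message word (ShellCheck SC2145).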
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
|
|
||||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||||
|
|
||||||
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable
|
||||||
|
.conf | args: $@" >&2
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
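Review bot: The new `echo` line appears to be broken in the middle of the file name: the string stops at `30_security-misc_disable` and `.conf | args: $@" >&2` follows on a line of its own. That is consistent with the hunk header growing from 6 to 7 lines, so it is probably not a rendering wrap. Inside double quotes the newline is printed literally, so the user would see a configuration path split across two lines that cannot be copied as is. Join the two lines so the message ends `See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2`, matching the other nine scripts.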