Merge branch 'Kicksecure:master' into harden

This commit is contained in:
Raja Grewal 2022-07-18 13:36:23 +00:00 committed by GitHub
commit c4a1094760
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 502 additions and 61 deletions


@ -89,15 +89,24 @@ TLB invalidation so devices will never be able to access stale data contents.
* Distrust the 'randomly' generated CPU and bootloader seeds.
### Blacklisted kernel modules
### Disables and blacklists kernel modules
Certain kernel modules are blacklisted to reduce attack surface via the
Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the
`/etc/modprobe.d/30_security-misc.conf` configuration file.
* Deactivates Netfilter's connection tracking helper - this module
increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled.
* Bluetooth is disabled to reduce attack surface. Bluetooth has
a lengthy history of security concerns.
* Thunderbolt and numerous FireWire kernel modules are also disabled as they are
often vulnerable to DMA attacks.
* The MSR kernel module is disabled to prevent CPU MSRs from being
abused to write to arbitrary memory.
* Uncommon network protocols are blacklisted. This includes:
DCCP - Datagram Congestion Control Protocol
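Review bot: the new heading "Disables and blacklists kernel modules" and the bullets that now say a module "is disabled" never explain how disabling differs from blacklisting, even though the section uses both terms; a one-line definition after the sentence naming `/etc/modprobe.d/30_security-misc.conf` would settle it, for example "Disabled modules cannot be loaded at all, even manually; blacklisted modules are only prevented from loading automatically." (the second hunk's Ubuntu bullet already relies on that distinction with "they are still permitted to load"). That definition also matters because Bluetooth, Thunderbolt/FireWire and MSR appear here as "disabled" while the second hunk's lines for the same modules say "blacklisted", so a reader should be told this is a tightening of behaviour rather than a rewording. Minor: "Deactivates Netfilter's connection tracking helper" is the only bullet in the imperative third person; the rest use "is disabled", so pick one form.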
@ -138,17 +147,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled.
ATM
* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has
a history of security concerns.
* The Thunderbolt and FireWire kernel modules are blacklisted as they are
often vulnerable to DMA attacks.
* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
* The vivid kernel module is only required for testing and has been the cause
of multiple vulnerabilities so it is blacklisted.
of multiple vulnerabilities so it is disabled.
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
abused to write to arbitrary memory.
* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load.
* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet.
### Other
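Review bot: two wording defects in the added bullets: "the modules needed to use of CD-ROM devices" should read "the modules needed to use CD-ROM devices", and "that reduces the attack surface especially against legacy approaches" has no subject and a vague object, e.g. "which reduces the attack surface exposed by legacy and rarely used file system drivers". "Not completely disabled yet." and "Provides some disabling of the interface" read as notes-to-self; README text should state what is actually configured (which CD-ROM modules are blocked from auto-loading, and whether the ME interface is blacklisted or fully disabled) or be left out until the change is finished. The Ubuntu bullet's "However, they are still permitted to load." is the one place the blacklist/disable distinction is stated; it is worth referencing from the section's opening sentence so readers do not take the two terms as synonyms.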