Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-04-26 23:39:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'Kicksecure:master' into harden

Browse Source
This commit is contained in:
Raja Grewal 2022-07-18 13:36:23 +00:00 committed by GitHub
commit c4a1094760
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 502 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -89,15 +89,24 @@ TLB invalidation so devices will never be able to access stale data contents.
* Distrust the 'randomly' generated CPU and bootloader seeds. * Distrust the 'randomly' generated CPU and bootloader seeds.
### Blacklisted kernel modules ### Disables and blacklists kernel modules
Certain kernel modules are blacklisted to reduce attack surface via the Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the
`/etc/modprobe.d/30_security-misc.conf` configuration file. `/etc/modprobe.d/30_security-misc.conf` configuration file.
* Deactivates Netfilter's connection tracking helper - this module * Deactivates Netfilter's connection tracking helper - this module
increases kernel attack surface by enabling superfluous functionality increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled. such as IRC parsing in the kernel. Hence, this feature is disabled.
* Bluetooth is disabled to reduce attack surface. Bluetooth has
a lengthy history of security concerns.
* Thunderbolt and numerous FireWire kernel modules are also disabled as they are
often vulnerable to DMA attacks.
* The MSR kernel module is disabled to prevent CPU MSRs from being
abused to write to arbitrary memory.
* Uncommon network protocols are blacklisted. This includes: * Uncommon network protocols are blacklisted. This includes:
DCCP - Datagram Congestion Control Protocol DCCP - Datagram Congestion Control Protocol
@ -138,17 +147,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled.
ATM ATM
* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has * Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
a history of security concerns.
* The Thunderbolt and FireWire kernel modules are blacklisted as they are
often vulnerable to DMA attacks.
* The vivid kernel module is only required for testing and has been the cause * The vivid kernel module is only required for testing and has been the cause
of multiple vulnerabilities so it is blacklisted. of multiple vulnerabilities so it is disabled.
* The MSR kernel module is blacklisted to prevent CPU MSRs from being * Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
abused to write to arbitrary memory.
* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load.
* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet.
### Other ### Other

10
bin/disabled-bluetooth-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-cdrom-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-filesys-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-firewire-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-intelme-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-msr-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-netfilesys-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-network-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-thunderbolt-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

10
bin/disabled-vivid-by-security-misc Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

221
changelog.upstream
View File

@ -1,3 +1,218 @@
commit 1fafb5f53bbec57812f535e79bfb475628cc58e3
Merge: 24d6a93 27aa523
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Jul 15 08:09:16 2022 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 27aa5231e2d1dafd89ba19c8d6becf461e781605
Merge: 24d6a93 a72bbb1
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Jul 15 08:06:08 2022 -0400
Merge pull request #112 from raja-grewal/blacklist
Corrected kernel module disabling
commit a72bbb1883613ee56be29949c153e0edb2d72a29
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Jul 13 23:42:13 2022 +1000
Corrected kerenl module disabling
commit 24d6a93eacf5b41cfb9133471049776a16a07b03
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 13 08:28:34 2022 -0400
bumped changelog version
commit 8f31e5d1d172eb117bde63702f63081da182d5c5
Merge: 6aa9a94 c410890
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 13 07:26:58 2022 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit c410890a8ade6d4be13dc99a7003f03ebded8153
Merge: 6aa9a94 fe0cc10
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 13 07:24:12 2022 -0400
Merge pull request #110 from raja-grewal/master
Incorporated Ubuntus kernel module blacklists and more verbose errors
commit fe0cc1089086273794bd6b54df3528ff78c10f6a
Author: Raja Grewal <rg_public@proton.me>
Date: Tue Jul 12 17:18:47 2022 +1000
Updated README.md
commit 48089e5ba43b0b72449f888b98b63119ed57e2fd
Author: Raja Grewal <rg_public@proton.me>
Date: Tue Jul 12 17:02:12 2022 +1000
More verbose kernel module blocking error logs
commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08
Author: Raja Grewal <rg_public@proton.me>
Date: Tue Jul 12 16:58:16 2022 +1000
Updated comments
commit ef1ef9917d896f1cd837f399def6a75704e9bfd2
Author: Raja Grewal <rg_public@proton.me>
Date: Sun Jul 10 04:53:25 2022 +1000
Blacklist automatic loading of CD-ROM modules
commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc
Author: Raja Grewal <rg_public@proton.me>
Date: Sun Jul 10 04:52:00 2022 +1000
Incorporated Ubuntus kernel module blacklists
commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:42:24 2022 -0400
bumped changelog version
commit 3b844eaab25fecf90292c88291be77abf0be694c
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:42:11 2022 -0400
output
commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:40:15 2022 -0400
output
commit adfdac6dea0e8f971c59557b383d116cd51619fd
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:40:01 2022 -0400
output
commit 1df2cfd1add8b2277cb37499ced4fbb713c17668
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:38:37 2022 -0400
comment
commit fede41e6e03c33f2f6569f03593f76edb9969e6a
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:38:04 2022 -0400
fix
commit 52c46e4706d5799d452f260616a3909c9a3bc78f
Merge: 1b8500c dc41a58
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:37:41 2022 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit dc41a58102a114e21209aabeef9ad6b851365898
Merge: 1b8500c e5f8004
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 9 11:37:57 2022 -0400
Merge pull request #108 from Krish-sysadmin/master
Continue for loop if unable to change one directory's permission
commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 17:41:13 2022 -0400
bumped changelog version
commit 277749f27b2da8d33b70fb6f88c6757fab77e636
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:49:08 2022 -0400
genmkfile debinstfile
commit eb8535fe870e79a5c818a38c414147819d32346d
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:48:39 2022 -0400
renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc
commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:39:40 2022 -0400
not blacklist CD-ROM / DVD yet
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
commit d5c16503411bee4199c35a51226fc59924d6e142
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:28:09 2022 -0400
shuffle
commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:27:15 2022 -0400
shuffle
commit d018bdaf73e109a61c0687a171af843c890729e0
Merge: 1b287a6 780dc8e
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Thu Jul 7 15:26:08 2022 -0400
Merge remote-tracking branch 'raja-gerwal/master'
commit 780dc8eec99915a7466249e219ad59c5db5f0364
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Jul 8 04:11:25 2022 +1000
replace /bin/false -> /bin/disabled-by-security-misc
commit fa2e30f5125e438250acfdc52107a936ecb7b1b4
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Jul 8 03:04:37 2022 +1000
Updated descriptions of disabled modules
commit da389d6682f6eb1d0c0172c50a4b529152384415
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Jul 8 02:12:04 2022 +1000
Revert "replace /bin/false -> /bin/true"
This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788.
commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb
Author: raja-grewal <rg_public@proton.me>
Date: Thu Jul 7 09:28:30 2022 +0000
Update README.md
commit f0511635a9725f79863c41a7b8d9f8a077ba8788
Author: raja-grewal <rg_public@proton.me>
Date: Thu Jul 7 09:27:53 2022 +0000
replace /bin/false -> /bin/true
commit 18d67dbc5309a2403bece92881e671f46dc27f86
Author: raja-grewal <rg_public@proton.me>
Date: Thu Jul 7 09:26:55 2022 +0000
Blacklist more modules
commit 1b287a6430527c762f9bf909bcda58ab52041668
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue Jul 5 11:16:33 2022 -0400
bumped changelog version
commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue Jul 5 11:05:36 2022 -0400 Date: Tue Jul 5 11:05:36 2022 -0400
@ -52,6 +267,12 @@ Date: Tue Jul 5 10:28:22 2022 -0400
add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg`
commit e5f8004a9401727f1be2db492ea756bc19090866
Author: Krish-sysadmin <kjain@fedoraproject.org>
Date: Tue Jul 5 03:37:40 2022 +0200
Update hide-hardware-info
commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jul 2 19:10:55 2022 -0400 Date: Sat Jul 2 19:10:55 2022 -0400

24
debian/changelog vendored
View File

@ -1,3 +1,27 @@
security-misc (3:25.4-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sat, 16 Jul 2022 12:00:16 +0000
security-misc (3:25.3-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 13 Jul 2022 12:28:34 +0000
security-misc (3:25.2-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sat, 09 Jul 2022 15:42:24 +0000
security-misc (3:25.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Thu, 07 Jul 2022 21:41:13 +0000
security-misc (3:25.0-1) unstable; urgency=medium security-misc (3:25.0-1) unstable; urgency=medium
* New upstream version (local package). * New upstream version (local package).

3
debian/security-misc.install vendored
View File

@ -1,8 +1,9 @@
## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## This file was generated using genmkfile 'make debinstfile'. ## This file was generated using 'genmkfile debinstfile'.
bin/*
etc/* etc/*
lib/* lib/*
usr/* usr/*

177
etc/modprobe.d/30_security-misc.conf
View File

@ -1,60 +1,145 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## See the following links for a community discussion and overview regarding the selections
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
## Disable automatic conntrack helper assignment
## https://phabricator.whonix.org/T486 ## https://phabricator.whonix.org/T486
options nf_conntrack nf_conntrack_helper=0 options nf_conntrack nf_conntrack_helper=0
# Blacklists bluetooth to reduce attack surface. ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
# Bluetooth also has a history of security vulnerabilities: ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
# install bluetooth /bin/disabled-bluetooth-by-security-misc
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install btusb /bin/disabled-bluetooth-by-security-misc
install bluetooth /bin/false
install btusb /bin/false
# Blacklist thunderbolt and firewire to prevent some DMA attacks. ## Disable thunderbolt and firewire modules to prevent some DMA attacks
install firewire-core /bin/false install thunderbolt /bin/disabled-thunderbolt-by-security-misc
install thunderbolt /bin/false install firewire-core /bin/disabled-firewire-by-security-misc
install firewire_core /bin/disabled-firewire-by-security-misc
install firewire-ohci /bin/disabled-firewire-by-security-misc
install firewire_ohci /bin/disabled-firewire-by-security-misc
install firewire_sbp2 /bin/disabled-firewire-by-security-misc
install firewire-sbp2 /bin/disabled-firewire-by-security-misc
install ohci1394 /bin/disabled-firewire-by-security-misc
install sbp2 /bin/disabled-firewire-by-security-misc
install dv1394 /bin/disabled-firewire-by-security-misc
install raw1394 /bin/disabled-firewire-by-security-misc
install video1394 /bin/disabled-firewire-by-security-misc
# Blacklist CPU MSRs as they can be abused to write to ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
# arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
install msr /bin/false install msr /bin/disabled-msr-by-security-misc
# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
# ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
# ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. install dccp /bin/disabled-network-by-security-misc
# install sctp /bin/disabled-network-by-security-misc
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. install rds /bin/disabled-network-by-security-misc
# install tipc /bin/disabled-network-by-security-misc
install dccp /bin/false install n-hdlc /bin/disabled-network-by-security-misc
install sctp /bin/false install ax25 /bin/disabled-network-by-security-misc
install rds /bin/false install netrom /bin/disabled-network-by-security-misc
install tipc /bin/false install x25 /bin/disabled-network-by-security-misc
install n-hdlc /bin/false install rose /bin/disabled-network-by-security-misc
install ax25 /bin/false install decnet /bin/disabled-network-by-security-misc
install netrom /bin/false install econet /bin/disabled-network-by-security-misc
install x25 /bin/false install af_802154 /bin/disabled-network-by-security-misc
install rose /bin/false install ipx /bin/disabled-network-by-security-misc
install decnet /bin/false install appletalk /bin/disabled-network-by-security-misc
install econet /bin/false install psnap /bin/disabled-network-by-security-misc
install af_802154 /bin/false install p8023 /bin/disabled-network-by-security-misc
install ipx /bin/false install p8022 /bin/disabled-network-by-security-misc
install appletalk /bin/false install can /bin/disabled-network-by-security-misc
install psnap /bin/false install atm /bin/disabled-network-by-security-misc
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
# Disable uncommon filesystems to reduce attack surface ## Disable uncommon file systems to reduce attack surface
install cramfs /bin/false install cramfs /bin/disabled-filesys-by-security-misc
install udf /bin/false install freevxfs /bin/disabled-filesys-by-security-misc
install jffs2 /bin/disabled-filesys-by-security-misc
install hfs /bin/disabled-filesys-by-security-misc
install hfsplus /bin/disabled-filesys-by-security-misc
install udf /bin/disabled-filesys-by-security-misc
## Blacklists the vivid kernel module as it's only required for ## Disable uncommon network file systems to reduce attack surface
## testing and has been the cause of multiple vulnerabilities. install cifs /bin/disabled-netfilesys-by-security-misc
## install nfs /bin/disabled-netfilesys-by-security-misc
install nfsv3 /bin/disabled-netfilesys-by-security-misc
install nfsv4 /bin/disabled-netfilesys-by-security-misc
install ksmbd /bin/disabled-netfilesys-by-security-misc
install gfs2 /bin/disabled-netfilesys-by-security-misc
## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
install vivid /bin/false install vivid /bin/disabled-vivid-by-security-misc
## Disable Intel Management Engine (ME) interface with the OS
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
install mei /bin/disabled-intelme-by-security-misc
install mei-me /bin/disabled-intelme-by-security-misc
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
blacklist ath_pci
## Blacklist automatic loading of miscellaneous modules
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
blacklist evbug
blacklist usbmouse
blacklist usbkbd
blacklist eepro100
blacklist de4x5
blacklist eth1394
blacklist snd_intel8x0m
blacklist snd_aw2
blacklist prism54
blacklist bcm43xx
blacklist garmin_gps
blacklist asus_acpi
blacklist snd_pcsp
blacklist pcspkr
blacklist amd76x_edac
## Blacklist automatic loading of framebuffer drivers
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
blacklist aty128fb
blacklist atyfb
#blacklist radeonfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist i810fb
#blacklist intelfb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_bases
blacklist neofb
#blacklist nvidiafb
blacklist pm2fb
blacklist rivafb
blacklist s1d13xxxfb
blacklist savagefb
blacklist sisfb
blacklist sstfb
blacklist tdfxfb
blacklist tridentfb
#blacklist vesafb
blacklist vfb
blacklist viafb
blacklist vt8623fb
blacklist udlfb
## Disable CD-ROM devices
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#install cdrom /bin/disabled-cdrom-by-security-misc
#install sr_mod /bin/disabled-cdrom-by-security-misc
blacklist cdrom
blacklist sr_mod

10
usr/libexec/security-misc/hide-hardware-info
View File

@ -80,22 +80,24 @@ do
fi fi
done done
## https://www.whonix.org/wiki/Security-misc#selinux
##
## on SELinux systems, at least /sys/fs/selinux ## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else ## must be visible to unprivileged users, else
## SELinux userspace utilities will not function ## SELinux userspace utilities will not function
## properly ## properly
if [ -d /sys/fs/selinux ]; then if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then if [ "${selinux}" = "1" ]; then
## restrict permissions on everything but ## restrict permissions on everything but
## what is needed ## what is needed
for i in /sys/* /sys/fs/* for i in /sys/* /sys/fs/*
do do
## Using '|| true':
## https://github.com/Kicksecure/security-misc/pull/108
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
chmod o-rwx "${i}" chmod o-rwx "${i}" || true
else else
chmod og-rwx "${i}" chmod og-rwx "${i}" || true
fi fi
done done
chmod o+rx /sys /sys/fs /sys/fs/selinux chmod o+rx /sys /sys/fs /sys/fs/selinux