mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-26 16:09:51 -05:00
Merge remote-tracking branch 'raja-gerwal/master'
This commit is contained in:
commit
d018bdaf73
@ -149,6 +149,11 @@ of multiple vulnerabilities so it is blacklisted.
|
||||
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
|
||||
abused to write to arbitrary memory.
|
||||
|
||||
* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
|
||||
|
||||
* Disables the use of CD-ROM devices by default.
|
||||
|
||||
* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
|
||||
### Other
|
||||
|
||||
* A systemd service clears the System.map file on boot as these contain kernel
|
||||
|
@ -1,25 +1,36 @@
|
||||
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## https://phabricator.whonix.org/T486
|
||||
# See the following links for a community discussion and overview regarding the selections
|
||||
# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
|
||||
|
||||
# Blacklist automatic conntrack helper assignment
|
||||
# https://phabricator.whonix.org/T486
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
|
||||
# Blacklists bluetooth to reduce attack surface.
|
||||
# Bluetooth also has a history of security vulnerabilities:
|
||||
#
|
||||
# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities
|
||||
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
install bluetooth /bin/false
|
||||
install btusb /bin/false
|
||||
install bluetooth /bin/disabled-by-security-misc
|
||||
install btusb /bin/disabled-by-security-misc
|
||||
|
||||
# Blacklist thunderbolt and firewire to prevent some DMA attacks.
|
||||
install firewire-core /bin/false
|
||||
install thunderbolt /bin/false
|
||||
# Blacklist thunderbolt and firewire modules to prevent some DMA attacks
|
||||
install thunderbolt /bin/disabled-by-security-misc
|
||||
install firewire-core /bin/disabled-by-security-misc
|
||||
install firewire_core /bin/disabled-by-security-misc
|
||||
install firewire-ohci /bin/disabled-by-security-misc
|
||||
install firewire_ohci /bin/disabled-by-security-misc
|
||||
install ohci1394 /bin/disabled-by-security-misc
|
||||
install sbp2 /bin/disabled-by-security-misc
|
||||
install dv1394 /bin/disabled-by-security-misc
|
||||
install raw1394 /bin/disabled-by-security-misc
|
||||
install video1394 /bin/disabled-by-security-misc
|
||||
install firewire-sbp2 /bin/disabled-by-security-misc
|
||||
|
||||
# Blacklist CPU MSRs as they can be abused to write to
|
||||
# arbitrary memory.
|
||||
install msr /bin/false
|
||||
# Blacklist CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
install msr /bin/disabled-by-security-misc
|
||||
|
||||
# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
||||
# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
||||
#
|
||||
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
|
||||
#
|
||||
@ -27,34 +38,54 @@ install msr /bin/false
|
||||
#
|
||||
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
|
||||
#
|
||||
install dccp /bin/false
|
||||
install sctp /bin/false
|
||||
install rds /bin/false
|
||||
install tipc /bin/false
|
||||
install n-hdlc /bin/false
|
||||
install ax25 /bin/false
|
||||
install netrom /bin/false
|
||||
install x25 /bin/false
|
||||
install rose /bin/false
|
||||
install decnet /bin/false
|
||||
install econet /bin/false
|
||||
install af_802154 /bin/false
|
||||
install ipx /bin/false
|
||||
install appletalk /bin/false
|
||||
install psnap /bin/false
|
||||
install p8023 /bin/false
|
||||
install p8022 /bin/false
|
||||
install can /bin/false
|
||||
install atm /bin/false
|
||||
install dccp /bin/disabled-by-security-misc
|
||||
install sctp /bin/disabled-by-security-misc
|
||||
install rds /bin/disabled-by-security-misc
|
||||
install tipc /bin/disabled-by-security-misc
|
||||
install n-hdlc /bin/disabled-by-security-misc
|
||||
install ax25 /bin/disabled-by-security-misc
|
||||
install netrom /bin/disabled-by-security-misc
|
||||
install x25 /bin/disabled-by-security-misc
|
||||
install rose /bin/disabled-by-security-misc
|
||||
install decnet /bin/disabled-by-security-misc
|
||||
install econet /bin/disabled-by-security-misc
|
||||
install af_802154 /bin/disabled-by-security-misc
|
||||
install ipx /bin/disabled-by-security-misc
|
||||
install appletalk /bin/disabled-by-security-misc
|
||||
install psnap /bin/disabled-by-security-misc
|
||||
install p8023 /bin/disabled-by-security-misc
|
||||
install p8022 /bin/disabled-by-security-misc
|
||||
install can /bin/disabled-by-security-misc
|
||||
install atm /bin/disabled-by-security-misc
|
||||
|
||||
# Disable uncommon filesystems to reduce attack surface
|
||||
install cramfs /bin/false
|
||||
install udf /bin/false
|
||||
# Blacklist uncommon file systems to reduce attack surface
|
||||
install cramfs /bin/disabled-by-security-misc
|
||||
install freevxfs /bin/disabled-by-security-misc
|
||||
install jffs2 /bin/disabled-by-security-misc
|
||||
install hfs /bin/disabled-by-security-misc
|
||||
install hfsplus /bin/disabled-by-security-misc
|
||||
install udf /bin/disabled-by-security-misc
|
||||
|
||||
## Blacklists the vivid kernel module as it's only required for
|
||||
## testing and has been the cause of multiple vulnerabilities.
|
||||
##
|
||||
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
install vivid /bin/false
|
||||
# Blacklist uncommon network file systems to reduce attack surface
|
||||
install cifs /bin/disabled-by-security-misc
|
||||
install nfs /bin/disabled-by-security-misc
|
||||
install nfsv3 /bin/disabled-by-security-misc
|
||||
install nfsv4 /bin/disabled-by-security-misc
|
||||
install ksmbd /bin/disabled-by-security-misc
|
||||
install gfs2 /bin/disabled-by-security-misc
|
||||
|
||||
# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
|
||||
# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
# https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
install vivid /bin/disabled-by-security-misc
|
||||
|
||||
# Blacklist CD-ROM devices
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
install cdrom /bin/disabled-by-security-misc
|
||||
install sr_mod /bin/disabled-by-security-misc
|
||||
|
||||
# Blacklist Intel Management Engine (ME) interface with the OS
|
||||
# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
install mei /bin/disabled-by-security-misc
|
||||
install mei-me /bin/disabled-by-security-misc
|
||||
|
10
usr/bin/disabled-by-security-misc
Executable file
10
usr/bin/disabled-by-security-misc
Executable file
@ -0,0 +1,10 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
Loading…
Reference in New Issue
Block a user