diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2ee7f0f..a2aa848 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -25,3 +25,10 @@ rm_conffile /etc/sysctl.d/coredumps.conf rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf + +rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf +rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf +rm_conffile /etc/modprobe.d/vivid.conf +rm_conffile /etc/modprobe.d/blacklist-dma.conf +rm_conffile /etc/modprobe.d/msr.conf +rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf diff --git a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf deleted file mode 100644 index bd42a28..0000000 --- a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf +++ /dev/null @@ -1,2 +0,0 @@ -## https://phabricator.whonix.org/T486 -options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf new file mode 100644 index 0000000..a43a60b --- /dev/null +++ b/etc/modprobe.d/30_security-misc.conf @@ -0,0 +1,54 @@ +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://phabricator.whonix.org/T486 +options nf_conntrack nf_conntrack_helper=0 + +# Blacklists bluetooth to reduce attack surface. +# Bluetooth also has a history of security vulnerabilities: +# +# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +install bluetooth /bin/false +install btusb /bin/false + +# Blacklist thunderbolt and firewire to prevent some DMA attacks. +install firewire-core /bin/false +install thunderbolt /bin/false + +# Blacklist CPU MSRs as they can be abused to write to +# arbitrary memory. +install msr /bin/false + +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# +# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +# +# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +# +# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +# +install dccp /bin/false +install sctp /bin/false +install rds /bin/false +install tipc /bin/false +install n-hdlc /bin/false +install ax25 /bin/false +install netrom /bin/false +install x25 /bin/false +install rose /bin/false +install decnet /bin/false +install econet /bin/false +install af_802154 /bin/false +install ipx /bin/false +install appletalk /bin/false +install psnap /bin/false +install p8023 /bin/false +install p8022 /bin/false + +## Blacklists the vivid kernel module as it's only required for +## testing and has been the cause of multiple vulnerabilities. +## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +install vivid /bin/false diff --git a/etc/modprobe.d/blacklist-bluetooth.conf b/etc/modprobe.d/blacklist-bluetooth.conf deleted file mode 100644 index 2bfc7fb..0000000 --- a/etc/modprobe.d/blacklist-bluetooth.conf +++ /dev/null @@ -1,6 +0,0 @@ -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf deleted file mode 100644 index e06eaa1..0000000 --- a/etc/modprobe.d/blacklist-dma.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Blacklist thunderbolt and firewire to prevent some DMA attacks. -install firewire-core /bin/false -install thunderbolt /bin/false diff --git a/etc/modprobe.d/msr.conf b/etc/modprobe.d/msr.conf deleted file mode 100644 index c9a39bf..0000000 --- a/etc/modprobe.d/msr.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Blacklist CPU MSRs as they can be abused to write to -# arbitrary memory. -install msr /bin/false diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf deleted file mode 100644 index 500ee10..0000000 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ /dev/null @@ -1,25 +0,0 @@ -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false diff --git a/etc/modprobe.d/vivid.conf b/etc/modprobe.d/vivid.conf deleted file mode 100644 index f8d8059..0000000 --- a/etc/modprobe.d/vivid.conf +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Blacklists the vivid kernel module as it's only required for -## testing and has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/false