mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-29 06:56:12 -05:00
Merge remote-tracking branch 'raja/modules'
This commit is contained in:
commit
f34b9d7c45
73
README.md
73
README.md
@ -122,63 +122,46 @@ preventing new modules from being loaded. Since this isn't configured directly
|
||||
within systemctl, it does not break the loading of legitimate and necessary
|
||||
modules for the user, like drivers etc., given they are plugged in on startup.
|
||||
|
||||
#### Disables and blacklists kernel modules
|
||||
#### Blacklist and disable kernel modules
|
||||
|
||||
Certain kernel modules are disabled and blacklisted by default to reduce attack
|
||||
surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
|
||||
Certain kernel modules are blacklisted by default to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
|
||||
modules from automatically starting.
|
||||
|
||||
- Deactivates Netfilter's connection tracking helper - this module increases
|
||||
kernel attack surface by enabling superfluous functionality such as IRC
|
||||
parsing in the kernel. Hence, this feature is disabled.
|
||||
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||
|
||||
- Thunderbolt and numerous FireWire kernel modules are also disabled as they
|
||||
are often vulnerable to DMA attacks.
|
||||
- Conntrack: Deactivates Netfilter's connection tracking helper - this module
|
||||
increases kernel attack surface by enabling superfluous functionality such
|
||||
as IRC parsing in the kernel. Hence, this feature is disabled.
|
||||
|
||||
- The MSR kernel module is disabled to prevent CPU MSRs from being abused to
|
||||
write to arbitrary memory.
|
||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
|
||||
- Uncommon network protocols are blacklisted. This includes:
|
||||
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
||||
automatically loading.
|
||||
|
||||
- DCCP - Datagram Congestion Control Protocol
|
||||
- SCTP - Stream Control Transmission Protocol
|
||||
- RDS - Reliable Datagram Sockets
|
||||
- TIPC - Transparent Inter-process Communication
|
||||
- HDLC - High-Level Data Link Control
|
||||
- AX25 - Amateur X.25
|
||||
- NetRom
|
||||
- X25
|
||||
- ROSE
|
||||
- DECnet
|
||||
- Econet
|
||||
- af_802154 - IEEE 802.15.4
|
||||
- IPX - Internetwork Packet Exchange
|
||||
- AppleTalk
|
||||
- PSNAP - Subnetwork Access Protocol
|
||||
- p8023 - Novell raw IEEE 802.3
|
||||
- p8022 - IEEE 802.2
|
||||
- CAN - Controller Area Network
|
||||
- ATM
|
||||
Specific kernel modules are entirely disabled to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
||||
modules from starting. This approach should not be considered comprehensive,
|
||||
rather it is a form of badness enumeration.
|
||||
|
||||
- Disables a large array of uncommon file systems and network file systems
|
||||
that reduces the attack surface especially against legacy approaches.
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
- The vivid kernel module is only required for testing and has been the cause
|
||||
of multiple vulnerabilities so it is disabled.
|
||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
- Provides some disabling of the interface between the [Intel Management
|
||||
Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html)
|
||||
and the OS.
|
||||
- GPS: Disables GPS-related modules responsible systems such as for Global
|
||||
Navigation Satellite System (GNSS).
|
||||
|
||||
- Disables several kernel modules responsible for GPS such as GNSS (Global
|
||||
Navigation Satellite System).
|
||||
- Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||
Intel ME and the OS.
|
||||
|
||||
- Incorporates much of
|
||||
[Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco)
|
||||
default blacklist of modules to be blocked from automatically loading.
|
||||
However, they are still permitted to load.
|
||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||
|
||||
- Blocks automatic loading of the modules needed to use of CD-ROM devices by
|
||||
default. Not completely disabled yet.
|
||||
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
|
||||
|
||||
- Miscellaneous: Disable an assortment other modules such as vivid.
|
||||
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
### Other
|
||||
|
||||
|
2
debian/security-misc.maintscript
vendored
2
debian/security-misc.maintscript
vendored
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
|
||||
rm_conffile /etc/sysctl.d/tcp_hardening.conf
|
||||
rm_conffile /etc/sysctl.d/tcp_sack.conf
|
||||
|
||||
## merged into 1 file /etc/modprobe.d/30_security-misc.conf
|
||||
## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
|
||||
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
|
||||
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
|
||||
rm_conffile /etc/modprobe.d/vivid.conf
|
||||
|
80
etc/modprobe.d/30_security-misc_blacklist.conf
Normal file
80
etc/modprobe.d/30_security-misc_blacklist.conf
Normal file
@ -0,0 +1,80 @@
|
||||
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## See the following links for a community discussion and overview regarding the selections.
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
|
||||
|
||||
## Blacklisting prevents kernel modules from automatically starting.
|
||||
## Disabling prohibits kernel modules from starting.
|
||||
|
||||
## CD-ROM/DVD:
|
||||
## Blacklist CD-ROM and DVD modules.
|
||||
## Do not disable by default for potential future ISO plans.
|
||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
||||
#
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
#
|
||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
|
||||
## Conntrack:
|
||||
## Disable automatic conntrack helper assignment.
|
||||
## https://phabricator.whonix.org/T486
|
||||
#
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
|
||||
## Framebuffer Drivers:
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
#
|
||||
blacklist aty128fb
|
||||
blacklist atyfb
|
||||
blacklist cirrusfb
|
||||
blacklist cyber2000fb
|
||||
blacklist cyblafb
|
||||
blacklist gx1fb
|
||||
blacklist hgafb
|
||||
blacklist i810fb
|
||||
blacklist intelfb
|
||||
blacklist kyrofb
|
||||
blacklist lxfb
|
||||
blacklist matroxfb_bases
|
||||
blacklist neofb
|
||||
blacklist nvidiafb
|
||||
blacklist pm2fb
|
||||
blacklist radeonfb
|
||||
blacklist rivafb
|
||||
blacklist s1d13xxxfb
|
||||
blacklist savagefb
|
||||
blacklist sisfb
|
||||
blacklist sstfb
|
||||
blacklist tdfxfb
|
||||
blacklist tridentfb
|
||||
blacklist vesafb
|
||||
blacklist vfb
|
||||
blacklist viafb
|
||||
blacklist vt8623fb
|
||||
blacklist udlfb
|
||||
|
||||
## Miscellaneous:
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
#
|
||||
blacklist ath_pci
|
||||
blacklist amd76x_edac
|
||||
blacklist asus_acpi
|
||||
blacklist bcm43xx
|
||||
blacklist eepro100
|
||||
blacklist eth1394
|
||||
blacklist evbug
|
||||
blacklist de4x5
|
||||
blacklist garmin_gps
|
||||
blacklist pcspkr
|
||||
blacklist prism54
|
||||
blacklist snd_aw2
|
||||
blacklist snd_intel8x0m
|
||||
blacklist snd_pcsp
|
||||
blacklist usbkbd
|
||||
blacklist usbmouse
|
@ -1,159 +1,119 @@
|
||||
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## See the following links for a community discussion and overview regarding the selections
|
||||
## See the following links for a community discussion and overview regarding the selections.
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
|
||||
|
||||
## Disable automatic conntrack helper assignment
|
||||
## https://phabricator.whonix.org/T486
|
||||
options nf_conntrack nf_conntrack_helper=0
|
||||
## Blacklisting prevents kernel modules from automatically starting.
|
||||
## Disabling prohibits kernel modules from starting.
|
||||
|
||||
## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
|
||||
## Bluetooth:
|
||||
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
|
||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
#
|
||||
## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
|
||||
## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
|
||||
#
|
||||
# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
|
||||
# install btusb /usr/bin/disabled-bluetooth-by-security-misc
|
||||
|
||||
## Disable thunderbolt and firewire modules to prevent some DMA attacks
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install firewire-core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-net /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install ohci1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install dv1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install raw1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install video1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
|
||||
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
|
||||
|
||||
## CPU Model-Specific Registers (MSRs):
|
||||
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
|
||||
## https://github.com/Kicksecure/security-misc/issues/215
|
||||
#
|
||||
#install msr /usr/bin/disabled-msr-by-security-misc
|
||||
|
||||
## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
||||
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
|
||||
## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
|
||||
## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
|
||||
install dccp /usr/bin/disabled-network-by-security-misc
|
||||
install sctp /usr/bin/disabled-network-by-security-misc
|
||||
install rds /usr/bin/disabled-network-by-security-misc
|
||||
install tipc /usr/bin/disabled-network-by-security-misc
|
||||
install n-hdlc /usr/bin/disabled-network-by-security-misc
|
||||
install ax25 /usr/bin/disabled-network-by-security-misc
|
||||
install netrom /usr/bin/disabled-network-by-security-misc
|
||||
install x25 /usr/bin/disabled-network-by-security-misc
|
||||
install rose /usr/bin/disabled-network-by-security-misc
|
||||
install decnet /usr/bin/disabled-network-by-security-misc
|
||||
install econet /usr/bin/disabled-network-by-security-misc
|
||||
install af_802154 /usr/bin/disabled-network-by-security-misc
|
||||
install ipx /usr/bin/disabled-network-by-security-misc
|
||||
install appletalk /usr/bin/disabled-network-by-security-misc
|
||||
install psnap /usr/bin/disabled-network-by-security-misc
|
||||
install p8023 /usr/bin/disabled-network-by-security-misc
|
||||
install p8022 /usr/bin/disabled-network-by-security-misc
|
||||
install can /usr/bin/disabled-network-by-security-misc
|
||||
install atm /usr/bin/disabled-network-by-security-misc
|
||||
|
||||
## Disable uncommon file systems to reduce attack surface
|
||||
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
|
||||
## File Systems:
|
||||
## Disable uncommon file systems to reduce attack surface.
|
||||
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
|
||||
#
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfsplus /usr/bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /usr/bin/disabled-filesys-by-security-misc
|
||||
install udf /usr/bin/disabled-filesys-by-security-misc
|
||||
|
||||
## Disable uncommon network file systems to reduce attack surface
|
||||
install cifs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
## FireWire (IEEE 1394):
|
||||
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
|
||||
## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
|
||||
#
|
||||
install dv1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-net /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install ohci1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install raw1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install video1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
|
||||
## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
|
||||
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
install vivid /usr/bin/disabled-vivid-by-security-misc
|
||||
|
||||
## Disable Intel Management Engine (ME) interface with the OS
|
||||
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
install mei-me /usr/bin/disabled-intelme-by-security-misc
|
||||
|
||||
# Disable GPS modules like GNSS (Global Navigation Satellite System)
|
||||
## Global Positioning Systems (GPS):
|
||||
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
|
||||
#
|
||||
install gnss /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-serial /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-usb /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-ubx /usr/bin/disabled-gps-by-security-misc
|
||||
install gnss-usb /usr/bin/disabled-gps-by-security-misc
|
||||
|
||||
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
blacklist ath_pci
|
||||
## Intel Management Engine (ME):
|
||||
## Partially disable the Intel ME interface with the OS.
|
||||
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
#
|
||||
install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
install mei-me /usr/bin/disabled-intelme-by-security-misc
|
||||
|
||||
## Blacklist automatic loading of miscellaneous modules
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
|
||||
blacklist evbug
|
||||
blacklist usbmouse
|
||||
blacklist usbkbd
|
||||
blacklist eepro100
|
||||
blacklist de4x5
|
||||
blacklist eth1394
|
||||
blacklist snd_intel8x0m
|
||||
blacklist snd_aw2
|
||||
blacklist prism54
|
||||
blacklist bcm43xx
|
||||
blacklist garmin_gps
|
||||
blacklist asus_acpi
|
||||
blacklist snd_pcsp
|
||||
blacklist pcspkr
|
||||
blacklist amd76x_edac
|
||||
## Network File Systems:
|
||||
## Disable uncommon network file systems to reduce attack surface.
|
||||
#
|
||||
install cifs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
|
||||
## Blacklist automatic loading of framebuffer drivers
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
|
||||
blacklist aty128fb
|
||||
blacklist atyfb
|
||||
blacklist radeonfb
|
||||
blacklist cirrusfb
|
||||
blacklist cyber2000fb
|
||||
blacklist cyblafb
|
||||
blacklist gx1fb
|
||||
blacklist hgafb
|
||||
blacklist i810fb
|
||||
blacklist intelfb
|
||||
blacklist kyrofb
|
||||
blacklist lxfb
|
||||
blacklist matroxfb_bases
|
||||
blacklist neofb
|
||||
blacklist nvidiafb
|
||||
blacklist pm2fb
|
||||
blacklist rivafb
|
||||
blacklist s1d13xxxfb
|
||||
blacklist savagefb
|
||||
blacklist sisfb
|
||||
blacklist sstfb
|
||||
blacklist tdfxfb
|
||||
blacklist tridentfb
|
||||
blacklist vesafb
|
||||
blacklist vfb
|
||||
blacklist viafb
|
||||
blacklist vt8623fb
|
||||
blacklist udlfb
|
||||
## Network Protocols:
|
||||
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
|
||||
## https://tails.boum.org/blueprint/blacklist_modules/
|
||||
## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
|
||||
#
|
||||
install af_802154 /usr/bin/disabled-network-by-security-misc
|
||||
install appletalk /usr/bin/disabled-network-by-security-misc
|
||||
install atm /usr/bin/disabled-network-by-security-misc
|
||||
install ax25 /usr/bin/disabled-network-by-security-misc
|
||||
install can /usr/bin/disabled-network-by-security-misc
|
||||
install decnet /usr/bin/disabled-network-by-security-misc
|
||||
install dccp /usr/bin/disabled-network-by-security-misc
|
||||
install econet /usr/bin/disabled-network-by-security-misc
|
||||
install ipx /usr/bin/disabled-network-by-security-misc
|
||||
install n-hdlc /usr/bin/disabled-network-by-security-misc
|
||||
install netrom /usr/bin/disabled-network-by-security-misc
|
||||
install p8022 /usr/bin/disabled-network-by-security-misc
|
||||
install p8023 /usr/bin/disabled-network-by-security-misc
|
||||
install psnap /usr/bin/disabled-network-by-security-misc
|
||||
install rds /usr/bin/disabled-network-by-security-misc
|
||||
install rose /usr/bin/disabled-network-by-security-misc
|
||||
install sctp /usr/bin/disabled-network-by-security-misc
|
||||
install tipc /usr/bin/disabled-network-by-security-misc
|
||||
install x25 /usr/bin/disabled-network-by-security-misc
|
||||
|
||||
## Disable CD-ROM devices
|
||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
## Miscellaneous:
|
||||
#
|
||||
## Vivid:
|
||||
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
|
||||
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
#
|
||||
install vivid /usr/bin/disabled-vivid-by-security-misc
|
||||
|
||||
## Thunderbolt:
|
||||
## Disables Thunderbolt modules to prevent some DMA attacks.
|
||||
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
|
||||
#
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
@ -5,6 +5,6 @@
|
||||
|
||||
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
|
||||
|
||||
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
|
||||
echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
|
||||
|
||||
exit 1
|
||||
|
Loading…
Reference in New Issue
Block a user