From 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 02:27:56 +1000
Subject: [PATCH 1/7] Remove redundant disabled modules
---
 etc/modprobe.d/30_security-misc.conf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 0e4b0f2..90b2a46 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -20,11 +20,8 @@ options nf_conntrack nf_conntrack_helper=0
 ## Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
-install firewire_core /usr/bin/disabled-firewire-by-security-misc
 install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
-install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
-install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
 install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
 install ohci1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
From fe20f3240e2f31099bcaa9f9e2045320df810edf Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 02:28:48 +1000
Subject: [PATCH 2/7] Refactor existing modprobe for clarity
---
 etc/modprobe.d/30_security-misc.conf | 268 +++++++++++++++------------
 1 file changed, 151 insertions(+), 117 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 90b2a46..af5fd10 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -1,123 +1,34 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## See the following links for a community discussion and overview regarding the selections
+## See the following links for a community discussion and overview regarding the selections.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
-## Disable automatic conntrack helper assignment
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Connection Tracking:
+## Disable automatic conntrack helper assignment.
 ## https://phabricator.whonix.org/T486
+#
 options nf_conntrack nf_conntrack_helper=0
-## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
-## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-#
-## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
-#
-# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
-# install btusb /usr/bin/disabled-bluetooth-by-security-misc
-
-## Disable thunderbolt and firewire modules to prevent some DMA attacks
-install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install firewire-core /usr/bin/disabled-firewire-by-security-misc
-install firewire-net /usr/bin/disabled-firewire-by-security-misc
-install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
-install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
-install ohci1394 /usr/bin/disabled-firewire-by-security-misc
-install sbp2 /usr/bin/disabled-firewire-by-security-misc
-install dv1394 /usr/bin/disabled-firewire-by-security-misc
-install raw1394 /usr/bin/disabled-firewire-by-security-misc
-install video1394 /usr/bin/disabled-firewire-by-security-misc
-
-## Disable CPU MSRs as they can be abused to write to arbitrary memory.
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-#install msr /usr/bin/disabled-msr-by-security-misc
-
-## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-install dccp /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
-install n-hdlc /usr/bin/disabled-network-by-security-misc
-install ax25 /usr/bin/disabled-network-by-security-misc
-install netrom /usr/bin/disabled-network-by-security-misc
-install x25 /usr/bin/disabled-network-by-security-misc
-install rose /usr/bin/disabled-network-by-security-misc
-install decnet /usr/bin/disabled-network-by-security-misc
-install econet /usr/bin/disabled-network-by-security-misc
-install af_802154 /usr/bin/disabled-network-by-security-misc
-install ipx /usr/bin/disabled-network-by-security-misc
-install appletalk /usr/bin/disabled-network-by-security-misc
-install psnap /usr/bin/disabled-network-by-security-misc
-install p8023 /usr/bin/disabled-network-by-security-misc
-install p8022 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
-install atm /usr/bin/disabled-network-by-security-misc
-
-## Disable uncommon file systems to reduce attack surface
-## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
-install cramfs /usr/bin/disabled-filesys-by-security-misc
-install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
-install hfs /usr/bin/disabled-filesys-by-security-misc
-install hfsplus /usr/bin/disabled-filesys-by-security-misc
-install udf /usr/bin/disabled-filesys-by-security-misc
-
-## Disable uncommon network file systems to reduce attack surface
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
-install nfs /usr/bin/disabled-netfilesys-by-security-misc
-install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
-install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
-install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
-
-## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /usr/bin/disabled-vivid-by-security-misc
-
-## Disable Intel Management Engine (ME) interface with the OS
-## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
-install mei /usr/bin/disabled-intelme-by-security-misc
-install mei-me /usr/bin/disabled-intelme-by-security-misc
-
-# Disable GPS modules like GNSS (Global Navigation Satellite System)
-install gnss /usr/bin/disabled-gps-by-security-misc
-install gnss-mtk /usr/bin/disabled-gps-by-security-misc
-install gnss-serial /usr/bin/disabled-gps-by-security-misc
-install gnss-sirf /usr/bin/disabled-gps-by-security-misc
-install gnss-usb /usr/bin/disabled-gps-by-security-misc
-install gnss-ubx /usr/bin/disabled-gps-by-security-misc
-
-## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
-blacklist ath_pci
-
-## Blacklist automatic loading of miscellaneous modules
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
-blacklist evbug
-blacklist usbmouse
-blacklist usbkbd
-blacklist eepro100
-blacklist de4x5
-blacklist eth1394
-blacklist snd_intel8x0m
-blacklist snd_aw2
-blacklist prism54
-blacklist bcm43xx
-blacklist garmin_gps
-blacklist asus_acpi
-blacklist snd_pcsp
-blacklist pcspkr
-blacklist amd76x_edac
-
-## Blacklist automatic loading of framebuffer drivers
+## Framebuffer Drivers:
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
 blacklist aty128fb
 blacklist atyfb
 blacklist radeonfb
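Review bot: The two-line explanation added near the top of the hunk, `## Blacklisting prevents kernel modules from automatically starting.` and `## Disabling prohibits kernel modules from starting.`, describes both mechanisms as stronger than they are, which matters in a file whose job is to state what attack surface has actually been removed. A `blacklist` entry only stops alias-based autoloading, and an explicit `modprobe <name>` or dependency resolution still loads the module, while an `install <name> /usr/bin/...` stub is honoured only by modprobe and does nothing for a module built into the kernel. Suggest `## Blacklisting stops automatic (alias-based) loading only; an explicit modprobe still loads the module.` and `## Disabling makes modprobe run a stub instead of the module; modules built into the kernel are unaffected.`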
@@ -147,10 +58,133 @@ blacklist viafb
 blacklist vt8623fb
 blacklist udlfb
-## Disable CD-ROM devices
-## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
-#install cdrom /usr/bin/disabled-cdrom-by-security-misc
-#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
-blacklist cdrom
-blacklist sr_mod
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist evbug
+blacklist usbmouse
+blacklist usbkbd
+blacklist eepro100
+blacklist de4x5
+blacklist eth1394
+blacklist snd_intel8x0m
+blacklist snd_aw2
+blacklist prism54
+blacklist bcm43xx
+blacklist garmin_gps
+blacklist asus_acpi
+blacklist snd_pcsp
+blacklist pcspkr
+blacklist amd76x_edac
+
+## Bluetooth:
+## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
+## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+#
+## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
+#
+#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install btusb /usr/bin/disabled-bluetooth-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+#
+#install msr /usr/bin/disabled-msr-by-security-misc
+
+## FireWire (IEEE 1394):
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
+#
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
+install ohci1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
+install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install video1394 /usr/bin/disabled-firewire-by-security-misc
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
+#
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+
+## Global Positioning Systems:
+## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
+#
+install gnss /usr/bin/disabled-gps-by-security-misc
+install gnss-mtk /usr/bin/disabled-gps-by-security-misc
+install gnss-serial /usr/bin/disabled-gps-by-security-misc
+install gnss-sirf /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
+install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+
+## Intel Management Engine (ME):
+## Partially disable the Intel ME interface with the OS.
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+#
+install mei /usr/bin/disabled-intelme-by-security-misc
+install mei-me /usr/bin/disabled-intelme-by-security-misc
+
+## Network File Systems:
+## Disable uncommon network file systems to reduce attack surface.
+#
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+
+## Network Protocols:
+## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+## https://tails.boum.org/blueprint/blacklist_modules/
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
+#
+install dccp /usr/bin/disabled-network-by-security-misc
+install sctp /usr/bin/disabled-network-by-security-misc
+install rds /usr/bin/disabled-network-by-security-misc
+install tipc /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install af_802154 /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install appletalk /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install atm /usr/bin/disabled-network-by-security-misc
+
+## Miscellaneous:
+#
+## Vivid:
+## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+#
+install vivid /usr/bin/disabled-vivid-by-security-misc
+
+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+#
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
From fc792ff23234399ed299c3fdc086d47c87d9b4a3 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 02:29:36 +1000
Subject: [PATCH 3/7] Alphabetically sort existing modprobe
---
 etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++--------------
 1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index af5fd10..a4e8baa 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -31,7 +31,6 @@ options nf_conntrack nf_conntrack_helper=0
 #
 blacklist aty128fb
 blacklist atyfb
-blacklist radeonfb
 blacklist cirrusfb
 blacklist cyber2000fb
 blacklist cyblafb
@@ -45,6 +44,7 @@ blacklist matroxfb_bases
 blacklist neofb
 blacklist nvidiafb
 blacklist pm2fb
+blacklist radeonfb
 blacklist rivafb
 blacklist s1d13xxxfb
 blacklist savagefb
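Review bot: `## Miscellaneous:` now heads two different sections in this hunk — the blacklist group starting at `blacklist ath_pci` and, near the end, the group holding the Vivid and Thunderbolt `install` stubs — so a reader or a grep cannot tell which one a reference means. Suggest giving the second one a distinct header such as `## Miscellaneous Disabled Modules:`, or dropping it and keeping `## Vivid:` and `## Thunderbolt:` as top-level headers like the other disable groups. Separately, the Fedora link in the Network Protocols section carries a stray trailing parenthesis: `## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)` should end at `Protocols`.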
@@ -63,21 +63,21 @@ blacklist udlfb
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 #
 blacklist ath_pci
-blacklist evbug
-blacklist usbmouse
-blacklist usbkbd
-blacklist eepro100
-blacklist de4x5
-blacklist eth1394
-blacklist snd_intel8x0m
-blacklist snd_aw2
-blacklist prism54
-blacklist bcm43xx
-blacklist garmin_gps
-blacklist asus_acpi
-blacklist snd_pcsp
-blacklist pcspkr
 blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse
 ## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
@@ -99,14 +99,14 @@ blacklist amd76x_edac
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
 ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
 #
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
-install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
 install ohci1394 /usr/bin/disabled-firewire-by-security-misc
-install sbp2 /usr/bin/disabled-firewire-by-security-misc
-install dv1394 /usr/bin/disabled-firewire-by-security-misc
 install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
 ## File Systems:
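Review bot: The reordering in the `@@ -63,21 +63,21 @@` hunk is not actually alphabetical, which undercuts the commit's stated purpose and makes duplicate entries harder to spot by eye: `blacklist ath_pci` is left above `blacklist amd76x_edac`, and `blacklist evbug` is inserted above `blacklist de4x5`. The FireWire hunk on the same line has the same problem with `install firewire-ohci` placed before `install firewire-net`, and the Network Protocols hunk later in this commit lists `install decnet` before `install dccp`. Moving each of those four entries to its sorted position would make the lists consistent with the rest of the file.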
@@ -115,9 +115,9 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
 #
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc
 ## Global Positioning Systems:
@@ -127,8 +127,8 @@ install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
 install gnss-sirf /usr/bin/disabled-gps-by-security-misc
-install gnss-usb /usr/bin/disabled-gps-by-security-misc
 install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Intel Management Engine (ME):
 ## Partially disable the Intel ME interface with the OS.
@@ -141,11 +141,11 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc
 ## Disable uncommon network file systems to reduce attack surface.
 #
 install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
-install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
@@ -153,25 +153,25 @@ install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
 #
-install dccp /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
-install n-hdlc /usr/bin/disabled-network-by-security-misc
-install ax25 /usr/bin/disabled-network-by-security-misc
-install netrom /usr/bin/disabled-network-by-security-misc
-install x25 /usr/bin/disabled-network-by-security-misc
-install rose /usr/bin/disabled-network-by-security-misc
-install decnet /usr/bin/disabled-network-by-security-misc
-install econet /usr/bin/disabled-network-by-security-misc
 install af_802154 /usr/bin/disabled-network-by-security-misc
-install ipx /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
-install psnap /usr/bin/disabled-network-by-security-misc
-install p8023 /usr/bin/disabled-network-by-security-misc
-install p8022 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
 install atm /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install dccp /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install rds /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install sctp /usr/bin/disabled-network-by-security-misc
+install tipc /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc
 ## Miscellaneous:
 #
From b02230a783941da412be72fb52053db0c6b8010f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 02:42:37 +1000
Subject: [PATCH 4/7] Split modprobe into blacklisted and disabled configurations
---
 README.md | 7 +-
 debian/security-misc.maintscript | 2 +-
 .../30_security-misc_blacklist.conf | 80 +++++++++++++++++++
 ...isc.conf => 30_security-misc_disable.conf} | 71 ----------------
 usr/bin/disabled-bluetooth-by-security-misc | 2 +-
 usr/bin/disabled-cdrom-by-security-misc | 2 +-
 usr/bin/disabled-filesys-by-security-misc | 2 +-
 usr/bin/disabled-firewire-by-security-misc | 2 +-
 usr/bin/disabled-gps-by-security-misc | 2 +-
 usr/bin/disabled-intelme-by-security-misc | 2 +-
 usr/bin/disabled-netfilesys-by-security-misc | 2 +-
 usr/bin/disabled-network-by-security-misc | 2 +-
 usr/bin/disabled-thunderbolt-by-security-misc | 2 +-
 usr/bin/disabled-vivid-by-security-misc | 3 +-
 14 files changed, 96 insertions(+), 85 deletions(-)
 create mode 100644 etc/modprobe.d/30_security-misc_blacklist.conf
 rename etc/modprobe.d/{30_security-misc.conf => 30_security-misc_disable.conf} (77%)
diff --git a/README.md b/README.md
index 5c9df4a..7601260 100644
--- a/README.md
+++ b/README.md
@@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly
 within systemctl, it does not break the loading of legitimate and necessary
 modules for the user, like drivers etc., given they are plugged in on startup.
-#### Disables and blacklists kernel modules
+#### Blacklist and disable kernel modules
-Certain kernel modules are disabled and blacklisted by default to reduce attack
-surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
+Certain kernel modules are blacklisted and disabled by default to reduce attack
+surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and
+`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively.
 - Deactivates Netfilter's connection tracking helper - this module increases
 kernel attack surface by enabling superfluous functionality such as IRC
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index f64e762..4279cf2 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
-## merged into 1 file /etc/modprobe.d/30_security-misc.conf
+## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
new file mode 100644
index 0000000..f516fe2
--- /dev/null
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc_disable.conf
similarity index 77%
rename from etc/modprobe.d/30_security-misc.conf
rename to etc/modprobe.d/30_security-misc_disable.conf
index a4e8baa..0a676d1 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
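Review bot: The commented-out `#install cdrom /usr/bin/disabled-cdrom-by-security-misc` and `#install sr_mod /usr/bin/disabled-cdrom-by-security-misc` stubs have been carried into the new blacklist file, but the `disabled-cdrom-by-security-misc` script changed later in this commit tells the user to look in `/etc/modprobe.d/30_security-misc_disable.conf`, so anyone enabling the stubs in place will be pointed at the wrong file. Suggest moving those two commented `install` lines to `30_security-misc_disable.conf` (keeping `blacklist cdrom` and `blacklist sr_mod` here), or adding a comment saying where they belong if enabled. The `options nf_conntrack nf_conntrack_helper=0` line is neither a blacklist nor a disable directive, and the retained `## Disabling prohibits kernel modules from starting.` line describes a mechanism this file no longer uses, so a one-line note on why both live here would help the next reader.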
@@ -8,77 +8,6 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# -blacklist cdrom -blacklist sr_mod -# -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Connection Tracking: -## Disable automatic conntrack helper assignment. -## https://phabricator.whonix.org/T486 -# -options nf_conntrack nf_conntrack_helper=0 - -## Framebuffer Drivers: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - -## Miscellaneous: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# -blacklist ath_pci -blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx -blacklist eepro100 -blacklist eth1394 -blacklist evbug -blacklist de4x5 -blacklist garmin_gps -blacklist pcspkr -blacklist prism54 -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse - ## Bluetooth: ## Disable Bluetooth to reduce attack 
surface due to extended history of security vulnerabilities. ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 8091b45..7e011e3 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 13e4592..55f4b0c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index b5b2426..6c7dd5a 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc
index dbcc7ce..cbde5d1 100755
--- a/usr/bin/disabled-firewire-by-security-misc
+++ b/usr/bin/disabled-firewire-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc
index 90b7076..f1a24bf 100755
--- a/usr/bin/disabled-gps-by-security-misc
+++ b/usr/bin/disabled-gps-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc
index 47bdcb1..0913fcf 100755
--- a/usr/bin/disabled-intelme-by-security-misc
+++ b/usr/bin/disabled-intelme-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc
index e62f0c0..bbb57a8 100755
--- a/usr/bin/disabled-netfilesys-by-security-misc
+++ b/usr/bin/disabled-netfilesys-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc
index f00086e..8035522 100755
--- a/usr/bin/disabled-network-by-security-misc
+++ b/usr/bin/disabled-network-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc
index d153ceb..98f0840 100755
--- a/usr/bin/disabled-thunderbolt-by-security-misc
+++ b/usr/bin/disabled-thunderbolt-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc
index aa7c639..4a9855e 100755
--- a/usr/bin/disabled-vivid-by-security-misc
+++ b/usr/bin/disabled-vivid-by-security-misc
@@ -5,6 +5,7 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable
+.conf | args: $@" >&2
 
 exit 1
From f31dc8aebc652b2037c375351fc478d9b5ba4c27 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 16:21:03 +1000
Subject: [PATCH 5/7] Fix error in error script
---
 usr/bin/disabled-vivid-by-security-misc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc
index 4a9855e..f2d07b7 100755
--- a/usr/bin/disabled-vivid-by-security-misc
+++ b/usr/bin/disabled-vivid-by-security-misc
@@ -5,7 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable
-.conf | args: $@" >&2
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
From 41a3bf92fbdac88a1884dee735600cafa35134bf Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 12 Jul 2024 16:21:41 +1000
Subject: [PATCH 6/7] Sort `30_security-misc_disable.conf`
---
 etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 0a676d1..c9f5499 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -24,6 +24,17 @@ # #install msr /usr/bin/disabled-msr-by-security-misc +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +# +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues @@ -38,18 +49,7 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. -# -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Global Positioning Systems: +## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). # install gnss /usr/bin/disabled-gps-by-security-misc From 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e Mon Sep 17 00:00:00 2001 
From: Raja Grewal
Date: Fri, 12 Jul 2024 16:22:10 +1000
Subject: [PATCH 7/7] Update README.md relating to modprobe
---
 README.md | 72 +++++++++++++++++++++----------------------------------
 1 file changed, 27 insertions(+), 45 deletions(-)
diff --git a/README.md b/README.md
index 7601260..114b90c 100644
--- a/README.md
+++ b/README.md
@@ -124,62 +124,44 @@ modules for the user, like drivers etc., given they are plugged in on startup. #### Blacklist and disable kernel modules -Certain kernel modules are blacklisted and disabled by default to reduce attack -surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and -`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. +Certain kernel modules are blacklisted by default to reduce attack surface via +`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel +modules from automatically starting. -- Deactivates Netfilter's connection tracking helper - this module increases - kernel attack surface by enabling superfluous functionality such as IRC - parsing in the kernel. Hence, this feature is disabled. +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Thunderbolt and numerous FireWire kernel modules are also disabled as they - are often vulnerable to DMA attacks. +- Conntrack: Deactivates Netfilter's connection tracking helper - this module + increases kernel attack surface by enabling superfluous functionality such + as IRC parsing in the kernel. Hence, this feature is disabled. -- The MSR kernel module is disabled to prevent CPU MSRs from being abused to - write to arbitrary memory. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. -- Uncommon network protocols are blacklisted. This includes: +- Miscellaneous: Blacklist an assortment other modules to prevent them from + automatically loading. 
- - DCCP - Datagram Congestion Control Protocol - - SCTP - Stream Control Transmission Protocol - - RDS - Reliable Datagram Sockets - - TIPC - Transparent Inter-process Communication - - HDLC - High-Level Data Link Control - - AX25 - Amateur X.25 - - NetRom - - X25 - - ROSE - - DECnet - - Econet - - af_802154 - IEEE 802.15.4 - - IPX - Internetwork Packet Exchange - - AppleTalk - - PSNAP - Subnetwork Access Protocol - - p8023 - Novell raw IEEE 802.3 - - p8022 - IEEE 802.2 - - CAN - Controller Area Network - - ATM +Specific kernel modules are entirely disabled to reduce attack surface via +`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel +modules from starting. This approach should not be considered comprehensive, +rather it is a form of badness enumeration. -- Disables a large array of uncommon file systems and network file systems - that reduces the attack surface especially against legacy approaches. +- File Systems: Disable uncommon and legacy file systems. -- The vivid kernel module is only required for testing and has been the cause - of multiple vulnerabilities so it is disabled. +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Provides some disabling of the interface between the [Intel Management - Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) - and the OS. +- GPS: Disables GPS-related modules responsible systems such as for Global + Navigation Satellite System (GNSS). -- Disables several kernel modules responsible for GPS such as GNSS (Global - Navigation Satellite System). +- Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. -- Incorporates much of - [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) - default blacklist of modules to be blocked from automatically loading. - However, they are still permitted to load. 
+- Network File Systems: Disable uncommon and legacy network file systems. -- Blocks automatic loading of the modules needed to use of CD-ROM devices by - default. Not completely disabled yet. +- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. + +- Miscellaneous: Disable an assortment other modules such as vivid. + +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. ### Other