Updated README.md

This commit is contained in:
Raja Grewal 2022-07-12 17:18:47 +10:00
parent 48089e5ba4
commit fe0cc10890
No known key found for this signature in database
GPG Key ID: E34A5801947020A5


@ -88,15 +88,24 @@ disabled.
* IOMMU is enabled to prevent DMA attacks.
### Blacklisted kernel modules
### Disables and blacklists kernel modules
Certain kernel modules are blacklisted to reduce attack surface via the
Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the
`/etc/modprobe.d/30_security-misc.conf` configuration file.
* Deactivates Netfilter's connection tracking helper - this module
increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled.
* Bluetooth is disabled to reduce attack surface. Bluetooth has
a lengthy history of security concerns.
* Thunderbolt and numerous FireWire kernel modules are also disabled as they are
often vulnerable to DMA attacks.
* The MSR kernel module is disabled to prevent CPU MSRs from being
abused to write to arbitrary memory.
* Uncommon network protocols are blacklisted. This includes:
DCCP - Datagram Congestion Control Protocol
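Review bot: The new heading and intro sentence ("disabled and blacklisted") introduce a distinction that the bullets under it never resolve: for each module the reader cannot tell whether it is merely blacklisted (a modprobe.d `blacklist` line, which only stops automatic alias-based loading) or actually disabled (an `install <module> /bin/false`-style line, which refuses any load). The second hunk's Ubuntu bullet already concedes that blacklisted modules "are still permitted to load", so the difference matters for the threat model this section is describing. Suggest stating the mechanism per bullet, e.g. "Bluetooth is disabled (cannot be loaded)" versus "uncommon network protocols are blacklisted (not auto-loaded)". Minor: "Thunderbolt and numerous FireWire kernel modules are also disabled" reads oddly; the old "The Thunderbolt and FireWire kernel modules" wording was clearer, and "also" has nothing above it to refer to now that this bullet has moved up.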
@ -137,23 +146,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled.
ATM
* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has
a history of security concerns.
* The Thunderbolt and FireWire kernel modules are blacklisted as they are
often vulnerable to DMA attacks.
* The vivid kernel module is only required for testing and has been the cause
of multiple vulnerabilities so it is blacklisted.
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
abused to write to arbitrary memory.
* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
* The vivid kernel module is only required for testing and has been the cause
of multiple vulnerabilities so it is disabled.
* Not enabled by default yet, comment only: Disables the use of CD-ROM devices by default.
* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load.
* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet.
### Other
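Review bot: Grammar in the new CD-ROM bullet: "the modules needed to use of CD-ROM devices" should be "the modules needed to use CD-ROM devices", and "Not completely disabled yet." should say what remains possible (per the Ubuntu bullet just above, a blacklisted module can still be loaded explicitly). The Intel ME line now says "Provides some disabling of the interface", which is vaguer than the "some blocking" wording it replaces; name which mei modules are affected instead of "some". In the file systems bullet, "that reduces the attack surface" should read "which reduces the attack surface". Finally, the Ubuntu blacklist link is pinned to the `ubuntu/disco` branch (Ubuntu 19.04, long end-of-life); consider linking a current release branch so the reference stays meaningful.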