## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules ## Disable automatic conntrack helper assignment ## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns # ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability # # install bluetooth /usr/bin/disabled-bluetooth-by-security-misc # install btusb /usr/bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire_core /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc install firewire_ohci /usr/bin/disabled-firewire-by-security-misc install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install dv1394 /usr/bin/disabled-firewire-by-security-misc install raw1394 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 #install msr /usr/bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. install dccp /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc install rds /usr/bin/disabled-network-by-security-misc install tipc /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc install p8023 /usr/bin/disabled-network-by-security-misc install p8022 /usr/bin/disabled-network-by-security-misc install can /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface install cifs /usr/bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /usr/bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc # Disable GPS modules like GNSS (Global Navigation Satellite System) install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc install gnss-sirf /usr/bin/disabled-gps-by-security-misc install gnss-usb /usr/bin/disabled-gps-by-security-misc install gnss-ubx /usr/bin/disabled-gps-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci ## Blacklist automatic loading of miscellaneous modules ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco blacklist evbug blacklist usbmouse blacklist usbkbd blacklist eepro100 blacklist de4x5 blacklist eth1394 blacklist snd_intel8x0m blacklist snd_aw2 blacklist prism54 blacklist bcm43xx blacklist garmin_gps blacklist asus_acpi blacklist snd_pcsp blacklist pcspkr blacklist amd76x_edac ## Blacklist automatic loading of framebuffer drivers ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco blacklist aty128fb blacklist atyfb blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb blacklist gx1fb blacklist hgafb blacklist i810fb blacklist intelfb blacklist kyrofb blacklist lxfb blacklist matroxfb_bases blacklist neofb blacklist nvidiafb blacklist pm2fb blacklist rivafb blacklist s1d13xxxfb blacklist savagefb blacklist sisfb blacklist sstfb blacklist tdfxfb blacklist tridentfb blacklist vesafb blacklist vfb blacklist viafb blacklist vt8623fb blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod