## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 # Blacklists bluetooth to reduce attack surface. # Bluetooth also has a history of security vulnerabilities: # # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/false install btusb /bin/false # Blacklist thunderbolt and firewire to prevent some DMA attacks. install firewire-core /bin/false install thunderbolt /bin/false # Blacklist CPU MSRs as they can be abused to write to # arbitrary memory. install msr /bin/false # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # # > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. # # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. # install dccp /bin/false install sctp /bin/false install rds /bin/false install tipc /bin/false install n-hdlc /bin/false install ax25 /bin/false install netrom /bin/false install x25 /bin/false install rose /bin/false install decnet /bin/false install econet /bin/false install af_802154 /bin/false install ipx /bin/false install appletalk /bin/false install psnap /bin/false install p8023 /bin/false install p8022 /bin/false install can /bin/false install atm /bin/false # Disable uncommon filesystems to reduce attack surface install cramfs /bin/false install udf /bin/false ## Blacklists the vivid kernel module as it's only required for ## testing and has been the cause of multiple vulnerabilities. ## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/false