## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install btusb /usr/bin/disabled-bluetooth-by-security-misc ## CPU Model-Specific Registers (MSRs): ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 ## #install msr /usr/bin/disabled-msr-by-security-misc ## File Systems: ## Disable uncommon file systems to reduce attack surface. ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. ## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues ## install dv1394 /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc install gnss-sirf /usr/bin/disabled-gps-by-security-misc install gnss-ubx /usr/bin/disabled-gps-by-security-misc install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## install cifs /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco ## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc install can /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc install p8022 /usr/bin/disabled-network-by-security-misc install p8023 /usr/bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc install rds /usr/bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc install tipc /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc ## Miscellaneous: ## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## install vivid /usr/bin/disabled-vivid-by-security-misc ## Thunderbolt: ## Disables Thunderbolt modules to prevent some DMA attacks. ## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities ## install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc