## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules ## Disable automatic conntrack helper assignment ## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/disabled-bluetooth-by-security-misc install btusb /bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-thunderbolt-by-security-misc install firewire-core /bin/disabled-firewire-by-security-misc install firewire_core /bin/disabled-firewire-by-security-misc install firewire-ohci /bin/disabled-firewire-by-security-misc install firewire_ohci /bin/disabled-firewire-by-security-misc install firewire_sbp2 /bin/disabled-firewire-by-security-misc install firewire-sbp2 /bin/disabled-firewire-by-security-misc install ohci1394 /bin/disabled-firewire-by-security-misc install sbp2 /bin/disabled-firewire-by-security-misc install dv1394 /bin/disabled-firewire-by-security-misc install raw1394 /bin/disabled-firewire-by-security-misc install video1394 /bin/disabled-firewire-by-security-misc ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode install msr /bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. install dccp /bin/disabled-network-by-security-misc install sctp /bin/disabled-network-by-security-misc install rds /bin/disabled-network-by-security-misc install tipc /bin/disabled-network-by-security-misc install n-hdlc /bin/disabled-network-by-security-misc install ax25 /bin/disabled-network-by-security-misc install netrom /bin/disabled-network-by-security-misc install x25 /bin/disabled-network-by-security-misc install rose /bin/disabled-network-by-security-misc install decnet /bin/disabled-network-by-security-misc install econet /bin/disabled-network-by-security-misc install af_802154 /bin/disabled-network-by-security-misc install ipx /bin/disabled-network-by-security-misc install appletalk /bin/disabled-network-by-security-misc install psnap /bin/disabled-network-by-security-misc install p8023 /bin/disabled-network-by-security-misc install p8022 /bin/disabled-network-by-security-misc install can /bin/disabled-network-by-security-misc install atm /bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface install cramfs /bin/disabled-filesys-by-security-misc install freevxfs /bin/disabled-filesys-by-security-misc install jffs2 /bin/disabled-filesys-by-security-misc install hfs /bin/disabled-filesys-by-security-misc install hfsplus /bin/disabled-filesys-by-security-misc install udf /bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface install cifs /bin/disabled-netfilesys-by-security-misc install nfs /bin/disabled-netfilesys-by-security-misc install nfsv3 /bin/disabled-netfilesys-by-security-misc install nfsv4 /bin/disabled-netfilesys-by-security-misc install ksmbd /bin/disabled-netfilesys-by-security-misc install gfs2 /bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/disabled-intelme-by-security-misc install mei-me /bin/disabled-intelme-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci ## Blacklist automatic loading of miscellaneous modules ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco blacklist evbug blacklist usbmouse blacklist usbkbd blacklist eepro100 blacklist de4x5 blacklist eth1394 blacklist snd_intel8x0m blacklist snd_aw2 blacklist prism54 blacklist bcm43xx blacklist garmin_gps blacklist asus_acpi blacklist snd_pcsp blacklist pcspkr blacklist amd76x_edac ## Blacklist automatic loading of framebuffer drivers ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco blacklist aty128fb blacklist atyfb #blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb blacklist gx1fb blacklist hgafb blacklist i810fb #blacklist intelfb blacklist kyrofb blacklist lxfb blacklist matroxfb_bases blacklist neofb #blacklist nvidiafb blacklist pm2fb blacklist rivafb blacklist s1d13xxxfb blacklist savagefb blacklist sisfb blacklist sstfb blacklist tdfxfb blacklist tridentfb #blacklist vesafb blacklist vfb blacklist viafb blacklist vt8623fb blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-cdrom-by-security-misc #install sr_mod /bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod