security-misc/etc/modprobe.d/30_security-misc.conf
Patrick Schleizer 2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00

61 lines
2.2 KiB
Plaintext

## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://phabricator.whonix.org/T486
options nf_conntrack nf_conntrack_helper=0
# Blacklists bluetooth to reduce attack surface.
# Bluetooth also has a history of security vulnerabilities:
#
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/false
install btusb /bin/false
# Blacklist thunderbolt and firewire to prevent some DMA attacks.
install firewire-core /bin/false
install thunderbolt /bin/false
# Blacklist CPU MSRs as they can be abused to write to
# arbitrary memory.
install msr /bin/false
# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
#
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
#
# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
#
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
#
install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false
# Disable uncommon filesystems to reduce attack surface
install cramfs /bin/false
install udf /bin/false
## Blacklists the vivid kernel module as it's only required for
## testing and has been the cause of multiple vulnerabilities.
##
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
install vivid /bin/false