security-misc/etc/modprobe.d/30_security-misc.conf
2024-05-11 13:18:36 +10:00

160 lines
7.3 KiB
Plaintext

## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## See the following links for a community discussion and overview regarding the selections
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
## Disable automatic conntrack helper assignment
## https://phabricator.whonix.org/T486
options nf_conntrack nf_conntrack_helper=0
## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
#
## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
#
# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
# install btusb /usr/bin/disabled-bluetooth-by-security-misc
## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install firewire-core /usr/bin/disabled-firewire-by-security-misc
install firewire_core /usr/bin/disabled-firewire-by-security-misc
install firewire-net /usr/bin/disabled-firewire-by-security-misc
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
install ohci1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc
install dv1394 /usr/bin/disabled-firewire-by-security-misc
install raw1394 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
#install msr /usr/bin/disabled-msr-by-security-misc
## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
install dccp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install rds /usr/bin/disabled-network-by-security-misc
install tipc /usr/bin/disabled-network-by-security-misc
install n-hdlc /usr/bin/disabled-network-by-security-misc
install ax25 /usr/bin/disabled-network-by-security-misc
install netrom /usr/bin/disabled-network-by-security-misc
install x25 /usr/bin/disabled-network-by-security-misc
install rose /usr/bin/disabled-network-by-security-misc
install decnet /usr/bin/disabled-network-by-security-misc
install econet /usr/bin/disabled-network-by-security-misc
install af_802154 /usr/bin/disabled-network-by-security-misc
install ipx /usr/bin/disabled-network-by-security-misc
install appletalk /usr/bin/disabled-network-by-security-misc
install psnap /usr/bin/disabled-network-by-security-misc
install p8023 /usr/bin/disabled-network-by-security-misc
install p8022 /usr/bin/disabled-network-by-security-misc
install can /usr/bin/disabled-network-by-security-misc
install atm /usr/bin/disabled-network-by-security-misc
## Disable uncommon file systems to reduce attack surface
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## Disable uncommon network file systems to reduce attack surface
install cifs /usr/bin/disabled-netfilesys-by-security-misc
install nfs /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
install vivid /usr/bin/disabled-vivid-by-security-misc
## Disable Intel Management Engine (ME) interface with the OS
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
install mei /usr/bin/disabled-intelme-by-security-misc
install mei-me /usr/bin/disabled-intelme-by-security-misc
# Disable GPS modules like GNSS (Global Navigation Satellite System)
install gnss /usr/bin/disabled-gps-by-security-misc
install gnss-mtk /usr/bin/disabled-gps-by-security-misc
install gnss-serial /usr/bin/disabled-gps-by-security-misc
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
install gnss-usb /usr/bin/disabled-gps-by-security-misc
install gnss-ubx /usr/bin/disabled-gps-by-security-misc
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
blacklist ath_pci
## Blacklist automatic loading of miscellaneous modules
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
blacklist evbug
blacklist usbmouse
blacklist usbkbd
blacklist eepro100
blacklist de4x5
blacklist eth1394
blacklist snd_intel8x0m
blacklist snd_aw2
blacklist prism54
blacklist bcm43xx
blacklist garmin_gps
blacklist asus_acpi
blacklist snd_pcsp
blacklist pcspkr
blacklist amd76x_edac
## Blacklist automatic loading of framebuffer drivers
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist cyblafb
blacklist gx1fb
blacklist hgafb
blacklist i810fb
blacklist intelfb
blacklist kyrofb
blacklist lxfb
blacklist matroxfb_bases
blacklist neofb
blacklist nvidiafb
blacklist pm2fb
blacklist rivafb
blacklist s1d13xxxfb
blacklist savagefb
blacklist sisfb
blacklist sstfb
blacklist tdfxfb
blacklist tridentfb
blacklist vesafb
blacklist vfb
blacklist viafb
blacklist vt8623fb
blacklist udlfb
## Disable CD-ROM devices
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
blacklist cdrom
blacklist sr_mod