diff --git a/README.md b/README.md index 76ef0fe..db4fe8e 100644 --- a/README.md +++ b/README.md @@ -89,15 +89,24 @@ TLB invalidation so devices will never be able to access stale data contents. * Distrust the 'randomly' generated CPU and bootloader seeds. -### Blacklisted kernel modules +### Disables and blacklists kernel modules -Certain kernel modules are blacklisted to reduce attack surface via the +Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. * Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. +* Bluetooth is disabled to reduce attack surface. Bluetooth has +a lengthy history of security concerns. + +* Thunderbolt and numerous FireWire kernel modules are also disabled as they are +often vulnerable to DMA attacks. + +* The MSR kernel module is disabled to prevent CPU MSRs from being +abused to write to arbitrary memory. + * Uncommon network protocols are blacklisted. This includes: DCCP - Datagram Congestion Control Protocol @@ -138,17 +147,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled. ATM -* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has -a history of security concerns. - -* The Thunderbolt and FireWire kernel modules are blacklisted as they are -often vulnerable to DMA attacks. +* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. * The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is blacklisted. +of multiple vulnerabilities so it is disabled. -* The MSR kernel module is blacklisted to prevent CPU MSRs from being -abused to write to arbitrary memory. +* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. + +* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. + +* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. ### Other diff --git a/bin/disabled-bluetooth-by-security-misc b/bin/disabled-bluetooth-by-security-misc new file mode 100755 index 0000000..e708783 --- /dev/null +++ b/bin/disabled-bluetooth-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-cdrom-by-security-misc b/bin/disabled-cdrom-by-security-misc new file mode 100755 index 0000000..5057e32 --- /dev/null +++ b/bin/disabled-cdrom-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-filesys-by-security-misc b/bin/disabled-filesys-by-security-misc new file mode 100755 index 0000000..9050a8c --- /dev/null +++ b/bin/disabled-filesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-firewire-by-security-misc b/bin/disabled-firewire-by-security-misc new file mode 100755 index 0000000..5aa44e3 --- /dev/null +++ b/bin/disabled-firewire-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-intelme-by-security-misc b/bin/disabled-intelme-by-security-misc new file mode 100755 index 0000000..9c8c96c --- /dev/null +++ b/bin/disabled-intelme-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-msr-by-security-misc b/bin/disabled-msr-by-security-misc new file mode 100755 index 0000000..3cf3937 --- /dev/null +++ b/bin/disabled-msr-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-netfilesys-by-security-misc b/bin/disabled-netfilesys-by-security-misc new file mode 100755 index 0000000..0dc5672 --- /dev/null +++ b/bin/disabled-netfilesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-network-by-security-misc b/bin/disabled-network-by-security-misc new file mode 100755 index 0000000..7cb3041 --- /dev/null +++ b/bin/disabled-network-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-thunderbolt-by-security-misc b/bin/disabled-thunderbolt-by-security-misc new file mode 100755 index 0000000..bfb52e1 --- /dev/null +++ b/bin/disabled-thunderbolt-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-vivid-by-security-misc b/bin/disabled-vivid-by-security-misc new file mode 100755 index 0000000..45c14bd --- /dev/null +++ b/bin/disabled-vivid-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/changelog.upstream b/changelog.upstream index 3776ec7..ba8c92d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,218 @@ +commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 +Merge: 24d6a93 27aa523 +Author: Patrick Schleizer +Date: Fri Jul 15 08:09:16 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 +Merge: 24d6a93 a72bbb1 +Author: Patrick Schleizer +Date: Fri Jul 15 08:06:08 2022 -0400 + + Merge pull request #112 from raja-grewal/blacklist + + Corrected kernel module disabling + +commit a72bbb1883613ee56be29949c153e0edb2d72a29 +Author: Raja Grewal +Date: Wed Jul 13 23:42:13 2022 +1000 + + Corrected kerenl module disabling + +commit 24d6a93eacf5b41cfb9133471049776a16a07b03 +Author: Patrick Schleizer +Date: Wed Jul 13 08:28:34 2022 -0400 + + bumped changelog version + +commit 8f31e5d1d172eb117bde63702f63081da182d5c5 +Merge: 6aa9a94 c410890 +Author: Patrick Schleizer +Date: Wed Jul 13 07:26:58 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c410890a8ade6d4be13dc99a7003f03ebded8153 +Merge: 6aa9a94 fe0cc10 +Author: Patrick Schleizer +Date: Wed Jul 13 07:24:12 2022 -0400 + + Merge pull request #110 from raja-grewal/master + + Incorporated Ubuntu’s kernel module blacklists and more verbose errors + +commit fe0cc1089086273794bd6b54df3528ff78c10f6a +Author: Raja Grewal +Date: Tue Jul 12 17:18:47 2022 +1000 + + Updated README.md + +commit 48089e5ba43b0b72449f888b98b63119ed57e2fd +Author: Raja Grewal +Date: Tue Jul 12 17:02:12 2022 +1000 + + More verbose kernel module blocking error logs + +commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 +Author: Raja Grewal +Date: Tue Jul 12 16:58:16 2022 +1000 + + Updated comments + +commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 +Author: Raja Grewal +Date: Sun Jul 10 04:53:25 2022 +1000 + + Blacklist automatic loading of CD-ROM modules + +commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc +Author: Raja Grewal +Date: Sun Jul 10 04:52:00 2022 +1000 + + Incorporated Ubuntu’s kernel module blacklists + +commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:24 2022 -0400 + + bumped changelog version + +commit 3b844eaab25fecf90292c88291be77abf0be694c +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:11 2022 -0400 + + output + +commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:15 2022 -0400 + + output + +commit adfdac6dea0e8f971c59557b383d116cd51619fd +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:01 2022 -0400 + + output + +commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:37 2022 -0400 + + comment + +commit fede41e6e03c33f2f6569f03593f76edb9969e6a +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:04 2022 -0400 + + fix + +commit 52c46e4706d5799d452f260616a3909c9a3bc78f +Merge: 1b8500c dc41a58 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:41 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dc41a58102a114e21209aabeef9ad6b851365898 +Merge: 1b8500c e5f8004 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:57 2022 -0400 + + Merge pull request #108 from Krish-sysadmin/master + + Continue for loop if unable to change one directory's permission + +commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 +Author: Patrick Schleizer +Date: Thu Jul 7 17:41:13 2022 -0400 + + bumped changelog version + +commit 277749f27b2da8d33b70fb6f88c6757fab77e636 +Author: Patrick Schleizer +Date: Thu Jul 7 15:49:08 2022 -0400 + + genmkfile debinstfile + +commit eb8535fe870e79a5c818a38c414147819d32346d +Author: Patrick Schleizer +Date: Thu Jul 7 15:48:39 2022 -0400 + + renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc + +commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 +Author: Patrick Schleizer +Date: Thu Jul 7 15:39:40 2022 -0400 + + not blacklist CD-ROM / DVD yet + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 + +commit d5c16503411bee4199c35a51226fc59924d6e142 +Author: Patrick Schleizer +Date: Thu Jul 7 15:28:09 2022 -0400 + + shuffle + +commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 +Author: Patrick Schleizer +Date: Thu Jul 7 15:27:15 2022 -0400 + + shuffle + +commit d018bdaf73e109a61c0687a171af843c890729e0 +Merge: 1b287a6 780dc8e +Author: Patrick Schleizer +Date: Thu Jul 7 15:26:08 2022 -0400 + + Merge remote-tracking branch 'raja-gerwal/master' + +commit 780dc8eec99915a7466249e219ad59c5db5f0364 +Author: Raja Grewal +Date: Fri Jul 8 04:11:25 2022 +1000 + + replace /bin/false -> /bin/disabled-by-security-misc + +commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 +Author: Raja Grewal +Date: Fri Jul 8 03:04:37 2022 +1000 + + Updated descriptions of disabled modules + +commit da389d6682f6eb1d0c0172c50a4b529152384415 +Author: Raja Grewal +Date: Fri Jul 8 02:12:04 2022 +1000 + + Revert "replace /bin/false -> /bin/true" + + This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. + +commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb +Author: raja-grewal +Date: Thu Jul 7 09:28:30 2022 +0000 + + Update README.md + +commit f0511635a9725f79863c41a7b8d9f8a077ba8788 +Author: raja-grewal +Date: Thu Jul 7 09:27:53 2022 +0000 + + replace /bin/false -> /bin/true + +commit 18d67dbc5309a2403bece92881e671f46dc27f86 +Author: raja-grewal +Date: Thu Jul 7 09:26:55 2022 +0000 + + Blacklist more modules + +commit 1b287a6430527c762f9bf909bcda58ab52041668 +Author: Patrick Schleizer +Date: Tue Jul 5 11:16:33 2022 -0400 + + bumped changelog version + commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 Author: Patrick Schleizer Date: Tue Jul 5 11:05:36 2022 -0400 @@ -52,6 +267,12 @@ Date: Tue Jul 5 10:28:22 2022 -0400 add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` +commit e5f8004a9401727f1be2db492ea756bc19090866 +Author: Krish-sysadmin +Date: Tue Jul 5 03:37:40 2022 +0200 + + Update hide-hardware-info + commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 Author: Patrick Schleizer Date: Sat Jul 2 19:10:55 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 77c7ca1..ee79eb0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,27 @@ +security-misc (3:25.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 + +security-misc (3:25.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 + +security-misc (3:25.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 + +security-misc (3:25.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 + security-misc (3:25.0-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/security-misc.install b/debian/security-misc.install index 7445979..0d542c6 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,8 +1,9 @@ ## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## This file was generated using genmkfile 'make debinstfile'. +## This file was generated using 'genmkfile debinstfile'. +bin/* etc/* lib/* usr/* diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 7f177e6..48d5b25 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,60 +1,145 @@ ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## See the following links for a community discussion and overview regarding the selections +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Disable automatic conntrack helper assignment ## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false +## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +install bluetooth /bin/disabled-bluetooth-by-security-misc +install btusb /bin/disabled-bluetooth-by-security-misc -# Blacklist thunderbolt and firewire to prevent some DMA attacks. -install firewire-core /bin/false -install thunderbolt /bin/false +## Disable thunderbolt and firewire modules to prevent some DMA attacks +install thunderbolt /bin/disabled-thunderbolt-by-security-misc +install firewire-core /bin/disabled-firewire-by-security-misc +install firewire_core /bin/disabled-firewire-by-security-misc +install firewire-ohci /bin/disabled-firewire-by-security-misc +install firewire_ohci /bin/disabled-firewire-by-security-misc +install firewire_sbp2 /bin/disabled-firewire-by-security-misc +install firewire-sbp2 /bin/disabled-firewire-by-security-misc +install ohci1394 /bin/disabled-firewire-by-security-misc +install sbp2 /bin/disabled-firewire-by-security-misc +install dv1394 /bin/disabled-firewire-by-security-misc +install raw1394 /bin/disabled-firewire-by-security-misc +install video1394 /bin/disabled-firewire-by-security-misc -# Blacklist CPU MSRs as they can be abused to write to -# arbitrary memory. -install msr /bin/false +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +install msr /bin/disabled-msr-by-security-misc -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false -install can /bin/false -install atm /bin/false +## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +install dccp /bin/disabled-network-by-security-misc +install sctp /bin/disabled-network-by-security-misc +install rds /bin/disabled-network-by-security-misc +install tipc /bin/disabled-network-by-security-misc +install n-hdlc /bin/disabled-network-by-security-misc +install ax25 /bin/disabled-network-by-security-misc +install netrom /bin/disabled-network-by-security-misc +install x25 /bin/disabled-network-by-security-misc +install rose /bin/disabled-network-by-security-misc +install decnet /bin/disabled-network-by-security-misc +install econet /bin/disabled-network-by-security-misc +install af_802154 /bin/disabled-network-by-security-misc +install ipx /bin/disabled-network-by-security-misc +install appletalk /bin/disabled-network-by-security-misc +install psnap /bin/disabled-network-by-security-misc +install p8023 /bin/disabled-network-by-security-misc +install p8022 /bin/disabled-network-by-security-misc +install can /bin/disabled-network-by-security-misc +install atm /bin/disabled-network-by-security-misc -# Disable uncommon filesystems to reduce attack surface -install cramfs /bin/false -install udf /bin/false +## Disable uncommon file systems to reduce attack surface +install cramfs /bin/disabled-filesys-by-security-misc +install freevxfs /bin/disabled-filesys-by-security-misc +install jffs2 /bin/disabled-filesys-by-security-misc +install hfs /bin/disabled-filesys-by-security-misc +install hfsplus /bin/disabled-filesys-by-security-misc +install udf /bin/disabled-filesys-by-security-misc -## Blacklists the vivid kernel module as it's only required for -## testing and has been the cause of multiple vulnerabilities. -## +## Disable uncommon network file systems to reduce attack surface +install cifs /bin/disabled-netfilesys-by-security-misc +install nfs /bin/disabled-netfilesys-by-security-misc +install nfsv3 /bin/disabled-netfilesys-by-security-misc +install nfsv4 /bin/disabled-netfilesys-by-security-misc +install ksmbd /bin/disabled-netfilesys-by-security-misc +install gfs2 /bin/disabled-netfilesys-by-security-misc + +## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/false +install vivid /bin/disabled-vivid-by-security-misc + +## Disable Intel Management Engine (ME) interface with the OS +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +install mei /bin/disabled-intelme-by-security-misc +install mei-me /bin/disabled-intelme-by-security-misc + +## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +blacklist ath_pci + +## Blacklist automatic loading of miscellaneous modules +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +## Blacklist automatic loading of framebuffer drivers +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +blacklist aty128fb +blacklist atyfb +#blacklist radeonfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +#blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_bases +blacklist neofb +#blacklist nvidiafb +blacklist pm2fb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +#blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +## Disable CD-ROM devices +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +#install cdrom /bin/disabled-cdrom-by-security-misc +#install sr_mod /bin/disabled-cdrom-by-security-misc +blacklist cdrom +blacklist sr_mod diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 4d1c8ca..6719b37 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,22 +80,24 @@ do fi done -## https://www.whonix.org/wiki/Security-misc#selinux -## ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed for i in /sys/* /sys/fs/* do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" + chmod o-rwx "${i}" || true else - chmod og-rwx "${i}" + chmod og-rwx "${i}" || true fi done chmod o+rx /sys /sys/fs /sys/fs/selinux