From 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 10 Jul 2022 04:52:00 +1000
Subject: [PATCH] =?UTF-8?q?Incorporated=20Ubuntu=E2=80=99s=20kernel=20modu?=
 =?UTF-8?q?le=20blacklists?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++++++++++++----
 1 file changed, 65 insertions(+), 11 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 42da9b5..2b6894a 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -5,32 +5,33 @@
 # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
 
-# Blacklist automatic conntrack helper assignment
+# Disable automatic conntrack helper assignment
 # https://phabricator.whonix.org/T486
 options nf_conntrack nf_conntrack_helper=0
 
-# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities
+# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/disabled-by-security-misc
 install btusb /bin/disabled-by-security-misc
 
-# Blacklist thunderbolt and firewire modules to prevent some DMA attacks
+# Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/disabled-by-security-misc
 install firewire-core /bin/disabled-by-security-misc
 install firewire_core /bin/disabled-by-security-misc
 install firewire-ohci /bin/disabled-by-security-misc
 install firewire_ohci /bin/disabled-by-security-misc
+install firewire_sbp2 /bin/disabled-by-security-misc
+install firewire-sbp2 /bin/disabled-by-security-misc
 install ohci1394 /bin/disabled-by-security-misc
 install sbp2 /bin/disabled-by-security-misc
 install dv1394 /bin/disabled-by-security-misc
 install raw1394 /bin/disabled-by-security-misc
 install video1394 /bin/disabled-by-security-misc
-install firewire-sbp2 /bin/disabled-by-security-misc
 
-# Blacklist CPU MSRs as they can be abused to write to arbitrary memory.
+# Disable CPU MSRs as they can be abused to write to arbitrary memory.
 install msr /bin/disabled-by-security-misc
 
-# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
 # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
 #
@@ -58,7 +59,7 @@
 install p8022 /bin/disabled-by-security-misc
 install can /bin/disabled-by-security-misc
 install atm /bin/disabled-by-security-misc
-# Blacklist uncommon file systems to reduce attack surface
+# Disable uncommon file systems to reduce attack surface
 install cramfs /bin/disabled-by-security-misc
 install freevxfs /bin/disabled-by-security-misc
 install jffs2 /bin/disabled-by-security-misc
@@ -66,7 +67,7 @@
 install hfs /bin/disabled-by-security-misc
 install hfsplus /bin/disabled-by-security-misc
 install udf /bin/disabled-by-security-misc
-# Blacklist uncommon network file systems to reduce attack surface
+# Disable uncommon network file systems to reduce attack surface
 install cifs /bin/disabled-by-security-misc
 install nfs /bin/disabled-by-security-misc
 install nfsv3 /bin/disabled-by-security-misc
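Review bot: `install firewire_sbp2` and `install firewire-sbp2`, added as a pair in the first hunk (@@ -5,32), target the same module twice, since modprobe treats dashes and underscores in module names as interchangeable and one spelling already covers both. The file already lists both spellings for `firewire-core`/`firewire_core` and `firewire-ohci`/`firewire_ohci`, so the new pair follows house style and is harmless. If the duplicates are kept on purpose, a one-line comment such as `# dash and underscore spellings are listed together on purpose; modprobe treats them as the same module` would spare the next reader from checking which line takes effect.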
@@ -74,18 +75,71 @@
 install nfsv4 /bin/disabled-by-security-misc
 install ksmbd /bin/disabled-by-security-misc
 install gfs2 /bin/disabled-by-security-misc
-# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
 # https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 # https://www.openwall.com/lists/oss-security/2019/11/02/1
 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/disabled-by-security-misc
 
-# Blacklist Intel Management Engine (ME) interface with the OS
+# Disable Intel Management Engine (ME) interface with the OS
 # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/disabled-by-security-misc
 install mei-me /bin/disabled-by-security-misc
 
-# Blacklist CD-ROM devices
+# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
+# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+blacklist ath_pci
+
+# Blacklist automatic loading of miscellaneous modules
+# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+blacklist evbug
+blacklist usbmouse
+blacklist usbkbd
+blacklist eepro100
+blacklist de4x5
+blacklist eth1394
+blacklist snd_intel8x0m
+blacklist snd_aw2
+blacklist prism54
+blacklist bcm43xx
+blacklist garmin_gps
+blacklist asus_acpi
+blacklist snd_pcsp
+blacklist pcspkr
+blacklist amd76x_edac
+
+# Blacklist automatic loading of framebuffer drivers
+# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+blacklist aty128fb
+blacklist atyfb
+# blacklist radeonfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+# blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_base
+blacklist neofb
+# blacklist nvidiafb
+blacklist pm2fb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+# blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+# Disable CD-ROM devices
 # https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
 #install cdrom /bin/disabled-by-security-misc
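Review bot: The `blacklist` directives added from `blacklist ath_pci` through `blacklist udlfb` give a weaker guarantee than the rest of this file, and nothing in the hunk says so: `blacklist` only suppresses automatic, alias-based loading (hotplug/udev), while an explicit `modprobe` or a load pulled in as a dependency of another module still succeeds, whereas the `install <module> /bin/disabled-by-security-misc` lines block every load path. The new section headers' "Blacklist automatic loading of …" wording hints at this, and the renaming of the older headers from "Blacklist" to "Disable" in this same commit suggests the author is aware of it, but a reader skimming for attack-surface reductions will not pick up the distinction; I would add, ahead of the `ath_pci` section, `# Note: the 'blacklist' entries below only stop automatic (alias-based) loading; unlike the 'install ... /bin/disabled-by-security-misc' lines above they do not prevent explicit loading or loading as a dependency.` As far as I recall, the three Ubuntu kmod files linked here justify their entries on compatibility grounds (drivers superseded by others, hardware quirks, framebuffer drivers that break suspend) rather than security, so the comments should not be read as claiming an attack-surface benefit the upstream source does not make. The URLs also pin `?h=ubuntu/disco`, an end-of-life release branch, so the references may go stale; pointing at a specific commit would be more durable.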