Update modprobe presentation

2025-01-07 05:50:41 +07:00 · 2024-07-13 23:29:52 +10:00 · 2024-07-13 23:29:52 +10:00 · 98580bb39a
commit 98580bb39a
parent f34b9d7c45
2 changed files with 28 additions and 17 deletions
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@ -11,24 +11,27 @@
 ## CD-ROM/DVD:
 ## Blacklist CD-ROM and DVD modules.
 ## Do not disable by default for potential future ISO plans.
+##
 ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
-#
+##
 blacklist cdrom
 blacklist sr_mod
-#
+##
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc

 ## Conntrack:
 ## Disable automatic conntrack helper assignment.
+##
 ## https://phabricator.whonix.org/T486
-#
+##
 options nf_conntrack nf_conntrack_helper=0

 ## Framebuffer Drivers:
+##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-#
+##
 blacklist aty128fb
 blacklist atyfb
 blacklist cirrusfb
@ -59,9 +62,10 @@ blacklist vt8623fb
 blacklist udlfb

 ## Miscellaneous:
+##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
-#
+##
 blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@ -10,24 +10,26 @@

 ## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
+##
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-#
+##
 ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
-#
+##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc

 ## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
+##
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
 ## https://github.com/Kicksecure/security-misc/issues/215
-#
+##
 #install msr /usr/bin/disabled-msr-by-security-misc

 ## File Systems:
 ## Disable uncommon file systems to reduce attack surface.
 ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
-#
+##
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
@ -37,8 +39,9 @@ install udf /usr/bin/disabled-filesys-by-security-misc

 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
+##
 ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
-#
+##
 install dv1394 /usr/bin/disabled-firewire-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
@ -51,7 +54,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc

 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
-#
+##
 install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
@ -61,14 +64,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc

 ## Intel Management Engine (ME):
 ## Partially disable the Intel ME interface with the OS.
+##
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
-#
+##
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc

 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
-#
+##
 install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
@ -78,10 +82,11 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc

 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+##
 ## https://tails.boum.org/blueprint/blacklist_modules/
 ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
-#
+##
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
 install atm /usr/bin/disabled-network-by-security-misc
@ -103,17 +108,19 @@ install tipc /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc

 ## Miscellaneous:
-#
+##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
+##
 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-#
+##
 install vivid /usr/bin/disabled-vivid-by-security-misc

 ## Thunderbolt:
 ## Disables Thunderbolt modules to prevent some DMA attacks.
+##
 ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
-#
+##
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc