mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00

Merge branch 'Kicksecure:master' into kspp_compliance

commit 9dbd200be4

70 README.md
@ -12,10 +12,9 @@ many more sources.
### sysctl
sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
configuration file.
configuration file and significant hardening is applied to a myriad of components.
Significant hardening is applied by default to a myriad of components within kernel
space, user space, core dumps, and swap space.
Kernel space:
- Restrict access to kernel addresses through the use of kernel pointers regardless
of user privileges.
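Review bot: The new "Kernel space:" label appears to follow the sentence ending "core dumps, and swap space." with no blank line in between; in Markdown a line without a preceding blank line is appended to the paragraph, so it would render as "...swap space. Kernel space:" instead of as a label above the list. Put a blank line before this label (and before the other "X:" labels added in this file) so they render as intended.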
@ -38,7 +37,7 @@ space, user space, core dumps, and swap space.
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
privilege escalation.
privilege escalation. Optional - Disable all use of user namespaces.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
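Review bot: "Optional - Disable all use of user namespaces." tells the reader neither how the option is enabled nor what it costs. The sysctl file in this same change implements it as a commented-out `user.max_user_namespaces=0` and warns that disabling entirely reduces compatibility with some AppArmor profiles; the README bullet should carry at least that caveat and point at `/usr/lib/sysctl.d/990-security-misc.conf`, since the "Optional" items otherwise do not say where they are switched on.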
@ -51,6 +50,8 @@ space, user space, core dumps, and swap space.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
the source of numerous kernel exploits.
User space:
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Optional - Disable
usage of `ptrace()` by all processes.
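Review bot: "Disable asynchronous I/O" overstates what this setting does: the bullet itself ties it to `io_uring` and kernel >= 6.6, and other asynchronous I/O interfaces are unaffected, so "Disable `io_uring`" would be the accurate wording for the context line.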
@ -69,12 +70,14 @@ space, user space, core dumps, and swap space.
- Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution.
Core dumps:
- Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`.
- Limit the copying of potentially sensitive content in memory to the swap device.
Various networking components of the TCP/IP stack are hardened for IPv4/6.
Networking:
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
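Review bot: The swap bullet ("Limit the copying of potentially sensitive content in memory to the swap device.") ends up under the new "Core dumps:" label, although the section intro lists "core dumps, and swap space" as separate areas; either add a "Swap space:" label before it or widen the label. Also check that a blank line separates "Various networking components of the TCP/IP stack are hardened for IPv4/6." from the "Networking:" label, otherwise Markdown joins them into one paragraph.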
@ -105,13 +108,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Optional - Enable IPv6 Privacy Extensions.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Boot parameters
Mitigations for known CPU vulnerabilities are enabled in their strictest form
@ -122,6 +118,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
configuration file.
Kernel space:
- Disable merging of slabs with similar size, which reduces the risk of
triggering heap overflows and limits influencing slab cache layout.
@ -165,20 +163,33 @@ configuration file.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware.
Entropy:
- Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized.
Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Kernel Modules
#### Kernel Module Signature Verification
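Review bot: "Disable support for all x86 processes and syscalls" reads as if 64-bit x86 were included; if this is the kernel's 32-bit compatibility layer (the bullet names kernel >= 6.7), it should say "32-bit x86 (ia32) processes and syscalls". In the new Entropy list, not crediting the CPU and bootloader as entropy sources does not "maximize the absolute quantity of entropy in the combined pool": those inputs are still mixed in, they are just not counted toward the pool being considered initialized, so the sentence should say that the pool is not treated as seeded by sources the system cannot audit.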
@ -224,17 +235,12 @@ modules from starting. This approach should not be considered comprehensive;
rather, it is a form of badness enumeration. Any potential candidates for future
disabling should first be blacklisted for a suitable amount of time.
Hardware modules:
- Optional - Bluetooth: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- File Systems: Disable uncommon and legacy file systems.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- GPS: Disable GPS-related modules such as those required for Global Navigation
Satellite Systems (GNSS).
@ -245,20 +251,38 @@ disabling should first be blacklisted for a suitable amount of time.
- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
of the Intel PMT components.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
File system modules:
- File Systems: Disable uncommon and legacy file systems.
- Network File Systems: Disable uncommon and legacy network file systems.
Networking modules:
- Network Protocols: A wide array of uncommon and legacy network protocols and drivers
are disabled.
- Miscellaneous: Disable an assortment of other modules such as those required
for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
have been entirely replaced by newer drivers.
Miscellaneous modules:
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
- Amateur Radios: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- Floppy Disks: Disabled to reduce attack surface.
- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
superseded by newer drivers.
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
devices like some webcams and digital camcorders.
- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
### Other
- A systemd service clears the System.map file on boot as these contain kernel
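Review bot: Two bullets being relocated here carry grammar slips worth fixing on the way: "Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory." is missing "they" ("as they can be abused"), and "Thunderbolt: Disabled as they are often vulnerable to DMA attacks." has no plural antecedent for "they" (the FireWire bullet has the same problem); "as these interfaces are often vulnerable" reads cleanly. The list also mixes "Disabled", "Disables" and "Disable" as the verb form; pick one for the whole module list.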
@ -1,3 +1,93 @@
commit 500568e322b2e3623fc649209d671c7b9d9fa097
Merge: 43d13b7 73900b5
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 11:01:58 2024 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 73900b59db37d77bc24bd5088aae3cc760aacc69
Merge: 43d13b7 1f51d4e
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 11:00:51 2024 -0400
Merge pull request #263 from raja-grewal/max_user_namespaces
Provide option to disable user namespaces
commit 43d13b70f12d2198a800054ce4d1ff901cc474f9
Merge: 8353764 fae586c
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 10:55:52 2024 -0400
Merge remote-tracking branch 'raja/syntax'
commit 835376418d616699023f8e638666f43d34241863
Merge: ae85fd5 342caf8
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 10:48:25 2024 -0400
Merge remote-tracking branch 'raja/mod'
commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 14:33:40 2024 +0000
bumped changelog version
commit 433b15f985545f531b87d09659bbbb89993b5a67
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:51:51 2024 +1000
README.md: Organise `sysctl`s
commit af87a84b4f40b2ad9ac05dd9bce837665f239454
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:52:48 2024 +1000
README.md: Organise kernel boot parameters
commit 342caf82b20acc2931563449fafe9a98cbedaba2
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:52:48 2024 +1000
README.md: Organise kernel boot parameters
commit b87a18d4050bbf2add5cc4920684876a440e65bb
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:51:51 2024 +1000
README.md: Organise `sysctl`s
commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:50:14 2024 +1000
Refactor modprobe.d to minimise potential future merge conflicts
commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d
Author: Raja Grewal <rg_public@proton.me>
Date: Sun Aug 18 13:53:11 2024 +1000
Add details on user namespaces
commit 759aee8150a2d1258d73217c071b25432d47496f
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 22:54:57 2024 +1000
Provide option to disable user namespaces
commit fae586c3c5e8382ca01c60f810b26d88189a5514
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 19:23:48 2024 +1000
Patch bug in existing `rp_filter` `sysctl`
commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Aug 16 08:38:12 2024 +0000
bumped changelog version
commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b
Merge: 12296c6 305467c
Author: Patrick Schleizer <adrelanos@whonix.org>
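Review bot: Two commits each appear twice under different hashes with identical messages and timestamps: "README.md: Organise `sysctl`s" as 433b15f and b87a18d (both Wed Aug 21 12:51:51 2024 +1000) and "README.md: Organise kernel boot parameters" as af87a84 and 342caf8 (both 12:52:48). The same patches were merged once via 'raja/mod' and once via 'raja/syntax' (the two "Merge remote-tracking branch" commits above them), so the history now carries the changes twice; harmless if this log file is regenerated rather than hand-edited, but the contributor branches should be rebased onto each other before the next merge so the duplication stops here.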
@ -70,6 +160,12 @@ Date: Fri Aug 16 13:12:07 2024 +1000
Typos
commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 12:46:51 2024 +1000
Simplify syntax of some network-related `sysctl`'s
commit e3a3207a4447568a17129afe9dde34debc465e21
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 12:41:36 2024 +1000
12 debian/changelog vendored
@ -1,3 +1,15 @@
security-misc (3:39.2-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 25 Aug 2024 15:34:54 +0000
security-misc (3:39.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 25 Aug 2024 14:33:39 +0000
security-misc (3:39.0-1) unstable; urgency=medium
* New upstream version (local package).
@ -22,7 +22,7 @@ blacklist sr_mod
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Miscellaneous:
##
## GrapheneOS:
## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted.
@ -39,7 +39,7 @@ blacklist snd_intel8x0
#blacklist tls
#blacklist virtio_balloon
#blacklist virtio_console
##
## Ubuntu:
## Already disabled modules have been omitted.
##
@ -8,6 +8,14 @@
## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.
## This configuration file is split into 4 sections:
## 1. Hardware
## 2. File Systems
## 3. Networking
## 4. Miscellaneous
## 1. Hardware:
## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
##
@ -34,27 +42,6 @@
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## FireWire (IEEE 1394):
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
##
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Global Positioning Systems (GPS):
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
##
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## 2. File Systems:
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## Network File Systems:
## Disable uncommon network file systems to reduce attack surface.
##
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
## 2. Networking:
## Network Protocols:
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## Previously had blacklisted eepro100 and eth1394.
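Review bot: `## 2. Networking:` is mis-numbered: the index added at the top of this file lists "1. Hardware, 2. File Systems, 3. Networking, 4. Miscellaneous", and `## 2. File Systems:` already appears above this hunk, so this header should read `## 3. Networking:`.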
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install sctp_diag /usr/bin/disabled-network-by-security-misc
## Miscellaneous:
##
## 4. Miscellaneous:
## Amateur Radios:
##
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## Floppy Disks:
##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## Replaced:
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Replaced Modules:
## These legacy drivers have all been entirely replaced and superseded by newer drivers.
## These were all previously blacklisted.
##
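Review bot: The new "Amateur Radios:" and "Floppy Disks:" blocks have an empty comment header (a bare `##`) before their `install` lines, unlike every other block in this file, which states a reason and usually a reference. Add a one-line rationale matching the README wording ("Disabled to reduce attack surface."), since this file is where a user will look when a module unexpectedly fails to load.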
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
##
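Review bot: `#install uvcvideo ...` is shipped commented out, but nothing in the block says so; the sysctl file in this same change marks its opt-in entries with a "... is currently disabled" line, and the README calls this item "Optional". Add the same kind of line here (and to the `#install msr` block moved earlier in this file) so a reader of the file alone knows the driver is not disabled by default and that uncommenting is the intended way to opt in.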
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
##
install vivid /usr/bin/disabled-miscellaneous-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
@ -114,11 +114,20 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages.
## Uncomment the second sysctl to entirely disable user namespaces.
## Disabling entirely will reduce compatibility with some AppArmor profiles.
##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/Kicksecure/security-misc/pull/263
##
## KSPP=partial
## KSPP sets the stricter sysctl user.max_user_namespaces=0.
##
kernel.unprivileged_userns_clone=0
#user.max_user_namespaces=0
## Restricts kernel profiling to users with CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.
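Review bot: `kernel.unprivileged_userns_clone` is not a mainline kernel sysctl; it exists only on kernels carrying the Debian/Ubuntu patch, and on a stock kernel the key is absent, so at apply time systemd-sysctl logs an error for this line and skips it, leaving `user.max_user_namespaces` (which is mainline) as the only effective control. A comment next to `## KSPP=partial` stating that dependency would save the next reader a debugging session. The "Uncomment the second sysctl" line should also say that `user.max_user_namespaces=0` is a hard per-user limit that stops privileged (`CAP_SYS_ADMIN`) processes from creating user namespaces as well, which is what the README's "Disable all use" means.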
@ -353,13 +362,15 @@ net.ipv4.tcp_rfc1337=1
## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
## The second "default" command fixes a bug in the existing kernel implementation.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122
## https://github.com/Kicksecure/security-misc/pull/261
##
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.*.rp_filter=1
net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
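Review bot: "The second "default" command fixes a bug in the existing kernel implementation." is too vague to be useful: it should say what the bug is and why this key goes back to explicit `all`/`default` keys while the rest of this file is converted to the `net.ipv4.conf.*` glob form in the same change. For `rp_filter` the kernel uses the maximum of `conf/all` and `conf/<interface>`, so `all=1` already enforces strict mode on every interface and `default=1` only sets the starting value for interfaces created later; if the glob was dropped because of how it interacts with that, say so in the comment and cite the pull request that found it rather than "a bug".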
@ -373,14 +384,10 @@ net.ipv4.conf.default.rp_filter=1
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=1
#net.ipv4.conf.default.secure_redirects=1
net.ipv4.conf.*.accept_redirects=0
net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0
#net.ipv4.conf.*.secure_redirects=1
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
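Review bot: The `net.ipv4.conf.*` / `net.ipv6.conf.*` wildcard is expanded by the program that applies the file, not by the kernel, so this rewrite relies on systemd-sysctl (which documents glob support in sysctl.d(5)); anyone re-applying the file with a tool that does not expand globs would silently get none of these keys set. A one-line comment at the first wildcard use in this file noting that dependency, and that the glob also matches `all` and `default` (so interfaces created after boot are still covered), would keep a future "simplification" from breaking coverage.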
@ -400,15 +407,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
##
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.conf.*.accept_source_route=0
net.ipv6.conf.*.accept_source_route=0
## Do not accept IPv6 router advertisements and solicitations.
##
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.*.accept_ra=0
## Disable SACK and DSACK.
## Select acknowledgements (SACKs) are a known common vector of exploitation.
@ -451,8 +455,7 @@ net.ipv4.tcp_timestamps=0
##
## The logging of martian packets is currently disabled.
##
#net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
#net.ipv4.conf.*.log_martians=1
## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source for all outgoing traffic.
@ -468,5 +471,4 @@ net.ipv4.tcp_timestamps=0
##
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
##
#net.ipv6.conf.all.use_tempaddr=2
#net.ipv6.conf.default.use_tempaddr=2
#net.ipv6.conf.*.use_tempaddr=2