diff --git a/README.md b/README.md index 9e3cbaf..6e19e2f 100644 --- a/README.md +++ b/README.md @@ -200,6 +200,10 @@ modules from starting. This approach should not be considered comprehensive; rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. +- Optional - Bluetooth: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + - File Systems: Disable uncommon and legacy file systems. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. 
@@ -207,21 +211,26 @@ disabling should first be blacklisted for a suitable amount of time. - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). -- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the - Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 +- Optional - Intel Management Engine (ME): Provides some disabling of the interface + between the Intel ME and the OS. May lead to breakages in places such as security, + power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality of the Intel PMT components. - Network File Systems: Disable uncommon and legacy network file systems. -- Network Protocols: A wide array of uncommon and legacy network protocols are disabled. +- Network Protocols: A wide array of uncommon and legacy network protocols and drivers + are disabled. - Miscellaneous: Disable an assortment of other modules such as those required for amateur radio, floppy disks, and vivid. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Optional - USB Video Device Class: Disables the USB-based video streaming driver for + devices like some webcams and digital camcorders. + ### Other - A systemd service clears the System.map file on boot as these contain kernel diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 426a0e6..d2408af 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -14,6 +14,7 @@ ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc @@ -43,7 +44,7 @@ ## File Systems: ## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc @@ -82,13 +83,14 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. -## ME functionality has increasing become more intertwined with basic system operation. -## Disabling may lead to breakages places such as security, power management, display, and DRM. +## ME functionality has increasing become more intertwined with basic Intel system operation. +## Disabling may lead to breakages in places such as security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 +## https://github.com/Kicksecure/security-misc/issues/239 ## #install mei /usr/bin/disabled-intelme-by-security-misc #install mei-gsc /usr/bin/disabled-intelme-by-security-misc 
@@ -219,11 +221,6 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## -## USB Video Device Class: -## Disables USB-based video streaming driver for devices like webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc -## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## @@ -241,3 +238,8 @@ install vivid /usr/bin/disabled-miscellaneous-by-security-misc install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
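Review bot: in the first README hunk, the new bullet "Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory." is missing its subject; suggest "Disabled as they can be abused to write to arbitrary memory." Separately, none of the modprobe.d hunks in this diff add or uncomment an entry for the MSR module, so please confirm the matching install line already exists in 30_security-misc_disable.conf, otherwise the README advertises an option the package does not provide.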
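Review bot: the second README hunk labels Intel ME and USB Video Device Class as "Optional" but still describes them in the same voice as the entries that are active by default ("Provides some disabling", "Disables the USB-based video streaming driver"); the corresponding config lines stay commented out (`#install mei ...`, `#install uvcvideo ...`), so a reader cannot tell from the README that nothing is disabled unless they edit the file. Suggest one sentence at the top of the list stating that "Optional" entries ship commented out in /etc/modprobe.d/30_security-misc_disable.conf and take effect only after the user uncomments them.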
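Review bot: in the Intel ME hunk of 30_security-misc_disable.conf, the rewritten line "ME functionality has increasing become more intertwined with basic Intel system operation." keeps the typo "increasing" (should be "increasingly"); since the line is being touched anyway, fix it in the same change.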
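Review bot: the last hunk moves the USB Video Device Class block out of the Miscellaneous section into its own heading but leaves it pointing at `/usr/bin/disabled-miscellaneous-by-security-misc`; every other standalone section in this file uses a section-specific helper (`disabled-thunderbolt-by-security-misc`, `disabled-gps-by-security-misc`, `disabled-intelme-by-security-misc`), so either point the entry at a dedicated helper script for this section or add a comment explaining why the miscellaneous one is reused.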