diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 03d902e..422fcd0 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,17 +1,20 @@ ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://phabricator.whonix.org/T486 +# See the following links for a community discussion and overview regarding the selections +# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +# Blacklist automatic conntrack helper assignment +# https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# +# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/false install btusb /bin/false -# Blacklist thunderbolt and firewire to prevent some DMA attacks. +# Blacklist thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/false install firewire-core /bin/false install firewire_core /bin/false @@ -24,11 +27,10 @@ install raw1394 /bin/false install video1394 /bin/false install firewire-sbp2 /bin/false -# Blacklist CPU MSRs as they can be abused to write to -# arbitrary memory. +# Blacklist CPU MSRs as they can be abused to write to arbitrary memory. install msr /bin/false -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # @@ -56,7 +58,7 @@ install p8022 /bin/false install can /bin/false install atm /bin/false -# Disable uncommon file systems to reduce attack surface +# Blacklist uncommon file systems to reduce attack surface install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false @@ -64,7 +66,7 @@ install hfs /bin/false install hfsplus /bin/false install udf /bin/false -# Disable uncommon network filesystems to reduce attack surface +# Blacklist uncommon network file systems to reduce attack surface install cifs /bin/false install nfs /bin/false install nfsv3 /bin/false @@ -72,18 +74,18 @@ install nfsv4 /bin/false install ksmbd /bin/false install gfs2 /bin/false -## Blacklists the vivid kernel module as it's only required for -## testing and has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +# https://www.openwall.com/lists/oss-security/2019/11/02/1 +# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/false -# Disable CD-ROM +# Blacklist CD-ROM devices +# https://nvd.nist.gov/vuln/detail/CVE-2018-11506 install cdrom /bin/false install sr_mod /bin/false -# Disable Intel Management Engine (ME) interface with OS +# Blacklist Intel Management Engine (ME) interface with the OS +# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/false install mei-me /bin/false