## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 # Blacklists bluetooth to reduce attack surface. # Bluetooth also has a history of security vulnerabilities: # # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/true install btusb /bin/true # Blacklist thunderbolt and firewire to prevent some DMA attacks. install thunderbolt /bin/true install firewire-core /bin/true install firewire_core /bin/true install firewire-ohci /bin/true install firewire_ohci /bin/true install ohci1394 /bin/true install sbp2 /bin/true install dv1394 /bin/true install raw1394 /bin/true install video1394 /bin/true install firewire-sbp2 /bin/true # Blacklist CPU MSRs as they can be abused to write to # arbitrary memory. install msr /bin/true # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # # > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. # # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. # install dccp /bin/true install sctp /bin/true install rds /bin/true install tipc /bin/true install n-hdlc /bin/true install ax25 /bin/true install netrom /bin/true install x25 /bin/true install rose /bin/true install decnet /bin/true install econet /bin/true install af_802154 /bin/true install ipx /bin/true install appletalk /bin/true install psnap /bin/true install p8023 /bin/true install p8022 /bin/true install can /bin/true install atm /bin/true # Disable uncommon file systems to reduce attack surface install cramfs /bin/true install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install udf /bin/true # Disable uncommon network filesystems to reduce attack surface install cifs /bin/true install nfs /bin/true install nfsv3 /bin/true install nfsv4 /bin/true install ksmbd /bin/true install gfs2 /bin/true ## Blacklists the vivid kernel module as it's only required for ## testing and has been the cause of multiple vulnerabilities. ## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/true # Disable CD-ROM install cdrom /bin/true install sr_mod /bin/true # Disable Intel Management Engine (ME) interface with OS install mei /bin/true install mei-me /bin/true