mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-02-24 21:57:55 +07:00
90 lines
2.9 KiB
Plaintext
90 lines
2.9 KiB
Plaintext
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## https://phabricator.whonix.org/T486
|
|
options nf_conntrack nf_conntrack_helper=0
|
|
|
|
# Blacklists bluetooth to reduce attack surface.
|
|
# Bluetooth also has a history of security vulnerabilities:
|
|
#
|
|
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
|
install bluetooth /bin/true
|
|
install btusb /bin/true
|
|
|
|
# Blacklist thunderbolt and firewire to prevent some DMA attacks.
|
|
install thunderbolt /bin/true
|
|
install firewire-core /bin/true
|
|
install firewire_core /bin/true
|
|
install firewire-ohci /bin/true
|
|
install firewire_ohci /bin/true
|
|
install ohci1394 /bin/true
|
|
install sbp2 /bin/true
|
|
install dv1394 /bin/true
|
|
install raw1394 /bin/true
|
|
install video1394 /bin/true
|
|
install firewire-sbp2 /bin/true
|
|
|
|
# Blacklist CPU MSRs as they can be abused to write to
|
|
# arbitrary memory.
|
|
install msr /bin/true
|
|
|
|
# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
|
#
|
|
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
|
|
#
|
|
# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
|
|
#
|
|
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
|
|
#
|
|
install dccp /bin/true
|
|
install sctp /bin/true
|
|
install rds /bin/true
|
|
install tipc /bin/true
|
|
install n-hdlc /bin/true
|
|
install ax25 /bin/true
|
|
install netrom /bin/true
|
|
install x25 /bin/true
|
|
install rose /bin/true
|
|
install decnet /bin/true
|
|
install econet /bin/true
|
|
install af_802154 /bin/true
|
|
install ipx /bin/true
|
|
install appletalk /bin/true
|
|
install psnap /bin/true
|
|
install p8023 /bin/true
|
|
install p8022 /bin/true
|
|
install can /bin/true
|
|
install atm /bin/true
|
|
|
|
# Disable uncommon file systems to reduce attack surface
|
|
install cramfs /bin/true
|
|
install freevxfs /bin/true
|
|
install jffs2 /bin/true
|
|
install hfs /bin/true
|
|
install hfsplus /bin/true
|
|
install udf /bin/true
|
|
|
|
# Disable uncommon network filesystems to reduce attack surface
|
|
install cifs /bin/true
|
|
install nfs /bin/true
|
|
install nfsv3 /bin/true
|
|
install nfsv4 /bin/true
|
|
install ksmbd /bin/true
|
|
install gfs2 /bin/true
|
|
|
|
## Blacklists the vivid kernel module as it's only required for
|
|
## testing and has been the cause of multiple vulnerabilities.
|
|
##
|
|
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
|
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
|
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
|
install vivid /bin/true
|
|
|
|
# Disable CD-ROM
|
|
install cdrom /bin/true
|
|
install sr_mod /bin/true
|
|
|
|
# Disable Intel Management Engine (ME) interface with OS
|
|
install mei /bin/true
|
|
install mei-me /bin/true
|