Open MikeHorn-git opened 1 month ago
Hello, thanks for your suggestions. Many of these seem certainly very actionable.
However. given the number of modules to be disabled, it may take some time to review.
Have you tested all these settings on Kicksecure yourself to ensure none of them cause any breakages for you?
Note: Some discussion may or may not occur on the Whonix forums.
The list needs to be more readable for example:
# Digital Video Broadcasting
install dvb_core /bin/true # Core module for DVB devices : https://www.kernel.org/doc/html/v4.9/media/kapi/dtv-core.html
install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset
install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset
install dvb_usb_v2 /bin/true # Newer DVB USB framework
install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver
install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver
install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver
# Point-to-Point Protocols
install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections
install ppp_deflate /bin/true # Compression module for PPP
install ppp_generic /bin/true # Generic PPP support
install pppoe /bin/true # PPP over Ethernet
install pppox /bin/true # PPP over various transports
install slhc /bin/true # SLIP/PPP compression and decompression
# Intel Platform Monitoring Technology Telemetry (Intel-PMT)
install pmt_class /bin/true # Platform Monitoring Telemetry (Intel)
install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel)
Idk whats the point of some of these being disabled like DVB/DVB-T and PPP? Is it cause these are outdated (like InfiniBand and Parallel ports)?
Also SDR and Ham Radio and might be too restrictive to users in my opinion.\ Maybe even disabling parallel ports might be even tho most will use wireless or usb (serial) connection to their printer.
The disabling of Intel-PMT makes sense.
https://github.com/intel/Intel-PMT?tab=readme-ov-file#what-is-intel-pmt
Intel PMT is a standardized way of exposing telemetry through host-based and out-of-band access across client, server and companion products. collecting the information telemetry standardized OOB
Some seem extreme with no clear rationale provided. Such as:
blacklist amdgpu # Make this optionnal
blacklist iwlwifi # Intel wireless driver
Thanks for your replies. I edited the post as suggested by @souchikjoardar201. You right @adrelanos some are extreme like certain ppp, exfat/ntfs if want to be compatible with windows environment etc. @raja-grewal I gonna try this on kicksecure KVM/Vbox. I gonna make new post with results in a few days, you will see more clearly.
@MikeHorn-git\ I think the blacklist ones are extreme but as far as PPP and DVB/DVB-T and InfiniBand I'm not sure what issues these would cause if you disabled them.
What is the rational or reasoning behind those (PPP and DVB/DVB-T and InfiniBand) being disabled?\ Is there certain attacks that leverage those or is it just that they are oudated/old and and unused and could be used for attack surface?
@MikeHorn-git I think the blacklist ones are extreme but as far as PPP and DVB/DVB-T and InfiniBand I'm not sure what issues these would cause if you disabled them.
What is the rational or reasoning behind those (PPP and DVB/DVB-T and InfiniBand) being disabled? Is there certain attacks that leverage those or is it just that they are oudated/old and and unused and could be used for attack surface?
Good question, the second option. Outdated/old and could be used for attack surface. PPP seems to be the worst suggestion among others, you right about possible issues that would cause.
So I try these with a kicksecure virtualbox. No issues at the moment. What are the tests I could use for more results ?
@souchikjoardar201
Intel Platform Monitoring Technology Telemetry (Intel-PMT)
Didn't even know that was a thing?
@MikeHorn-git
Outdated/old and could be used for attack surface.
Did you have any issues when disabling DVB/DVB-T modules?
Do they have to do with anything when it comes to video?
@EclipseBazooka
Digital Video Broadcasting
install dvb_core /bin/true # Core module for DVB devices install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset install dvb_usb_v2 /bin/true # Newer DVB USB framework install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver install rtl2832_sdr /bin/true # RTL2832-based SDR devices install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver
Point-to-Point Protocols
install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections install ppp_deflate /bin/true # Compression module for PPP install ppp_generic /bin/true # Generic PPP support install pppoe /bin/true # PPP over Ethernet install pppox /bin/true # PPP over various transports install slhc /bin/true # SLIP/PPP compression and decompression
Intel Platform Monitoring Technology Telemetry (Intel-PMT)
install pmt_class /bin/true # Platform Monitoring Telemetry (Intel) install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel)
Network Drivers
install brcm80211 /bin/true # Very old Broadcom wireless driver install cfg80211 /bin/true # Wireless API for a very old Broadcom device install eepro100 /bin/true # Very old network driver install eth1394 /bin/true # Very old network driver install rtl8187 /bin/true # Realtek RTL8187 wireless LAN driver
Miscellaneous Drivers
install fddi /bin/true # Fiber Distributed Data Interface install floppy /bin/true install hamradio /bin/true # Amateur radio protocol install ib_ipoib /bin/true # InfiniBand over IP install joydev /bin/true # Joystick support install lp /bin/true # Printer support for parallel port install parport /bin/true # Parallel port support install tr /bin/true # Token Ring protocol install uvcvideo /bin/true # USB Video Class driver
FileSystem
install jfs /bin/true # IBM's Journaled File System install reiserfs /bin/true # ReiserFS filesystem install squashfs /bin/true # SquashFS filesystem
Blacklisted : Make this optional and can be loaded later
blacklist amdgpu blacklist b43 # Quite old Broadcom wireless driver blacklist exfat blacklist iwlwifi # Intel wireless driver blacklist mac80211 # Printer support for parallel port blacklist ntfs blacklist nvidia blacklist radeon blacklist usb_storage blacklist uinput # User-level input driver