Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Suggestions for kernel modules blacklisted in /etc/modprobe.d/30_security-misc.conf #224

Open MikeHorn-git opened 1 month ago

MikeHorn-git commented 1 month ago

Digital Video Broadcasting

install dvb_core /bin/true # Core module for DVB devices
install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset
install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset
install dvb_usb_v2 /bin/true # Newer DVB USB framework
install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver
install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver
install rtl2832_sdr /bin/true # RTL2832-based SDR devices
install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver

Point-to-Point Protocols

install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections
install ppp_deflate /bin/true # Compression module for PPP
install ppp_generic /bin/true # Generic PPP support
install pppoe /bin/true # PPP over Ethernet
install pppox /bin/true # PPP over various transports
install slhc /bin/true # SLIP/PPP compression and decompression

Intel Platform Monitoring Technology Telemetry (Intel-PMT)

install pmt_class /bin/true # Platform Monitoring Telemetry (Intel)
install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel)

Network Drivers

install brcm80211 /bin/true # Broadcom 802.11 driver family (brcmsmac/brcmfmac)
install cfg80211 /bin/true # Generic 802.11 configuration API; every modern in-tree wireless driver depends on it
install eepro100 /bin/true # Very old network driver
install eth1394 /bin/true # Very old network driver (Ethernet over FireWire)
install rtl8187 /bin/true # Realtek RTL8187 wireless LAN driver

Miscellaneous Drivers

install fddi /bin/true # Fiber Distributed Data Interface
install floppy /bin/true # Floppy disk controller driver
install hamradio /bin/true # Amateur radio protocol
install ib_ipoib /bin/true # InfiniBand over IP
install joydev /bin/true # Joystick support
install lp /bin/true # Printer support for parallel port
install parport /bin/true # Parallel port support
install tr /bin/true # Token Ring protocol
install uvcvideo /bin/true # USB Video Class driver

FileSystem

install jfs /bin/true # IBM's Journaled File System
install reiserfs /bin/true # ReiserFS filesystem
install squashfs /bin/true # SquashFS filesystem

Blacklisted: make these optional so they can be loaded later

blacklist amdgpu
blacklist b43 # Quite old Broadcom wireless driver
blacklist exfat
blacklist iwlwifi # Intel wireless driver
blacklist mac80211 # Generic 802.11 softMAC layer used by most wireless drivers
blacklist ntfs
blacklist nvidia
blacklist radeon
blacklist usb_storage
blacklist uinput # User-level input driver

raja-grewal commented 1 month ago

Hello, thanks for your suggestions. Many of these certainly seem very actionable.

However, given the number of modules to be disabled, it may take some time to review.

Have you tested all these settings on Kicksecure yourself to ensure none of them cause any breakages for you?

Note: Some discussion may or may not occur on the Whonix forums.

souchikjoardar201 commented 1 month ago

The list needs to be more readable for example:

# Digital Video Broadcasting
install dvb_core /bin/true # Core module for DVB devices : https://www.kernel.org/doc/html/v4.9/media/kapi/dtv-core.html
install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset
install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset
install dvb_usb_v2 /bin/true # Newer DVB USB framework
install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver
install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver
install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver

# Point-to-Point Protocols
install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections
install ppp_deflate /bin/true # Compression module for PPP
install ppp_generic /bin/true # Generic PPP support
install pppoe /bin/true # PPP over Ethernet
install pppox /bin/true # PPP over various transports
install slhc /bin/true # SLIP/PPP compression and decompression

# Intel Platform Monitoring Technology Telemetry (Intel-PMT)
install pmt_class /bin/true # Platform Monitoring Telemetry (Intel)
install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel)

Idk what's the point of some of these being disabled, like DVB/DVB-T and PPP? Is it because these are outdated (like InfiniBand and parallel ports)?

Also, SDR and Ham Radio might be too restrictive to users in my opinion. Maybe even disabling parallel ports might be, even though most will use a wireless or USB (serial) connection to their printer.

The disabling of Intel-PMT makes sense.

https://github.com/intel/Intel-PMT?tab=readme-ov-file#what-is-intel-pmt

Intel PMT is a standardized way of exposing telemetry through host-based and out-of-band access across client, server and companion products.

adrelanos commented 1 month ago

Some seem extreme with no clear rationale provided. Such as:

blacklist amdgpu # Make this optional

blacklist iwlwifi # Intel wireless driver

MikeHorn-git commented 1 month ago

Thanks for your replies. I edited the post as suggested by @souchikjoardar201. You're right @adrelanos, some are extreme, like certain ppp, and exfat/ntfs if one wants to be compatible with a Windows environment, etc. @raja-grewal I'm going to try this on Kicksecure KVM/VBox. I'll make a new post with results in a few days, so you will see more clearly.

souchikjoardar201 commented 4 weeks ago

@MikeHorn-git I think the blacklist ones are extreme, but as far as PPP and DVB/DVB-T and InfiniBand go, I'm not sure what issues these would cause if you disabled them.

What is the rationale or reasoning behind those (PPP and DVB/DVB-T and InfiniBand) being disabled? Are there certain attacks that leverage those, or is it just that they are outdated/old and unused and could be used as attack surface?

MikeHorn-git commented 3 weeks ago

@MikeHorn-git I think the blacklist ones are extreme, but as far as PPP and DVB/DVB-T and InfiniBand go, I'm not sure what issues these would cause if you disabled them.

What is the rationale or reasoning behind those (PPP and DVB/DVB-T and InfiniBand) being disabled? Are there certain attacks that leverage those, or is it just that they are outdated/old and unused and could be used as attack surface?

Good question, the second option. Outdated/old and could be used as attack surface. PPP seems to be the worst suggestion among the others; you're right about the possible issues it would cause.

So I tried these with a Kicksecure VirtualBox VM. No issues at the moment. What tests could I use for more results?
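One pre-deployment check for a list like the one proposed in this thread, as an added example that is not security-misc's own code and not something any participant posted: it parses the `install <module> /bin/true` and `blacklist <module>` directives of a modprobe.d file and reports which of those modules are loaded right now, so an in-use module (for example `cfg80211` on a laptop with Wi-Fi) is caught before the file goes live. It assumes the file uses only those two directive forms and, unless told otherwise, reads the running kernel's `/proc/modules`.

```shell
#!/bin/sh
# Added example: compare a proposed modprobe.d file against the modules
# currently loaded, to spot entries that would disable something in use.
#
# Usage: check_modprobe_conf <conf-file> [<modules-file>]
#   <modules-file> defaults to /proc/modules; a constructed copy can be
#   passed instead for offline testing.

# Print the module names a modprobe.d file disables, one per line.
# Recognises "blacklist <mod>" and "install <mod> /bin/true" (or
# /bin/false); other install commands are real wrappers, not disables,
# and are ignored. '-' is normalised to '_' as modprobe treats them
# as equivalent, and trailing "# comment" text is stripped.
disabled_modules() {
    sed -e 's/#.*$//' "$1" \
    | awk '$1 == "blacklist" { print $2 }
           $1 == "install" && ($3 == "/bin/true" || $3 == "/bin/false") { print $2 }' \
    | tr '-' '_' | sort -u
}

# Print the module names from a /proc/modules-style file (first field).
loaded_modules() {
    awk '{ print $1 }' "$1" | tr '-' '_' | sort -u
}

# Print every disabled module that is currently loaded, one per line.
# Returns 1 if any such conflict exists, 0 if the file is safe to apply
# with respect to the modules loaded right now.
check_modprobe_conf() {
    conf=$1
    mods=${2:-/proc/modules}
    found=0
    for m in $(disabled_modules "$conf"); do
        if loaded_modules "$mods" | grep -qx "$m"; then
            echo "$m"
            found=1
        fi
    done
    return $found
}
```

A clean result only means nothing loaded at this moment is affected; modules that are autoloaded later (a USB device plugged in, a filesystem mounted) still need a reboot-and-use test on the target VM.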

EclipseBazooka commented 3 weeks ago

@souchikjoardar201

Intel Platform Monitoring Technology Telemetry (Intel-PMT)

Didn't even know that was a thing?

@MikeHorn-git

Outdated/old and could be used for attack surface.

Did you have any issues when disabling DVB/DVB-T modules?

Do they have to do with anything when it comes to video?

MikeHorn-git commented 2 weeks ago

@EclipseBazooka