What problem kernel modules do you blacklist?

DCCP, a rarely used network protocol installed in most distros, has caused many vulnerabilities:

CVE-2007-1730, CVE-2007-1734, CVE-2008-2358, CVE-2008-3276, CVE-2011-1093, CVE-2011-1770, CVE-2012-6541, CVE-2013-1827, CVE-2014-8160, CVE-2014-2523

The most recent, CVE-2017-6074, has a local root proof of concept: github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074

echo "install dccp false" >> /etc/modprobe.d/disable-dccp.conf

What else should I blacklist?

unironically, install gentoo or compile your own kernel, keep all the unneeded bullshit out

These uncommon network protocols are often recommended to be blacklisted in hardening guides:

tipc
dccp
sctp
rds

who even uses those protocols? Why are they still in the mainline kernel?

The same reason they're in the NT kernel.

None, I built my own kernel and removed everything I don't need. As a result I went from taking 10 seconds to boot to 7.

thanks, I was gonna go sperg out about this but your post reminded me how pointless it would be.

So you recompile your kernel every time a new update comes out? Seems like a lot of work.

Another 11 year old local privilege escalation bug in Linux

All the ones that don't autoload on boot

echo 1 > /proc/sys/kernel/modules_disabled

github.com/xairy/kernel-exploits/blob/master/CVE-2017-6074/poc.c

Can that exploit be triggered without user namespaces? Debian has unprivileged namespaces disabled by default.

i am compiling kernel... only modules i need... install gentoo

I am compiling kernel...only modules I need... only modules that are under a free license....
Install gentoo

I can't do this luxury thanks to broadscum.

Nah, I don't stay on bleeding edge. I update when I'm bored or a major security vulnerability is found; either way, all I need to do is copy my config, set any new settings that are available and let it compile.

Wouldn't that cause issues if you actually use "Linux on the Desktop"?

I'm guessing companies who refuse to put down their 80386 servers?

Hardening and defense in depth is a waste of time. It's rare for someone to use a 0day against regular people. If someone wants you bad enough, they'll find a vulnerability in whatever you use.

Just keep everything up to date. These vulnerabilities are only an issue after they're disclosed.

compile your own kernel, for example gentoo's default kernel sources have the majority of things disabled... you just enable things you need and that's it... compilation takes 4-5 mins every time i am upgrading to a newer kernel version

Compiling the Linux kernel actually is pretty fast. Try to compile firefox, I still don't know if it's possible at all.

i have compiled palemoon myself one time, it took about one and a half hours on a q6600 cpu... for firefox you need to have a bunch of RAM

Top 4 longest turds to compile on Gentoo:
1. LibreOffice
2. Firefox
3. Webkit
4. Qt

Came to post this. If you know what your hardware needs, configuring a kernel is a one-time affair and solves exactly this problem.
And they say C++'s shitty compile times don't matter.
LLVM deserves a mention, I need that thing for my graphics card and holy shit do I love waiting for 1300 C++ files.

They are not in the Windows 10 kernel. :)

C++'s compile times don't matter when it's possible to farm out the process to many machines.

openwall.com/lists/oss-security/2017/03/07/6

Another unneeded module

Linux kernel: CVE-2017-2636: local privilege escalation flaw in n_hdlc

echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf

$ grep HDLC config-4.10.1-gentoo
# CONFIG_N_HDLC is not set
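The two one-liners in this thread (the dccp one near the top and the n_hdlc one just above) and the tipc/dccp/sctp/rds list are the same technique: a modprobe.d "install" override that makes modprobe run a no-op instead of loading the module. Below is an added POSIX sh example, not code posted by anyone in the thread, that writes one such file per module and offers a check you can run afterwards. The MODPROBE_D variable, the function names and the DISABLED_MODULES list are my own choices; /bin/false is used where the posts used false or /bin/true, which behave the same for this purpose.

```shell
#!/bin/sh
# Added example: disable rarely used kernel modules via modprobe.d overrides.
# MODPROBE_D defaults to the real directory; point it elsewhere to stage or test.
MODPROBE_D="${MODPROBE_D:-/etc/modprobe.d}"

# Modules named in the thread (constructed list, extend as needed).
DISABLED_MODULES="dccp sctp rds tipc n_hdlc"

# Write one conf file per module.
# "blacklist" stops alias-based autoloading only; "install <mod> /bin/false"
# makes modprobe run /bin/false instead of loading, so an explicit modprobe or a
# dependency pull-in fails too. Both lines together are what hardening guides use.
write_disable_conf() {
    mod="$1"
    conf="$MODPROBE_D/disable-$mod.conf"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# 0 if an install override for the module exists in MODPROBE_D.
# (-s silences "no such file" when the directory has no .conf files yet.)
module_disabled() {
    grep -qs "^install $1 " "$MODPROBE_D"/*.conf
}

# 0 if the module is loaded right now; the override does not unload it.
# Run "modprobe -r <mod>" (as root) for those, or reboot.
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

disable_all() {
    for m in $DISABLED_MODULES; do
        write_disable_conf "$m"
    done
}

# Report status for every module in the list.
report() {
    for m in $DISABLED_MODULES; do
        if module_disabled "$m"; then d=disabled; else d=enabled; fi
        if module_loaded "$m"; then l=loaded; else l="not loaded"; fi
        printf '%-8s %-8s %s\n' "$m" "$d" "$l"
    done
}
```

Run `disable_all` as root on the real system, then `report` to see which of the listed modules are still loaded from before the change; `modprobe -c | grep '^install'` shows what modprobe itself parsed from the directory. For a dry run, set `MODPROBE_D` to a scratch directory first.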

So you read hundreds of CVEs every 2 months to see if you're affected or not? Seems like a lot of work.

I preload a handful that I actually need on occasion but once you figure those out it's not too bad to maintain.

You just don't even understand why what you just said is fucking retarded, do you?

Good argument

*linux. Why? Red-Hatted to hell and back.

Is this Generation Libtard's version of xptweaks.com?