Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r-- | etc/disable-common.inc | 88 |
1 files changed, 78 insertions, 10 deletions
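--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,7 @@
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
@@ -14,21 +15,34 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+blacklist ${HOME}/.xpra
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
+blacklist /var/mail
 blacklist /var/run/acpid.socket
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/rpcbind.sock
@@ -39,7 +53,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/run/docker.sock
 
 # etc
-blacklist /etc/cron.*
+blacklist /etc/cron*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
@@ -50,11 +64,15 @@ read-only ${HOME}/.xserverrc
 read-only ${HOME}/.profile
 
 # Shell startup files
+read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zprofile
 read-only ${HOME}/.zlogout
@@ -62,8 +80,12 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
 
 # Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
@@ -73,10 +95,11 @@ read-only ${HOME}/.gvimrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
-read-only ${HOME}/.muttrc
-read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
@@ -84,16 +107,25 @@ read-only ${HOME}/.xscreensaver
 read-only ${HOME}/bin
 
 # top secret
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
@@ -106,11 +138,19 @@ blacklist /etc/shadow+
 blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
+blacklist /home/.ecryptfs
+
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
 
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/at
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
 blacklist ${PATH}/xinput
@@ -119,17 +159,45 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/procmail
 
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+# other SUID binaries
+blacklist /usr/lib/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
 
-# disable terminals running as server
+# disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*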
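Review bot: The `read-only ${HOME}/.profile` added as new line 83 (end of the csh block in the `@@ -62,8 +80,12 @@` hunk) duplicates the `read-only ${HOME}/.profile` that already exists at new line 64, visible as context at the top of the previous hunk, so one of the two should be dropped — presumably the new one, since line 64 already sits with the other login-shell files. The `blacklist-nolog ${HOME}/.bash_history` added at new line 4 also looks redundant with the `${HOME}/.*_history` glob on line 3; if it is there because of a case the glob does not cover at sandbox start, a one-line comment above it saying so would stop the next reader from removing it. In the last hunk, the reworded comment at new line 186 names the consequence but not the mechanism; if I read it right, the entries below it are terminal front-ends that hand the new window to an already-running instance outside the sandbox, and a comment such as `# terminal emulators that delegate to a server process already running outside the sandbox (sandbox escape)` would make that explicit, and could be echoed by `/tmp/.lxterminal-socket*` two lines above it.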