Diffstat (limited to 'etc/disable-common.inc')
-rw-r--r-- | etc/disable-common.inc | 102 |
1 files changed, 92 insertions, 10 deletions
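diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..b86c6f998 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,6 +1,7 @@
 # History files in $HOME
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.bash_history
 blacklist ${HOME}/.local/share/systemd
 blacklist-nolog ${HOME}/.adobe
 blacklist-nolog ${HOME}/.macromedia
@@ -14,21 +15,48 @@ blacklist /etc/xdg/autostart
 blacklist ${HOME}/.kde4/Autostart
 blacklist ${HOME}/.kde4/share/autostart
 blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
 blacklist ${HOME}/.config/plasma-workspace/shutdown
 blacklist ${HOME}/.config/plasma-workspace/env
 blacklist ${HOME}/.config/lxsession/LXDE/autostart
 blacklist ${HOME}/.fluxbox/startup
 blacklist ${HOME}/.config/openbox/autostart
 blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
 
 # VirtualBox
 blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
+# TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/truecrypt
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist ${HOME}/.TrueCrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
+blacklist /var/mail
 blacklist /var/run/acpid.socket
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/rpcbind.sock
@@ -39,7 +67,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/run/docker.sock
 
 # etc
-blacklist /etc/cron.*
+blacklist /etc/cron*
 blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
@@ -50,11 +78,15 @@ read-only ${HOME}/.xserverrc
 read-only ${HOME}/.profile
 
 # Shell startup files
+read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
 read-only ${HOME}/.bash_profile
 read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zprofile
 read-only ${HOME}/.zlogout
@@ -62,8 +94,12 @@ read-only ${HOME}/.zsh_files
 read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
 
 # Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
 read-only ${HOME}/_exrc
@@ -73,10 +109,11 @@ read-only ${HOME}/.gvimrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
-read-only ${HOME}/.muttrc
-read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
@@ -84,16 +121,25 @@ read-only ${HOME}/.xscreensaver
 read-only ${HOME}/bin
 
 # top secret
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
@@ -106,11 +152,19 @@ blacklist /etc/shadow+
 blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
+blacklist /home/.ecryptfs
+
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
 
 # system management
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
 blacklist ${PATH}/fusermount
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/at
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
 blacklist ${PATH}/xinput
@@ -119,17 +173,45 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/procmail
+blacklist ${PATH}/mount.ecryptfs_private
 
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+# other SUID binaries
+blacklist /usr/lib/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
 
-# disable terminals running as server
+# disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*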
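Review bot: The added `read-only ${HOME}/.profile` at new line 97 (the `@@ -62,8 +94,12 @@` hunk) duplicates the existing `read-only ${HOME}/.profile` at line 78, which is visible as context at the top of the previous hunk; one of the two entries should be dropped so the file has a single place to maintain that rule. The new `blacklist-nolog ${HOME}/.bash_history` in the first hunk looks redundant as well, since the `blacklist-nolog ${HOME}/.*_history` glob on the preceding line already matches it; if the explicit entry is kept on purpose (for example because the glob does not match in some setup), a one-line comment such as `# explicit entry in case the .*_history glob is not expanded` would tell the next maintainer not to remove it. The `@@ -39,7 +67,7 @@` hunk widens `/etc/cron.*` to `/etc/cron*`, which now also covers `/etc/crontab`; that seems intended, but a comment like `# cron* covers /etc/crontab and the /etc/cron.* directories` would make the broader match explicit.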