Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 710 |
1 files changed, 355 insertions, 355 deletions
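--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-deny ${HOME}/.local/share/Trash
+blacklist ${HOME}/.local/share/Trash
 
 # History files in $HOME and clipboard managers
-deny-nolog ${HOME}/.*_history
-deny-nolog ${HOME}/.adobe
-deny-nolog ${HOME}/.cache/greenclip*
-deny-nolog ${HOME}/.histfile
-deny-nolog ${HOME}/.history
-deny-nolog ${HOME}/.kde/share/apps/klipper
-deny-nolog ${HOME}/.kde4/share/apps/klipper
-deny-nolog ${HOME}/.local/share/fish/fish_history
-deny-nolog ${HOME}/.local/share/klipper
-deny-nolog ${HOME}/.macromedia
-deny-nolog ${HOME}/.mupdf.history
-deny-nolog ${HOME}/.python-history
-deny-nolog ${HOME}/.python_history
-deny-nolog ${HOME}/.pythonhist
-deny-nolog ${HOME}/.lesshst
-deny-nolog ${HOME}/.viminfo
-deny-nolog /tmp/clipmenu*
+blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.histfile
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python_history
+blacklist-nolog ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.viminfo
+blacklist-nolog /tmp/clipmenu*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-deny ${HOME}/.Xsession
-deny ${HOME}/.blackbox
-deny ${HOME}/.config/autostart
-deny ${HOME}/.config/autostart-scripts
-deny ${HOME}/.config/awesome
-deny ${HOME}/.config/i3
-deny ${HOME}/.config/sway
-deny ${HOME}/.config/lxsession/LXDE/autostart
-deny ${HOME}/.config/openbox
-deny ${HOME}/.config/plasma-workspace
-deny ${HOME}/.config/startupconfig
-deny ${HOME}/.config/startupconfigkeys
-deny ${HOME}/.fluxbox
-deny ${HOME}/.gnomerc
-deny ${HOME}/.kde/Autostart
-deny ${HOME}/.kde/env
-deny ${HOME}/.kde/share/autostart
-deny ${HOME}/.kde/share/config/startupconfig
-deny ${HOME}/.kde/share/config/startupconfigkeys
-deny ${HOME}/.kde/shutdown
-deny ${HOME}/.kde4/env
-deny ${HOME}/.kde4/Autostart
-deny ${HOME}/.kde4/share/autostart
-deny ${HOME}/.kde4/shutdown
-deny ${HOME}/.kde4/share/config/startupconfig
-deny ${HOME}/.kde4/share/config/startupconfigkeys
-deny ${HOME}/.local/share/autostart
-deny ${HOME}/.xinitrc
-deny ${HOME}/.xprofile
-deny ${HOME}/.xserverrc
-deny ${HOME}/.xsession
-deny ${HOME}/.xsessionrc
-deny /etc/X11/Xsession.d
-deny /etc/xdg/autostart
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
+blacklist ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
+blacklist ${HOME}/.config/sway
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.config/openbox
+blacklist ${HOME}/.config/plasma-workspace
+blacklist ${HOME}/.config/startupconfig
+blacklist ${HOME}/.config/startupconfigkeys
+blacklist ${HOME}/.fluxbox
+blacklist ${HOME}/.gnomerc
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/env
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.kde/share/config/startupconfig
+blacklist ${HOME}/.kde/share/config/startupconfigkeys
+blacklist ${HOME}/.kde/shutdown
+blacklist ${HOME}/.kde4/env
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde4/shutdown
+blacklist ${HOME}/.kde4/share/config/startupconfig
+blacklist ${HOME}/.kde4/share/config/startupconfigkeys
+blacklist ${HOME}/.local/share/autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.xserverrc
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
+blacklist /etc/X11/Xsession.d
+blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
 # Session manager
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
-deny ${HOME}/.cache/konsole
-deny ${HOME}/.config/khotkeysrc
-deny ${HOME}/.config/krunnerrc
-deny ${HOME}/.config/kscreenlockerrc
-deny ${HOME}/.config/ksslcertificatemanager
-deny ${HOME}/.config/kwalletrc
-deny ${HOME}/.config/kwinrc
-deny ${HOME}/.config/kwinrulesrc
-deny ${HOME}/.config/plasma-locale-settings.sh
-deny ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-deny ${HOME}/.config/plasmashellrc
-deny ${HOME}/.config/plasmavaultrc
-deny ${HOME}/.kde/share/apps/kwin
-deny ${HOME}/.kde/share/apps/plasma
-deny ${HOME}/.kde/share/apps/solid
-deny ${HOME}/.kde/share/config/khotkeysrc
-deny ${HOME}/.kde/share/config/krunnerrc
-deny ${HOME}/.kde/share/config/kscreensaverrc
-deny ${HOME}/.kde/share/config/ksslcertificatemanager
-deny ${HOME}/.kde/share/config/kwalletrc
-deny ${HOME}/.kde/share/config/kwinrc
-deny ${HOME}/.kde/share/config/kwinrulesrc
-deny ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-deny ${HOME}/.kde4/share/apps/kwin
-deny ${HOME}/.kde4/share/apps/plasma
-deny ${HOME}/.kde4/share/apps/solid
-deny ${HOME}/.kde4/share/config/khotkeysrc
-deny ${HOME}/.kde4/share/config/krunnerrc
-deny ${HOME}/.kde4/share/config/kscreensaverrc
-deny ${HOME}/.kde4/share/config/ksslcertificatemanager
-deny ${HOME}/.kde4/share/config/kwalletrc
-deny ${HOME}/.kde4/share/config/kwinrc
-deny ${HOME}/.kde4/share/config/kwinrulesrc
-deny ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-deny ${HOME}/.local/share/kglobalaccel
-deny ${HOME}/.local/share/kwin
-deny ${HOME}/.local/share/plasma
-deny ${HOME}/.local/share/plasmashell
-deny ${HOME}/.local/share/solid
-deny /tmp/konsole-*.history
+blacklist ${HOME}/.cache/konsole
+blacklist ${HOME}/.config/khotkeysrc
+blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
+blacklist ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-locale-settings.sh
+blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasmashellrc
+blacklist ${HOME}/.config/plasmavaultrc
+blacklist ${HOME}/.kde/share/apps/kwin
+blacklist ${HOME}/.kde/share/apps/plasma
+blacklist ${HOME}/.kde/share/apps/solid
+blacklist ${HOME}/.kde/share/config/khotkeysrc
+blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
+blacklist ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
+blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde4/share/apps/kwin
+blacklist ${HOME}/.kde4/share/apps/plasma
+blacklist ${HOME}/.kde4/share/apps/solid
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.local/share/kglobalaccel
+blacklist ${HOME}/.local/share/kwin
+blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
+blacklist ${HOME}/.local/share/solid
+blacklist /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 
 # KDE sockets
-deny ${RUNUSER}/*.slave-socket
-deny ${RUNUSER}/kdeinit5__*
-deny ${RUNUSER}/kdesud_*
+blacklist ${RUNUSER}/*.slave-socket
+blacklist ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 
 # gnome
 # contains extensions, last used times of applications, and notifications
-deny ${HOME}/.local/share/gnome-shell
+blacklist ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-deny ${HOME}/.local/share/gvfs-metadata
+blacklist ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-deny ${RUNUSER}/gnome-session-leader-fifo
-deny ${RUNUSER}/gnome-shell
-deny ${RUNUSER}/gsconnect
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
 
 # systemd
-deny ${HOME}/.config/systemd
-deny ${HOME}/.local/share/systemd
-deny /var/lib/systemd
-deny ${PATH}/systemd-run
-deny ${RUNUSER}/systemd
-deny ${PATH}/systemctl
-deny /etc/systemd/system
-deny /etc/systemd/network
+blacklist ${HOME}/.config/systemd
+blacklist ${HOME}/.local/share/systemd
+blacklist /var/lib/systemd
+blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
+blacklist ${PATH}/systemctl
+blacklist /etc/systemd/system
+blacklist /etc/systemd/network
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-deny /etc/runlevels/
-deny /etc/init.d/
-deny /etc/rc.conf
+blacklist /etc/runlevels/
+blacklist /etc/init.d/
+blacklist /etc/rc.conf
 
 # VirtualBox
-deny ${HOME}/.VirtualBox
-deny ${HOME}/.config/VirtualBox
-deny ${HOME}/VirtualBox VMs
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
-deny ${HOME}/.config/gnome-boxes
-deny ${HOME}/.local/share/gnome-boxes
+blacklist ${HOME}/.config/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-boxes
 
 # libvirt
-deny ${HOME}/.cache/libvirt
-deny ${HOME}/.config/libvirt
-deny ${RUNUSER}/libvirt
-deny /var/cache/libvirt
-deny /var/lib/libvirt
-deny /var/log/libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
 
 # OCI-Containers / Podman
-deny ${RUNUSER}/containers
-deny ${RUNUSER}/crun
-deny ${RUNUSER}/libpod
-deny ${RUNUSER}/runc
-deny ${RUNUSER}/toolbox
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
 
 # VeraCrypt
-deny ${HOME}/.VeraCrypt
-deny ${PATH}/veracrypt
-deny ${PATH}/veracrypt-uninstall.sh
-deny /usr/share/applications/veracrypt.*
-deny /usr/share/pixmaps/veracrypt.*
-deny /usr/share/veracrypt
+blacklist ${HOME}/.VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist /usr/share/veracrypt
 
 # TrueCrypt
-deny ${HOME}/.TrueCrypt
-deny ${PATH}/truecrypt
-deny ${PATH}/truecrypt-uninstall.sh
-deny /usr/share/applications/truecrypt.*
-deny /usr/share/pixmaps/truecrypt.*
-deny /usr/share/truecrypt
+blacklist ${HOME}/.TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist /usr/share/truecrypt
 
 # zuluCrypt
-deny ${HOME}/.zuluCrypt
-deny ${HOME}/.zuluCrypt-socket
-deny ${PATH}/zuluCrypt-cli
-deny ${PATH}/zuluMount-cli
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
 
 # var
-deny /var/cache/apt
-deny /var/cache/pacman
-deny /var/lib/apt
-deny /var/lib/clamav
-deny /var/lib/dkms
-deny /var/lib/mysql/mysql.sock
-deny /var/lib/mysqld/mysql.sock
-deny /var/lib/pacman
-deny /var/lib/upower
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-deny /var/mail
-deny /var/opt
-deny /var/run/acpid.socket
-deny /var/run/docker.sock
-deny /var/run/minissdpd.sock
-deny /var/run/mysql/mysqld.sock
-deny /var/run/mysqld/mysqld.sock
-deny /var/run/rpcbind.sock
-deny /var/run/screens
-deny /var/spool/anacron
-deny /var/spool/cron
-deny /var/spool/mail
+blacklist /var/mail
+blacklist /var/opt
+blacklist /var/run/acpid.socket
+blacklist /var/run/docker.sock
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/spool/anacron
+blacklist /var/spool/cron
+blacklist /var/spool/mail
 
 # etc
-deny /etc/anacrontab
-deny /etc/cron*
-deny /etc/profile.d
-deny /etc/rc.local
+blacklist /etc/anacrontab
+blacklist /etc/cron*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
-deny /etc/rc?.d
-deny /etc/kernel*
-deny /etc/grub*
-deny /etc/dkms
-deny /etc/apparmor*
-deny /etc/selinux
-deny /etc/modules*
-deny /etc/logrotate*
-deny /etc/adduser.conf
+blacklist /etc/rc?.d
+blacklist /etc/kernel*
+blacklist /etc/grub*
+blacklist /etc/dkms
+blacklist /etc/apparmor*
+blacklist /etc/selinux
+blacklist /etc/modules*
+blacklist /etc/logrotate*
+blacklist /etc/adduser.conf
 
 # hide config for various intrusion detection systems
-deny /etc/rkhunter.conf
-deny /var/lib/rkhunter
-deny /etc/chkrootkit.conf
-deny /etc/lynis
-deny /etc/aide
-deny /etc/logcheck
-deny /etc/tripwire
-deny /etc/snort
-deny /etc/fail2ban.conf
-deny /etc/suricata
+blacklist /etc/rkhunter.conf
+blacklist /var/lib/rkhunter
+blacklist /etc/chkrootkit.conf
+blacklist /etc/lynis
+blacklist /etc/aide
+blacklist /etc/logcheck
+blacklist /etc/tripwire
+blacklist /etc/snort
+blacklist /etc/fail2ban.conf
+blacklist /etc/suricata
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-deny ${HOME}/.rhosts
-deny ${HOME}/.shosts
-deny ${HOME}/.ssh/authorized_keys
-deny ${HOME}/.ssh/authorized_keys2
-deny ${HOME}/.ssh/environment
-deny ${HOME}/.ssh/rc
-deny /etc/hosts.equiv
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
 
@@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 
 # prevent access to ssh-agent
-deny /tmp/ssh-*
+blacklist /tmp/ssh-*
 
 # top secret
-deny ${HOME}/*.kdb
-deny ${HOME}/*.kdbx
-deny ${HOME}/*.key
-deny ${HOME}/.Private
-deny ${HOME}/.caff
-deny ${HOME}/.cargo/credentials
-deny ${HOME}/.cargo/credentials.toml
-deny ${HOME}/.cert
-deny ${HOME}/.config/keybase
-deny ${HOME}/.davfs2/secrets
-deny ${HOME}/.ecryptfs
-deny ${HOME}/.fetchmailrc
-deny ${HOME}/.fscrypt
-deny ${HOME}/.git-credential-cache
-deny ${HOME}/.git-credentials
-deny ${HOME}/.gnome2/keyrings
-deny ${HOME}/.gnupg
-deny ${HOME}/.config/hub
-deny ${HOME}/.kde/share/apps/kwallet
-deny ${HOME}/.kde4/share/apps/kwallet
-deny ${HOME}/.local/share/keyrings
-deny ${HOME}/.local/share/kwalletd
-deny ${HOME}/.local/share/plasma-vault
-deny ${HOME}/.msmtprc
-deny ${HOME}/.mutt
-deny ${HOME}/.muttrc
-deny ${HOME}/.netrc
-deny ${HOME}/.nyx
-deny ${HOME}/.pki
-deny ${HOME}/.local/share/pki
-deny ${HOME}/.smbcredentials
-deny ${HOME}/.ssh
-deny ${HOME}/.vaults
-deny /.fscrypt
-deny /etc/davfs2/secrets
-deny /etc/group+
-deny /etc/group-
-deny /etc/gshadow
-deny /etc/gshadow+
-deny /etc/gshadow-
-deny /etc/passwd+
-deny /etc/passwd-
-deny /etc/shadow
-deny /etc/shadow+
-deny /etc/shadow-
-deny /etc/ssh
-deny /etc/ssh/*
-deny /home/.ecryptfs
-deny /home/.fscrypt
-deny /var/backup
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.key
+blacklist ${HOME}/.Private
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cargo/credentials.toml
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.davfs2/secrets
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.config/hub
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.local/share/keyrings
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.nyx
+blacklist ${HOME}/.pki
+blacklist ${HOME}/.local/share/pki
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.vaults
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
+blacklist /var/backup
 
 # cloud provider configuration
-deny ${HOME}/.aws
-deny ${HOME}/.boto
-deny ${HOME}/.config/gcloud
-deny ${HOME}/.kube
-deny ${HOME}/.passwd-s3fs
-deny ${HOME}/.s3cmd
-deny /etc/boto.cfg
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+blacklist ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.s3cmd
+blacklist /etc/boto.cfg
 
 # system directories
-deny /sbin
-deny /usr/local/sbin
-deny /usr/sbin
+blacklist /sbin
+blacklist /usr/local/sbin
+blacklist /usr/sbin
 
 # system management
-deny ${PATH}/at
-deny ${PATH}/busybox
-deny ${PATH}/chage
-deny ${PATH}/chfn
-deny ${PATH}/chsh
-deny ${PATH}/crontab
-deny ${PATH}/evtest
-deny ${PATH}/expiry
-deny ${PATH}/fusermount
-deny ${PATH}/gksu
-deny ${PATH}/gksudo
-deny ${PATH}/gpasswd
-deny ${PATH}/kdesudo
-deny ${PATH}/ksu
-deny ${PATH}/mount
-deny ${PATH}/mount.ecryptfs_private
-deny ${PATH}/nc
-deny ${PATH}/ncat
-deny ${PATH}/nmap
-deny ${PATH}/newgidmap
-deny ${PATH}/newgrp
-deny ${PATH}/newuidmap
-deny ${PATH}/ntfs-3g
-deny ${PATH}/pkexec
-deny ${PATH}/procmail
-deny ${PATH}/sg
-deny ${PATH}/strace
-deny ${PATH}/su
-deny ${PATH}/sudo
-deny ${PATH}/tcpdump
-deny ${PATH}/umount
-deny ${PATH}/unix_chkpwd
-deny ${PATH}/xev
-deny ${PATH}/xinput
+blacklist ${PATH}/at
+blacklist ${PATH}/busybox
+blacklist ${PATH}/chage
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chsh
+blacklist ${PATH}/crontab
+blacklist ${PATH}/evtest
+blacklist ${PATH}/expiry
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
+blacklist ${PATH}/ksu
+blacklist ${PATH}/mount
+blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+blacklist ${PATH}/nmap
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/procmail
+blacklist ${PATH}/sg
+blacklist ${PATH}/strace
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/tcpdump
+blacklist ${PATH}/umount
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/xev
+blacklist ${PATH}/xinput
 
 # other SUID binaries
-deny /usr/lib/virtualbox
-deny /usr/lib64/virtualbox
+blacklist /usr/lib/virtualbox
+blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
-deny /tmp/.lxterminal-socket*
+blacklist /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-deny /tmp/tmux-*
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-deny ${PATH}/lxterminal
-deny ${PATH}/gnome-terminal
-deny ${PATH}/gnome-terminal.wrapper
-deny ${PATH}/lilyterm
-deny ${PATH}/mate-terminal
-deny ${PATH}/mate-terminal.wrapper
-deny ${PATH}/pantheon-terminal
-deny ${PATH}/roxterm
-deny ${PATH}/roxterm-config
-deny ${PATH}/terminix
-deny ${PATH}/tilix
-deny ${PATH}/urxvtc
-deny ${PATH}/urxvtcd
-deny ${PATH}/xfce4-terminal
-deny ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
-deny /initrd*
-deny /vmlinuz*
+blacklist /initrd*
+blacklist /vmlinuz*
 
 # snapshot files
-deny /.snapshots
+blacklist /.snapshots
 
 # flatpak
-deny ${HOME}/.cache/flatpak
-deny ${HOME}/.config/flatpak
-nodeny ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.cache/flatpak
+blacklist ${HOME}/.config/flatpak
+noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-deny ${HOME}/.local/share/flatpak/*
-deny ${HOME}/.var
-deny ${RUNUSER}/app
-deny ${RUNUSER}/doc
-deny ${RUNUSER}/.dbus-proxy
-deny ${RUNUSER}/.flatpak
-deny ${RUNUSER}/.flatpak-cache
-deny ${RUNUSER}/.flatpak-helper
-deny /usr/share/flatpak
-nodeny /var/lib/flatpak/exports
-deny /var/lib/flatpak/*
+blacklist ${HOME}/.local/share/flatpak/*
+blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
+blacklist ${RUNUSER}/.flatpak-helper
+blacklist /usr/share/flatpak
+noblacklist /var/lib/flatpak/exports
+blacklist /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-deny ${PATH}/bwrap
+blacklist ${PATH}/bwrap
 
 # snap
-deny ${RUNUSER}/snapd-session-agent.socket
+blacklist ${RUNUSER}/snapd-session-agent.socket
 
 # mail directories used by mutt
-deny ${HOME}/.Mail
-deny ${HOME}/.mail
-deny ${HOME}/.signature
-deny ${HOME}/Mail
-deny ${HOME}/mail
-deny ${HOME}/postponed
-deny ${HOME}/sent
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
 
 # kernel configuration
-deny /proc/config.gz
+blacklist /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-deny ${PATH}/dig
-deny ${PATH}/dlint
-deny ${PATH}/dns2tcp
-deny ${PATH}/dnssec-*
-deny ${PATH}/dnswalk
-deny ${PATH}/drill
-deny ${PATH}/host
-deny ${PATH}/iodine
-deny ${PATH}/kdig
-deny ${PATH}/khost
-deny ${PATH}/knsupdate
-deny ${PATH}/ldns-*
-deny ${PATH}/ldnsd
-deny ${PATH}/nslookup
-deny ${PATH}/resolvectl
-deny ${PATH}/unbound-host
+blacklist ${PATH}/dig
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
+blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
+blacklist ${PATH}/khost
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/resolvectl
+blacklist ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
-deny ${RUNUSER}/*.lock
-deny ${RUNUSER}/inaccessible
-deny ${RUNUSER}/pk-debconf-socket
-deny ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid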