Diffstat (limited to 'etc/inc/disable-common.inc')
-rw-r--r-- | etc/inc/disable-common.inc | 171 |
1 files changed, 128 insertions, 43 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 35f89e11b..43332b4d0 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -16,7 +16,9 @@ blacklist-nolog ${HOME}/.history | |||
16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | 16 | blacklist-nolog ${HOME}/.kde/share/apps/klipper |
17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | 17 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper |
18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 18 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
19 | blacklist-nolog ${HOME}/.local/share/ibus-typing-booster | ||
19 | blacklist-nolog ${HOME}/.local/share/klipper | 20 | blacklist-nolog ${HOME}/.local/share/klipper |
21 | blacklist-nolog ${HOME}/.local/share/nvim | ||
20 | blacklist-nolog ${HOME}/.macromedia | 22 | blacklist-nolog ${HOME}/.macromedia |
21 | blacklist-nolog ${HOME}/.mupdf.history | 23 | blacklist-nolog ${HOME}/.mupdf.history |
22 | blacklist-nolog ${HOME}/.python-history | 24 | blacklist-nolog ${HOME}/.python-history |
@@ -159,20 +161,23 @@ blacklist ${RUNUSER}/gsconnect | |||
159 | # systemd | 161 | # systemd |
160 | blacklist ${HOME}/.config/systemd | 162 | blacklist ${HOME}/.config/systemd |
161 | blacklist ${HOME}/.local/share/systemd | 163 | blacklist ${HOME}/.local/share/systemd |
162 | blacklist /var/lib/systemd | 164 | blacklist ${PATH}/systemctl |
163 | blacklist ${PATH}/systemd-run | 165 | blacklist ${PATH}/systemd-run |
164 | blacklist ${RUNUSER}/systemd | 166 | blacklist ${RUNUSER}/systemd |
167 | blacklist /etc/systemd/network | ||
168 | blacklist /etc/systemd/system | ||
169 | blacklist /var/lib/systemd | ||
165 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 170 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
166 | #blacklist /var/run/systemd | 171 | #blacklist /var/run/systemd |
167 | 172 | ||
168 | # openrc | 173 | # openrc |
169 | blacklist /etc/runlevels/ | 174 | blacklist /etc/init.d |
170 | blacklist /etc/init.d/ | ||
171 | blacklist /etc/rc.conf | 175 | blacklist /etc/rc.conf |
176 | blacklist /etc/runlevels | ||
172 | 177 | ||
173 | # VirtualBox | 178 | # VirtualBox |
174 | blacklist ${HOME}/.VirtualBox | ||
175 | blacklist ${HOME}/.config/VirtualBox | 179 | blacklist ${HOME}/.config/VirtualBox |
180 | blacklist ${HOME}/.VirtualBox | ||
176 | blacklist ${HOME}/VirtualBox VMs | 181 | blacklist ${HOME}/VirtualBox VMs |
177 | 182 | ||
178 | # GNOME Boxes | 183 | # GNOME Boxes |
@@ -242,20 +247,34 @@ blacklist /var/spool/cron | |||
242 | blacklist /var/spool/mail | 247 | blacklist /var/spool/mail |
243 | 248 | ||
244 | # etc | 249 | # etc |
250 | blacklist /etc/adduser.conf | ||
245 | blacklist /etc/anacrontab | 251 | blacklist /etc/anacrontab |
252 | blacklist /etc/apparmor* | ||
246 | blacklist /etc/cron* | 253 | blacklist /etc/cron* |
254 | blacklist /etc/default | ||
255 | blacklist /etc/dkms | ||
256 | blacklist /etc/grub* | ||
257 | blacklist /etc/kernel* | ||
258 | blacklist /etc/logrotate* | ||
259 | blacklist /etc/modules* | ||
247 | blacklist /etc/profile.d | 260 | blacklist /etc/profile.d |
248 | blacklist /etc/rc.local | 261 | blacklist /etc/rc.local |
249 | # rc1.d, rc2.d, ... | 262 | # rc1.d, rc2.d, ... |
250 | blacklist /etc/rc?.d | 263 | blacklist /etc/rc?.d |
251 | blacklist /etc/kernel* | 264 | blacklist /etc/sysconfig |
252 | blacklist /etc/grub* | 265 | |
253 | blacklist /etc/dkms | 266 | # hide config for various intrusion detection systems |
254 | blacklist /etc/apparmor* | 267 | blacklist /etc/aide |
255 | blacklist /etc/selinux | 268 | blacklist /etc/aide.conf |
256 | blacklist /etc/modules* | 269 | blacklist /etc/chkrootkit.conf |
257 | blacklist /etc/logrotate* | 270 | blacklist /etc/fail2ban.conf |
258 | blacklist /etc/adduser.conf | 271 | blacklist /etc/logcheck |
272 | blacklist /etc/lynis | ||
273 | blacklist /etc/rkhunter.* | ||
274 | blacklist /etc/snort | ||
275 | blacklist /etc/suricata | ||
276 | blacklist /etc/tripwire | ||
277 | blacklist /var/lib/rkhunter | ||
259 | 278 | ||
260 | # Startup files | 279 | # Startup files |
261 | read-only ${HOME}/.antigen | 280 | read-only ${HOME}/.antigen |
@@ -305,6 +324,7 @@ read-only ${HOME}/.ssh/config.d | |||
305 | # Initialization files that allow arbitrary command execution | 324 | # Initialization files that allow arbitrary command execution |
306 | read-only ${HOME}/.caffrc | 325 | read-only ${HOME}/.caffrc |
307 | read-only ${HOME}/.cargo/env | 326 | read-only ${HOME}/.cargo/env |
327 | read-only ${HOME}/.config/nvim | ||
308 | read-only ${HOME}/.dotfiles | 328 | read-only ${HOME}/.dotfiles |
309 | read-only ${HOME}/.emacs | 329 | read-only ${HOME}/.emacs |
310 | read-only ${HOME}/.emacs.d | 330 | read-only ${HOME}/.emacs.d |
@@ -314,6 +334,7 @@ read-only ${HOME}/.homesick | |||
314 | read-only ${HOME}/.iscreenrc | 334 | read-only ${HOME}/.iscreenrc |
315 | read-only ${HOME}/.local/lib | 335 | read-only ${HOME}/.local/lib |
316 | read-only ${HOME}/.local/share/cool-retro-term | 336 | read-only ${HOME}/.local/share/cool-retro-term |
337 | read-only ${HOME}/.local/share/nvim | ||
317 | read-only ${HOME}/.mailcap | 338 | read-only ${HOME}/.mailcap |
318 | read-only ${HOME}/.msmtprc | 339 | read-only ${HOME}/.msmtprc |
319 | read-only ${HOME}/.mutt/muttrc | 340 | read-only ${HOME}/.mutt/muttrc |
@@ -335,13 +356,15 @@ read-only ${HOME}/_vimrc | |||
335 | read-only ${HOME}/dotfiles | 356 | read-only ${HOME}/dotfiles |
336 | 357 | ||
337 | # Make directories commonly found in $PATH read-only | 358 | # Make directories commonly found in $PATH read-only |
359 | read-only ${HOME}/.bin | ||
360 | read-only ${HOME}/.cargo/bin | ||
338 | read-only ${HOME}/.gem | 361 | read-only ${HOME}/.gem |
362 | read-only ${HOME}/.local/bin | ||
339 | read-only ${HOME}/.luarocks | 363 | read-only ${HOME}/.luarocks |
340 | read-only ${HOME}/.npm-packages | 364 | read-only ${HOME}/.npm-packages |
365 | read-only ${HOME}/.nvm | ||
366 | read-only ${HOME}/.rustup | ||
341 | read-only ${HOME}/bin | 367 | read-only ${HOME}/bin |
342 | read-only ${HOME}/.bin | ||
343 | read-only ${HOME}/.local/bin | ||
344 | read-only ${HOME}/.cargo/bin | ||
345 | 368 | ||
346 | # Write-protection for desktop entries | 369 | # Write-protection for desktop entries |
347 | read-only ${HOME}/.config/menus | 370 | read-only ${HOME}/.config/menus |
@@ -360,13 +383,32 @@ read-only ${HOME}/.local/share/thumbnailers | |||
360 | blacklist /tmp/ssh-* | 383 | blacklist /tmp/ssh-* |
361 | 384 | ||
362 | # top secret | 385 | # top secret |
386 | blacklist /.fscrypt | ||
387 | blacklist /etc/davfs2/secrets | ||
388 | blacklist /etc/group+ | ||
389 | blacklist /etc/group- | ||
390 | blacklist /etc/gshadow | ||
391 | blacklist /etc/gshadow+ | ||
392 | blacklist /etc/gshadow- | ||
393 | blacklist /etc/passwd+ | ||
394 | blacklist /etc/passwd- | ||
395 | blacklist /etc/shadow | ||
396 | blacklist /etc/shadow+ | ||
397 | blacklist /etc/shadow- | ||
398 | blacklist /etc/ssh | ||
399 | blacklist /etc/ssh/* | ||
400 | blacklist /home/.ecryptfs | ||
401 | blacklist /home/.fscrypt | ||
363 | blacklist ${HOME}/*.kdb | 402 | blacklist ${HOME}/*.kdb |
364 | blacklist ${HOME}/*.kdbx | 403 | blacklist ${HOME}/*.kdbx |
365 | blacklist ${HOME}/*.key | 404 | blacklist ${HOME}/*.key |
405 | blacklist ${HOME}/Private | ||
366 | blacklist ${HOME}/.Private | 406 | blacklist ${HOME}/.Private |
367 | blacklist ${HOME}/.caff | 407 | blacklist ${HOME}/.caff |
368 | blacklist ${HOME}/.cargo/credentials | 408 | blacklist ${HOME}/.cargo/credentials |
409 | blacklist ${HOME}/.cargo/credentials.toml | ||
369 | blacklist ${HOME}/.cert | 410 | blacklist ${HOME}/.cert |
411 | blacklist ${HOME}/.config/hub | ||
370 | blacklist ${HOME}/.config/keybase | 412 | blacklist ${HOME}/.config/keybase |
371 | blacklist ${HOME}/.davfs2/secrets | 413 | blacklist ${HOME}/.davfs2/secrets |
372 | blacklist ${HOME}/.ecryptfs | 414 | blacklist ${HOME}/.ecryptfs |
@@ -376,40 +418,37 @@ blacklist ${HOME}/.git-credential-cache | |||
376 | blacklist ${HOME}/.git-credentials | 418 | blacklist ${HOME}/.git-credentials |
377 | blacklist ${HOME}/.gnome2/keyrings | 419 | blacklist ${HOME}/.gnome2/keyrings |
378 | blacklist ${HOME}/.gnupg | 420 | blacklist ${HOME}/.gnupg |
379 | blacklist ${HOME}/.config/hub | ||
380 | blacklist ${HOME}/.kde/share/apps/kwallet | 421 | blacklist ${HOME}/.kde/share/apps/kwallet |
381 | blacklist ${HOME}/.kde4/share/apps/kwallet | 422 | blacklist ${HOME}/.kde4/share/apps/kwallet |
382 | blacklist ${HOME}/.local/share/keyrings | 423 | blacklist ${HOME}/.local/share/keyrings |
383 | blacklist ${HOME}/.local/share/kwalletd | 424 | blacklist ${HOME}/.local/share/kwalletd |
425 | blacklist ${HOME}/.local/share/pki | ||
384 | blacklist ${HOME}/.local/share/plasma-vault | 426 | blacklist ${HOME}/.local/share/plasma-vault |
427 | blacklist ${HOME}/.minisign | ||
385 | blacklist ${HOME}/.msmtprc | 428 | blacklist ${HOME}/.msmtprc |
386 | blacklist ${HOME}/.mutt | 429 | blacklist ${HOME}/.mutt |
387 | blacklist ${HOME}/.muttrc | 430 | blacklist ${HOME}/.muttrc |
388 | blacklist ${HOME}/.netrc | 431 | blacklist ${HOME}/.netrc |
389 | blacklist ${HOME}/.nyx | 432 | blacklist ${HOME}/.nyx |
390 | blacklist ${HOME}/.pki | 433 | blacklist ${HOME}/.pki |
391 | blacklist ${HOME}/.local/share/pki | ||
392 | blacklist ${HOME}/.smbcredentials | 434 | blacklist ${HOME}/.smbcredentials |
393 | blacklist ${HOME}/.ssh | 435 | blacklist ${HOME}/.ssh |
394 | blacklist ${HOME}/.vaults | 436 | blacklist ${HOME}/.vaults |
395 | blacklist /.fscrypt | 437 | blacklist /run/timeshift |
396 | blacklist /etc/davfs2/secrets | ||
397 | blacklist /etc/group+ | ||
398 | blacklist /etc/group- | ||
399 | blacklist /etc/gshadow | ||
400 | blacklist /etc/gshadow+ | ||
401 | blacklist /etc/gshadow- | ||
402 | blacklist /etc/passwd+ | ||
403 | blacklist /etc/passwd- | ||
404 | blacklist /etc/shadow | ||
405 | blacklist /etc/shadow+ | ||
406 | blacklist /etc/shadow- | ||
407 | blacklist /etc/ssh | ||
408 | blacklist /etc/ssh/* | ||
409 | blacklist /home/.ecryptfs | ||
410 | blacklist /home/.fscrypt | ||
411 | blacklist /var/backup | 438 | blacklist /var/backup |
412 | 439 | ||
440 | # Remove environment variables with auth tokens. | ||
441 | # Note however that the sandbox might still have access to the | ||
442 | # files where these variables are set. | ||
443 | rmenv GH_TOKEN | ||
444 | rmenv GITHUB_TOKEN | ||
445 | rmenv GH_ENTERPRISE_TOKEN | ||
446 | rmenv GITHUB_ENTERPRISE_TOKEN | ||
447 | rmenv CARGO_REGISTRY_TOKEN | ||
448 | rmenv RESTIC_KEY_HINT | ||
449 | rmenv RESTIC_PASSWORD_COMMAND | ||
450 | rmenv RESTIC_PASSWORD_FILE | ||
451 | |||
413 | # cloud provider configuration | 452 | # cloud provider configuration |
414 | blacklist ${HOME}/.aws | 453 | blacklist ${HOME}/.aws |
415 | blacklist ${HOME}/.boto | 454 | blacklist ${HOME}/.boto |
@@ -424,7 +463,7 @@ blacklist /sbin | |||
424 | blacklist /usr/local/sbin | 463 | blacklist /usr/local/sbin |
425 | blacklist /usr/sbin | 464 | blacklist /usr/sbin |
426 | 465 | ||
427 | # system management | 466 | # system management and various SUID executables |
428 | blacklist ${PATH}/at | 467 | blacklist ${PATH}/at |
429 | blacklist ${PATH}/busybox | 468 | blacklist ${PATH}/busybox |
430 | blacklist ${PATH}/chage | 469 | blacklist ${PATH}/chage |
@@ -459,6 +498,42 @@ blacklist ${PATH}/umount | |||
459 | blacklist ${PATH}/unix_chkpwd | 498 | blacklist ${PATH}/unix_chkpwd |
460 | blacklist ${PATH}/xev | 499 | blacklist ${PATH}/xev |
461 | blacklist ${PATH}/xinput | 500 | blacklist ${PATH}/xinput |
501 | # from 0.9.67 | ||
502 | blacklist /usr/lib/openssh | ||
503 | blacklist /usr/lib/ssh | ||
504 | blacklist /usr/libexec/openssh | ||
505 | blacklist ${PATH}/passwd | ||
506 | blacklist /usr/lib/xorg/Xorg.wrap | ||
507 | blacklist /usr/lib/policykit-1/polkit-agent-helper-1 | ||
508 | blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper | ||
509 | blacklist /usr/lib/eject/dmcrypt-get-device | ||
510 | blacklist /usr/lib/chromium/chrome-sandbox | ||
511 | blacklist /usr/lib/vmware | ||
512 | blacklist ${PATH}/suexec | ||
513 | blacklist /usr/lib/squid/basic_pam_auth | ||
514 | blacklist ${PATH}/slock | ||
515 | blacklist ${PATH}/physlock | ||
516 | blacklist ${PATH}/schroot | ||
517 | blacklist ${PATH}/wshowkeys | ||
518 | blacklist ${PATH}/pmount | ||
519 | blacklist ${PATH}/pumount | ||
520 | blacklist ${PATH}/bmon | ||
521 | blacklist ${PATH}/fping | ||
522 | blacklist ${PATH}/fping6 | ||
523 | blacklist ${PATH}/hostname | ||
524 | # blacklist ${PATH}/ip - breaks --ip=dhcp | ||
525 | blacklist ${PATH}/mtr | ||
526 | blacklist ${PATH}/mtr-packet | ||
527 | blacklist ${PATH}/netstat | ||
528 | blacklist ${PATH}/nm-online | ||
529 | blacklist ${PATH}/nmcli | ||
530 | blacklist ${PATH}/nmtui | ||
531 | blacklist ${PATH}/nmtui-connect | ||
532 | blacklist ${PATH}/nmtui-edit | ||
533 | blacklist ${PATH}/nmtui-hostname | ||
534 | blacklist ${PATH}/networkctl | ||
535 | blacklist ${PATH}/ss | ||
536 | blacklist ${PATH}/traceroute | ||
462 | 537 | ||
463 | # other SUID binaries | 538 | # other SUID binaries |
464 | blacklist /usr/lib/virtualbox | 539 | blacklist /usr/lib/virtualbox |
@@ -470,10 +545,12 @@ blacklist /tmp/.lxterminal-socket* | |||
470 | blacklist /tmp/tmux-* | 545 | blacklist /tmp/tmux-* |
471 | 546 | ||
472 | # disable terminals running as server resulting in sandbox escape | 547 | # disable terminals running as server resulting in sandbox escape |
473 | blacklist ${PATH}/lxterminal | ||
474 | blacklist ${PATH}/gnome-terminal | 548 | blacklist ${PATH}/gnome-terminal |
475 | blacklist ${PATH}/gnome-terminal.wrapper | 549 | blacklist ${PATH}/gnome-terminal.wrapper |
550 | # blacklist ${PATH}/konsole | ||
551 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | ||
476 | blacklist ${PATH}/lilyterm | 552 | blacklist ${PATH}/lilyterm |
553 | blacklist ${PATH}/lxterminal | ||
477 | blacklist ${PATH}/mate-terminal | 554 | blacklist ${PATH}/mate-terminal |
478 | blacklist ${PATH}/mate-terminal.wrapper | 555 | blacklist ${PATH}/mate-terminal.wrapper |
479 | blacklist ${PATH}/pantheon-terminal | 556 | blacklist ${PATH}/pantheon-terminal |
@@ -485,8 +562,6 @@ blacklist ${PATH}/urxvtc | |||
485 | blacklist ${PATH}/urxvtcd | 562 | blacklist ${PATH}/urxvtcd |
486 | blacklist ${PATH}/xfce4-terminal | 563 | blacklist ${PATH}/xfce4-terminal |
487 | blacklist ${PATH}/xfce4-terminal.wrapper | 564 | blacklist ${PATH}/xfce4-terminal.wrapper |
488 | # blacklist ${PATH}/konsole | ||
489 | # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 | ||
490 | 565 | ||
491 | # kernel files | 566 | # kernel files |
492 | blacklist /initrd* | 567 | blacklist /initrd* |
@@ -502,17 +577,17 @@ noblacklist ${HOME}/.local/share/flatpak/exports | |||
502 | read-only ${HOME}/.local/share/flatpak/exports | 577 | read-only ${HOME}/.local/share/flatpak/exports |
503 | blacklist ${HOME}/.local/share/flatpak/* | 578 | blacklist ${HOME}/.local/share/flatpak/* |
504 | blacklist ${HOME}/.var | 579 | blacklist ${HOME}/.var |
505 | blacklist ${RUNUSER}/app | 580 | # most of the time bwrap is SUID binary |
506 | blacklist ${RUNUSER}/doc | 581 | blacklist ${PATH}/bwrap |
507 | blacklist ${RUNUSER}/.dbus-proxy | 582 | blacklist ${RUNUSER}/.dbus-proxy |
508 | blacklist ${RUNUSER}/.flatpak | 583 | blacklist ${RUNUSER}/.flatpak |
509 | blacklist ${RUNUSER}/.flatpak-cache | 584 | blacklist ${RUNUSER}/.flatpak-cache |
510 | blacklist ${RUNUSER}/.flatpak-helper | 585 | blacklist ${RUNUSER}/.flatpak-helper |
586 | blacklist ${RUNUSER}/app | ||
587 | blacklist ${RUNUSER}/doc | ||
511 | blacklist /usr/share/flatpak | 588 | blacklist /usr/share/flatpak |
512 | noblacklist /var/lib/flatpak/exports | 589 | noblacklist /var/lib/flatpak/exports |
513 | blacklist /var/lib/flatpak/* | 590 | blacklist /var/lib/flatpak/* |
514 | # most of the time bwrap is SUID binary | ||
515 | blacklist ${PATH}/bwrap | ||
516 | 591 | ||
517 | # snap | 592 | # snap |
518 | blacklist ${RUNUSER}/snapd-session-agent.socket | 593 | blacklist ${RUNUSER}/snapd-session-agent.socket |
@@ -529,8 +604,7 @@ blacklist ${HOME}/sent | |||
529 | # kernel configuration | 604 | # kernel configuration |
530 | blacklist /proc/config.gz | 605 | blacklist /proc/config.gz |
531 | 606 | ||
532 | # prevent DNS malware attempting to communicate with the server | 607 | # prevent DNS malware attempting to communicate with the server using regular DNS tools |
533 | # using regular DNS tools | ||
534 | blacklist ${PATH}/dig | 608 | blacklist ${PATH}/dig |
535 | blacklist ${PATH}/dlint | 609 | blacklist ${PATH}/dlint |
536 | blacklist ${PATH}/dns2tcp | 610 | blacklist ${PATH}/dns2tcp |
@@ -548,8 +622,19 @@ blacklist ${PATH}/nslookup | |||
548 | blacklist ${PATH}/resolvectl | 622 | blacklist ${PATH}/resolvectl |
549 | blacklist ${PATH}/unbound-host | 623 | blacklist ${PATH}/unbound-host |
550 | 624 | ||
625 | # prevent an intruder to guess passwords using regular network tools | ||
626 | blacklist ${PATH}/ftp | ||
627 | blacklist ${PATH}/ssh | ||
628 | blacklist ${PATH}/telnet | ||
629 | |||
551 | # rest of ${RUNUSER} | 630 | # rest of ${RUNUSER} |
552 | blacklist ${RUNUSER}/*.lock | 631 | blacklist ${RUNUSER}/*.lock |
553 | blacklist ${RUNUSER}/inaccessible | 632 | blacklist ${RUNUSER}/inaccessible |
554 | blacklist ${RUNUSER}/pk-debconf-socket | 633 | blacklist ${RUNUSER}/pk-debconf-socket |
555 | blacklist ${RUNUSER}/update-notifier.pid | 634 | blacklist ${RUNUSER}/update-notifier.pid |
635 | |||
636 | # tor-browser | ||
637 | blacklist ${HOME}/.local/opt/tor-browser | ||
638 | |||
639 | # pass utility (pass package in Debian etc.) | ||
640 | blacklist ${HOME}/.password-store | ||
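Review bot: The new `blacklist ${PATH}/ssh`, `${PATH}/ftp` and `${PATH}/telnet` entries under `# prevent an intruder to guess passwords using regular network tools` are a name-based deny list, so they only remove the stock clients from the view of the sandbox; a profile that still grants network access can reach the same services through any other binary, and the comment should say so rather than read like a network restriction. Because disable-common.inc is included by most profiles, programs that legitimately spawn ssh (git over ssh, rsync, scp) will now need a `noblacklist ${PATH}/ssh` in their own profile ahead of the include, which is worth stating in the comment or the commit message. I would reword the comment to `# prevent an intruder from guessing passwords with the stock network clients; not a substitute for net none or a network filter in the profile`. The same caveat applies to the long `# from 0.9.67` block of network tools (mtr, netstat, ss, traceroute, nmcli) earlier in the file, whose comment names only the release it came from and not why those binaries are hidden.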