/usr/bin/systemd-analyze security
UNIT EXPOSURE PREDICATE HAPPY
alsa-state.service 9.6 UNSAFE 😨
dbus.service 9.6 UNSAFE 😨
emergency.service 9.5 UNSAFE 😨
[email protected] 9.6 UNSAFE 😨
iwd.service 6.0 MEDIUM 😐
lynis.service 9.6 UNSAFE 😨
polkit.service 9.6 UNSAFE 😨
rc-local.service 9.6 UNSAFE 😨
rescue.service 9.5 UNSAFE 😨
systemd-ask-password-console.service 9.4 UNSAFE 😨
systemd-ask-password-wall.service 9.4 UNSAFE 😨
systemd-fsckd.service 9.5 UNSAFE 😨
systemd-initctl.service 9.4 UNSAFE 😨
systemd-journald.service 4.3 OK 🙂
systemd-logind.service 2.8 OK 🙂
systemd-networkd.service 2.6 OK 🙂
systemd-resolved.service 2.1 OK 🙂
systemd-rfkill.service 9.4 UNSAFE 😨
systemd-udevd.service 7.1 MEDIUM 😐
[email protected] 9.4 UNSAFE 😨
systemctl list-unit-files --state=enabled
UNIT FILE STATE PRESET
e2scrub_reap.service enabled enabled
[email protected] enabled enabled
iwd.service enabled enabled
systemd-pstore.service enabled enabled
systemd-resolved.service enabled enabled
remote-fs.target enabled enabled
apt-daily-upgrade.timer enabled enabled
apt-daily.timer enabled enabled
dpkg-db-backup.timer enabled enabled
e2scrub_all.timer enabled enabled
fstrim.timer enabled enabled
lynis.timer enabled enabled
man-db.timer enabled enabled
https://github.com/kzwkt/systemd-analyze-security
/usr/bin/systemd-analyze security alsa-state.service
USB device toggle
lsusb
lsusb -t
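Take the device's bus-port path from the lsusb -t tree (for example '2-1.1': bus 2, port 1, then port 1 on that hub) and write it to unbind: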
echo '2-1.1' > /sys/bus/usb/drivers/usb/unbind
To unload the USB storage modules:
ls /lib/modules/`uname -r`/kernel/drivers/usb/storage
# lsmod | grep -i usb-storage
modprobe -r uas
modprobe -r usb-storage
# modinfo usb-storage
# lsscsi -H
vi /etc/modprobe.d/blacklist.conf
blacklist usb-storage
sudo vi /etc/modprobe.d/fake_usb.conf
install usb-storage /bin/true
blacklist firewire
nano /etc/modprobe.d/blacklist-firewire.conf
blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394
#blacklist firewire-ohci
#blacklist firewire-sbp2
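Added example, not part of the original notes: a small checker that shows why the notes pair `blacklist usb-storage` with an `install usb-storage /bin/true` override. The function names, the temporary directory and the sample files are constructed for illustration, and only one config directory is read.

```shell
#!/bin/sh
# Added example (not from the original page). Classifies how the modprobe
# configuration in one directory treats a module:
#   blocked        - "install <mod> /bin/true" (or false): modprobe runs that
#                    command instead of loading the module (insmod bypasses it)
#   blacklist-only - only alias-based autoloading is suppressed; an explicit
#                    "modprobe <mod>" or a dependency can still load it
#   unrestricted   - no matching directive
# Assumption: only CONF_DIR is read; the real tool also merges /run and /usr/lib.
modprobe_policy() {
    want=$(printf '%s' "$1" | sed 's/-/_/g')   # modprobe treats '-' and '_' alike
    dir=${2:-/etc/modprobe.d}
    cat "$dir"/*.conf 2>/dev/null | awk -v want="$want" '
        /^[ \t]*#/ { next }                     # commented-out directives do not count
        { name = $2; gsub(/-/, "_", name) }
        $1 == "blacklist" && name == want { bl = 1 }
        $1 == "install" && name == want && $3 ~ /^(\/usr)?\/bin\/(true|false)$/ { inst = 1 }
        END {
            if (inst)    print "blocked"
            else if (bl) print "blacklist-only"
            else         print "unrestricted"
        }'
}

# Constructed sample config mirroring the snippets on this page.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'blacklist usb-storage\n'         > "$d/blacklist.conf"
    printf 'install usb-storage /bin/true\n' > "$d/fake_usb.conf"
    printf 'blacklist ohci1394\n#blacklist firewire-ohci\n' > "$d/blacklist-firewire.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
for m in usb_storage ohci1394 firewire-ohci uas; do
    printf '%-14s %s\n' "$m" "$(modprobe_policy "$m" "$sample")"
done
rm -rf "$sample"
```

Run against `/etc/modprobe.d`, any module reported as `blacklist-only` can still be loaded by hand or pulled in as a dependency until an `install` override is added for it.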
cat /etc/login.defs
UMASK 077
blacklist uncommon modules
https://gitlab.tails.boum.org/tails/blueprints/-/wikis/blacklist_modules/
https://wiki.ubuntu.com/Security/Features#blacklist-rare-net
https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
https://github.com/Kicksecure/security-misc/blob/master/etc/modprobe.d/30_security-misc.conf
https://github.com/Kicksecure/security-misc/blob/master/etc/apt/apt.conf.d/40sandbox