Reduced Attack Surface

Obscurix reduces the attack surface as much as possible. It ships with a small number of packages and blacklists unneeded and potentially dangerous kernel modules.

Blacklisted Modules

Uncommon network protocols are blacklisted: they may contain vulnerabilities that have not been found yet, and several of them have had serious vulnerabilities in the past. The blacklist lives in /etc/modprobe.d.

The cramfs, freevxfs, jffs2, hfs, hfsplus and udf filesystem drivers are blacklisted because they are rarely used, and an unused filesystem driver is nothing but parsing attack surface for anyone who can get a crafted image mounted.

Bluetooth, FireWire and Thunderbolt are blacklisted. Bluetooth lets nearby devices connect to your system and has a long history of security vulnerabilities. Thunderbolt and FireWire give attached devices direct memory access and can be used for DMA attacks.

Netfilter's automatic conntrack helper assignment is disabled. The helpers parse application-layer protocols such as FTP, SIP and H.323 inside the kernel and dynamically open the related connections they expect through the firewall, so an attacker who can shape that traffic gets both kernel parsing attack surface and a way to punch holes in the firewall rules.

The webcam kernel module is blacklisted from loading so an attacker who compromises the system cannot use the camera to spy on you. Note that a modprobe blacklist only raises the bar: an attacker with root can still load the module by hand unless module loading is locked down (for example with the kernel.modules_disabled=1 sysctl, which cannot be undone without a reboot).

The PC speaker module is blacklisted for discretion: it can make the machine beep or emit other noises.

The MEI is the interface between the host and the Intel ME. The Intel ME is a separate processor in the chipset of modern Intel platforms with a lot of attack surface. Because of this, the MEI driver may be useful to an attacker for gaining control over your system and is blacklisted. Blacklisting the driver only removes the host-side interface; the ME itself keeps running. The MEI driver also triggers a bug on some hardware where a shutdown turns into a reboot.
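An added example, not part of the Obscurix project or its configuration: a small POSIX shell audit of a modprobe.d directory that reports how each module is denied. The distinction matters in practice: a plain `blacklist foo` line only stops alias-based autoloading (an explicit `modprobe foo`, or loading as a dependency of another module, still works), whereas `install foo /bin/false` (or `/bin/true`) makes modprobe run that command instead of loading the module, so explicit loads fail too. The sample config and the module names in it are constructed for the example and are not Obscurix's actual list.

```shell
#!/bin/sh
# Added example (not Obscurix's own tooling): audit a modprobe.d directory and
# report, per module, whether it is denied by "blacklist" (autoload only) or by
# an "install <mod> /bin/false|/bin/true" override (explicit loads fail too).
# The sample configuration below is constructed for this example.

# Write a constructed sample config into the directory given as $1.
write_sample_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/sample-hardening.conf" <<'EOF'
# constructed sample, not a real Obscurix file
blacklist cramfs
blacklist udf   # filesystem driver, autoload only
install dccp /bin/false
install sctp /bin/true
blacklist bluetooth
install bluetooth /bin/false
options snd_hda_intel power_save=1
EOF
}

# Print "install", "blacklist" or "none" for module $2 under directory $1.
# An install override wins over a blacklist line for the same module.
module_denial() {
    cat "$1"/*.conf 2>/dev/null | awk -v m="$2" '
        { sub(/#.*/, "") }                       # strip comments, re-split fields
        $1 == "install" && $2 == m &&
            ($3 == "/bin/false" || $3 == "/bin/true") { found = "install" }
        $1 == "blacklist" && $2 == m && found == "" { found = "blacklist" }
        END { print (found == "" ? "none" : found) }
    '
}

# List every denied module in directory $1, one per line: "<module> <how>".
denied_modules() {
    cat "$1"/*.conf 2>/dev/null | awk '
        { sub(/#.*/, "") }
        $1 == "install" && ($3 == "/bin/false" || $3 == "/bin/true") { how[$2] = "install-override" }
        $1 == "blacklist" && how[$2] == "" { how[$2] = "blacklist-autoload-only" }
        END { for (m in how) print m, how[m] }
    ' | sort
}

# Stand-alone demo against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_config "$tmp"
    denied_modules "$tmp"
    rm -rf "$tmp"
fi
```

On a running system the same decision can be confirmed per module with a dry run, `modprobe -n -v <module>`, which prints the `install` command modprobe would execute instead of loading it; `lsmod` then shows whether it was already loaded before the blacklist took effect.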

Wireless Devices

At boot, Obscurix uses rfkill to soft-block every class of wireless device except WiFi. This blocks Bluetooth among others and reduces the attack surface.

Setuid and Capabilities

A setuid binary runs with the privileges of its owner rather than those of the user who executed it. Some binaries are owned by root and made setuid so that an unprivileged user can perform a few privileged operations. This adds a lot of attack surface, because a vulnerability in such a binary can lead directly to privilege escalation. Because of this, Obscurix removes the setuid/setgid bit from many unneeded binaries.

Capabilities split root up into separate privileges. Instead of making a binary setuid, you can give it a single capability so it can perform only one kind of privileged operation instead of anything at all. This still adds a lot of attack surface, since a vulnerability in the binary can lead to partial root access, and Brad Spengler has shown that many individual capabilities allow trivial escalation to full root. Because of this, Obscurix removes capabilities from any unneeded binaries.
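An added example, not part of the Obscurix project: a POSIX shell audit that enumerates setuid/setgid files and file capabilities below a directory and strips them from a chosen file. `find -perm -4000` and `[ -u ]` are POSIX; `getcap`/`setcap` come from libcap and are only invoked when installed. On a real system run the audit as root over `/` (the `-xdev` keeps it on one filesystem), then decide per binary: stripping the bit from something that genuinely needs it (su, sudo, passwd, ping without capabilities) breaks it for unprivileged users, which is why the text says "unneeded".

```shell
#!/bin/sh
# Added example (not Obscurix's own tooling): find setuid/setgid files and
# file capabilities under a root directory, and remove them from a given file.
# Sample files for the stand-alone demo are constructed in a temp directory.

# List files under $1 carrying the setuid or setgid bit, one per line.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# List files under $1 carrying file capabilities (needs getcap from libcap).
find_filecaps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    else
        echo "getcap not installed; skipping capability scan" >&2
    fi
    return 0
}

# Report "setuid", "setgid", "setuid,setgid" or "none" for file $1.
setid_bits() {
    out=""
    [ -u "$1" ] && out="setuid"
    if [ -g "$1" ]; then out="${out:+$out,}setgid"; fi
    echo "${out:-none}"
}

# Strip the setuid/setgid bits and any file capabilities from file $1.
# setcap -r fails on a file that has no capabilities, so ignore that error.
strip_privileges() {
    chmod u-s,g-s "$1"
    if command -v setcap >/dev/null 2>&1; then
        setcap -r "$1" 2>/dev/null || true
    fi
    return 0
}

# Stand-alone demo: audit a constructed tree, strip one file, audit again.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    : > "$tmp/needs-root"; chmod 4755 "$tmp/needs-root"   # constructed sample
    : > "$tmp/group-tool"; chmod 2755 "$tmp/group-tool"   # constructed sample
    : > "$tmp/plain";      chmod 755  "$tmp/plain"
    echo "before:"; find_setid "$tmp"; find_filecaps "$tmp"
    strip_privileges "$tmp/needs-root"
    echo "after:";  find_setid "$tmp"
    rm -rf "$tmp"
fi
```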