From aba1de2eeff32d30bed6bb9533b4d0989303aba0 Mon Sep 17 00:00:00 2001
From: mivirl <>
Date: Mon, 24 Jun 2024 20:54:19 -0500
Subject: [PATCH] hide-hardware: remove hide-hardware.sh

The script may provide some additional privacy, but it's outside the scope of a hardening script that's intended for competitions where the red team doesn't need to be particularly subtle. There isn't much point in including it.
---
hide-hardware.sh | 129 ----------------------------------------------
linux.sh | 4 --
2 files changed, 133 deletions(-)
delete mode 100755 hide-hardware.sh

diff --git a/hide-hardware.sh b/hide-hardware.sh
deleted file mode 100755
index ab10da8..0000000
--- a/hide-hardware.sh
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-set -e
-
-run_cmd() {
- echo "INFO: normal executing : $@"
- "$@"
-}
-
-run_cmd_whitelist() {
- echo "INFO: whitelist executing: $@"
- "$@"
-}
-
-echo "$0: INFO: START"
-
-sysfs_whitelist=1
-cpuinfo_whitelist=1
-
-sysfs=1
-
-## https://www.kicksecure.com/wiki/Security-misc#selinux
-selinux=0
-
-shopt -s nullglob
-
-## Allows for disabling the whitelist.
-for i in /etc/hide-hardware-info.d/*.conf
-do
- bash -n "${i}"
- source "${i}"
-done
-
-create_whitelist() {
- if [ "${1}" = "sysfs" ]; then
- whitelist_path="/sys"
- elif [ "${1}" = "cpuinfo" ]; then
- whitelist_path="/proc/cpuinfo"
- else
- echo "ERROR: ${1} is not a correct parameter."
- exit 1
- fi
-
- if grep -q "${1}" /etc/group; then
- ## Changing the permissions of /sys recursively
- ## causes errors as the permissions of /sys/kernel/debug
- ## and /sys/fs/cgroup cannot be changed.
- run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true
-
- run_cmd_whitelist chmod o-rwx "${whitelist_path}"
- else
- echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
- fi
-}
-
-## sysfs and debugfs expose a lot of information
-## that should not be accessible by an unprivileged
-## user which includes hardware info, debug info and
-## more. This restricts /sys, /proc/cpuinfo, /proc/bus
-## and /proc/scsi to the root user only. This hides
-## many hardware identifiers from ordinary users
-## and increases security.
-for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
-do
- if [ -e "${i}" ]; then
- if [ "${i}" = "/sys" ]; then
- if [ "${sysfs}" = "1" ]; then
- ## Whitelist for /sys.
- if [ "${sysfs_whitelist}" = "1" ]; then
- create_whitelist sysfs
- else
- echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..."
- run_cmd chmod og-rwx /sys
- fi
- fi
- elif [ "${i}" = "/proc/cpuinfo" ]; then
- if [ "${cpuinfo_whitelist}" = "1" ]; then
- create_whitelist cpuinfo
- else
- echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..."
- run_cmd chmod og-rwx /proc/cpuinfo
- fi
- else
- run_cmd chmod og-rwx "${i}"
- fi
- else
- ## /proc/scsi doesn't exist on Debian so errors
- ## are expected here.
- if ! [ "${i}" = "/proc/scsi" ]; then
- echo "ERROR: ${i} could not be found."
- fi
- fi
-done
-
-
-if [ "${sysfs}" = "1" ]; then
- ## restrict permissions on everything but
- ## what is needed
- for i in /sys/* /sys/fs/*
- do
- ## Using '|| true':
- ## https://github.com/Kicksecure/security-misc/pull/108
- if [ "${sysfs_whitelist}" = "1" ]; then
- run_cmd chmod o-rwx "${i}" || true
- else
- run_cmd chmod og-rwx "${i}" || true
- fi
- done
-
- ## polkit needs stat access to /sys/fs/cgroup
- ## to function properly
- run_cmd chmod o+rx /sys /sys/fs
-
- ## on SELinux systems, at least /sys/fs/selinux
- ## must be visible to unprivileged users, else
- ## SELinux userspace utilities will not function
- ## properly
- if [ -d /sys/fs/selinux ]; then
- echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
- echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
- run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux
- echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
- fi
-fi
-
-echo "$0: INFO: END"
diff --git a/linux.sh b/linux.sh
index b5fd00e..3709175 100755
--- a/linux.sh
+++ b/linux.sh
@@ -784,10 +784,6 @@ fi # update-grub #log_error "Not yet implemented"
-# ------------------------------------------------------------------------------
-log_info "Hiding hardware info"
-./hide-hardware.sh
-
 # ------------------------------------------------------------------------------
 log_info "Disabling services"
 if [ -e "/etc/inetd.conf" -o -d "/etc/inetd.d" ]; then
-- 
2.39.5