CDROM Hardening and User Experience #348

@BasiruAbdul1992

Can we, as in Kicksecure, have CDROM hardening while still keeping user functionality of CD/DVD drives?
I want to propose that we reevaluate or look into the handling of CD/DVDs in Kicksecure for users.

Example of a drop-in: /etc/sysctl.d/99-cdrom-controls.conf:

## CDROM controls
# Disable auto-close
dev.cdrom.autoclose=0
# Disable auto-eject
dev.cdrom.autoeject=0
# Locks the CD-ROM tray against being opened via the hardware button - UNCOMMENT ONLY IF NEEDED
#dev.cdrom.lock = 1
# Disable CDROM debugging
dev.cdrom.debug=0

dev.cdrom.autoclose=0 # Default is 1 (enabled)

Disables automatic tray closure after media access, prevents scripted tray cycling attacks or unexpected behavior in automated environments.
This one alone I feel is a must when having them enabled, for two reasons I have experienced. Pressure load, if a user's cd_rom is using more watts than their PSU is rated for (example: power supply rated for 1000 watts but setup with CD tray is more than their setup), leads to autoclose of the drive.

dev.cdrom.autoeject=0

Ensures tray doesn't auto-eject on media removal/unmount, avoids physical DoS via repeated ejects.

dev.cdrom.debug=0

Prevents verbose logging that could leak drive info or aid reconnaissance.

I see none set in the drop-in files:

https://github.com/Kicksecure/security-misc/tree/master/usr/lib/sysctl.d

Normally I have only seen cdrom being used, not sr_mod, due to usage on legacy desktops or laptops that have one built in.

Maybe just disabling autoclose, autoeject, and debug via sysctl.d would be sufficient rather than blacklisting the full functionality.


Basically what would be best for CDROM handling is:

  • No auto-eject/close
  • Read/Write data access with secure mount
  • No desktop interference popups
  • Physical button eject working at hardware/firmware level

Wanted outcome

Still have CD/DVD drive functionality in Kicksecure since DVD-R remains the best option for users who need "Read Only" functionality for security with the Tailored Access/Supply Chain Threat Model.

CD/DVD-R are available worldwide in person in stores (though future trends may or may not move away, heading towards legacy media)
SD cards' write-protect switch does not fully provide protection
Once data is burned to DVD/CD-R media it is Read Only (not RW)
Provides a way for users to store LUKS Headers, Private Keys, or Password Manager key files for authentication/unlocking on CD/DVD.


Middle ground:

  • Keep blacklist for cdrom/sr_mod
  • Disable autoclose, autoeject, and debug for CD/DVD drives
  • Provide plugin in sysmaint panel that comments or uncomments the line in the GUI

Notes for checking:

ls /proc/sys/dev/cdrom/
sysctl -a | grep cdrom
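
The check under "Notes for checking" can be scripted. The following is an added example, not part of the original issue or of Kicksecure's code: it compares the active dev.cdrom.* lines of a drop-in with the live values. The function names, the PROCDIR override and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare active dev.cdrom.* lines of a sysctl drop-in with live values.
# audit_cdrom_sysctl DROPIN [PROCDIR]   (PROCDIR override is for offline testing)
# Returns 0 = all match, 1 = drift, 2 = unreadable drop-in or cdrom sysctls absent.
audit_cdrom_sysctl() {
    dropin=$1
    procdir=${2:-/proc/sys/dev/cdrom}
    [ -r "$dropin" ] || { echo "cannot read $dropin" >&2; return 2; }
    # The directory does not exist unless the kernel's cdrom sysctls are
    # registered (not the case while the module is blacklisted).
    [ -d "$procdir" ] || { echo "ABSENT $procdir"; return 2; }
    # Keep active lines only (commented ones such as "#dev.cdrom.lock = 1" are
    # skipped) and normalise "key = value" to "key=value".
    settings=$(sed -n 's/^[[:space:]]*\(dev\.cdrom\.[a-z_]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1=\2/p' "$dropin")
    status=0
    for kv in $settings; do
        key=${kv%%=*}
        want=${kv#*=}
        file=$procdir/${key##*.}
        if [ ! -r "$file" ]; then
            echo "MISSING $key"; status=1; continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "DRIFT $key: live=$have dropin=$want"; status=1
        fi
    done
    return "$status"
}

# Constructed sample: the drop-in from the issue plus made-up "live" values,
# with autoclose left at 1 (the default according to the issue).
make_sample() {
    d=$(mktemp -d) && mkdir "$d/proc" || return 1
    printf '%s\n' '## CDROM controls' 'dev.cdrom.autoclose=0' 'dev.cdrom.autoeject=0' \
        '#dev.cdrom.lock = 1' 'dev.cdrom.debug=0' > "$d/99-cdrom-controls.conf"
    echo 1 > "$d/proc/autoclose"; echo 0 > "$d/proc/autoeject"; echo 0 > "$d/proc/debug"
    echo "$d"
}

sample=$(make_sample)
audit_cdrom_sysctl "$sample/99-cdrom-controls.conf" "$sample/proc" || echo "exit status $?"
rm -rf "$sample"
```

On a real system, call `audit_cdrom_sysctl /etc/sysctl.d/99-cdrom-controls.conf` with no second argument so it reads /proc/sys/dev/cdrom.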
