Kicksecure · adrelanos · Jul 13, 2024 · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024
diff --git a/README.md b/README.md
@@ -122,63 +122,46 @@ preventing new modules from being loaded. Since this isn't configured directly
 within systemctl, it does not break the loading of legitimate and necessary
 modules for the user, like drivers etc., given they are plugged in on startup.
 
-#### Disables and blacklists kernel modules
-
-Certain kernel modules are disabled and blacklisted by default to reduce attack
-surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
-
--   Deactivates Netfilter's connection tracking helper - this module increases
-    kernel attack surface by enabling superfluous functionality such as IRC
-    parsing in the kernel. Hence, this feature is disabled.
-
--   Thunderbolt and numerous FireWire kernel modules are also disabled as they
-    are often vulnerable to DMA attacks.
-
--   The MSR kernel module is disabled to prevent CPU MSRs from being abused to
-    write to arbitrary memory.
-
--   Uncommon network protocols are blacklisted. This includes:
-
-    -   DCCP - Datagram Congestion Control Protocol
-    -   SCTP - Stream Control Transmission Protocol
-    -   RDS - Reliable Datagram Sockets
-    -   TIPC - Transparent Inter-process Communication
-    -   HDLC - High-Level Data Link Control
-    -   AX25 - Amateur X.25
-    -   NetRom
-    -   X25
-    -   ROSE
-    -   DECnet
-    -   Econet
-    -   af_802154 - IEEE 802.15.4
-    -   IPX - Internetwork Packet Exchange
-    -   AppleTalk
-    -   PSNAP - Subnetwork Access Protocol
-    -   p8023 - Novell raw IEEE 802.3
-    -   p8022 - IEEE 802.2
-    -   CAN - Controller Area Network
-    -   ATM
-
--   Disables a large array of uncommon file systems and network file systems
-    that reduces the attack surface especially against legacy approaches.
-
--   The vivid kernel module is only required for testing and has been the cause
-    of multiple vulnerabilities so it is disabled.
-
--   Provides some disabling of the interface between the [Intel Management
-    Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html)
-    and the OS.
-
--   Disables several kernel modules responsible for GPS such as GNSS (Global
-    Navigation Satellite System).
-
--   Incorporates much of
-    [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco)
-    default blacklist of modules to be blocked from automatically loading.
-    However, they are still permitted to load.
-
--   Blocks automatic loading of the modules needed to use of CD-ROM devices by
-    default. Not completely disabled yet.
+#### Blacklist and disable kernel modules
+
+Certain kernel modules are blacklisted by default to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
+modules from automatically starting.
+
+-   CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
+
+-   Conntrack: Deactivates Netfilter's connection tracking helper - this module
+    increases kernel attack surface by enabling superfluous functionality such
+    as IRC parsing in the kernel. Hence, this feature is disabled.
+
+-   Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause 
+    kernel panics, and are generally only used by legacy devices. 
+
+-   Miscellaneous: Blacklist an assortment other modules to prevent them from
+    automatically loading.
+
+Specific kernel modules are entirely disabled to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
+modules from starting. This approach should not be considered comprehensive,
+rather it is a form of badness enumeration.
+
+-   File Systems: Disable uncommon and legacy file systems.
+
+-   FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
+
+-   GPS: Disables GPS-related modules responsible systems such as for Global
+    Navigation Satellite System (GNSS).
+
+-   Intel Management Engine (ME): Provides some disabling of the interface between the
+    Intel ME and the OS.
+
+-   Network File Systems: Disable uncommon and legacy network file systems.
+
+-   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
+
+-   Miscellaneous: Disable an assortment other modules such as vivid.
+
+-   Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 
 ### Other
 

diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
@@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
 
-## merged into 1 file /etc/modprobe.d/30_security-misc.conf
+## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf

diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse