Kicksecure · adrelanos · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024
diff --git a/README.md b/README.md
@@ -150,8 +150,8 @@ disabling should first be blacklisted for a suitable amount of time.
 
 -   FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
--   GPS: Disables GPS-related modules responsible systems such as for Global
-    Navigation Satellite System (GNSS).
+-   GPS: Disable GPS-related modules such as those required for Global Navigation 
+    Satellite Systems (GNSS).
 
 -   Intel Management Engine (ME): Provides some disabling of the interface between the
     Intel ME and the OS.
@@ -160,7 +160,8 @@ disabling should first be blacklisted for a suitable amount of time.
 
 -   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
 
--   Miscellaneous: Disable an assortment other modules such as vivid.
+-   Miscellaneous: Disable an assortment other modules such as those required
+    for amateur radio, floppy disks, and vivid.
 
 -   Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 

diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
@@ -31,6 +31,7 @@ rm_conffile /etc/modprobe.d/vivid.conf
 rm_conffile /etc/modprobe.d/blacklist-dma.conf
 rm_conffile /etc/modprobe.d/msr.conf
 rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+rm_conffile /etc/modprobe.d/30_security-misc.conf
 
 ## renamed to /etc/security/limits.d/30_security-misc.conf
 rm_conffile /etc/security/limits.d/disable-coredumps.conf
@@ -66,3 +67,6 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
 rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## repalced with /usr/bin/disabled-miscellaneous-by-security-misc
+rm_conffile /usr/bin/disabled-vivid-by-security-misc
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -63,11 +63,8 @@ blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
 blacklist bcm43xx
-blacklist eepro100
-blacklist eth1394
 blacklist evbug
 blacklist de4x5
-blacklist garmin_gps
 blacklist pcspkr
 blacklist prism54
 blacklist snd_aw2

diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
@@ -16,25 +16,42 @@
 ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth_6lowpan  /usr/bin/disabled-bluetooth-by-security-misc
+#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+#install btintel /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btqca /usr/bin/disabled-bluetooth-by-security-misc
+#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 
 ## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ##
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
 ## https://github.com/Kicksecure/security-misc/issues/215
 ##
-#install msr /usr/bin/disabled-msr-by-security-misc
+#install msr /usr/bin/disabled-miscellaneous-by-security-misc
 
 ## File Systems:
 ## Disable uncommon file systems to reduce attack surface.
-## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
+## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
 ##
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
 install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc
 
 ## FireWire (IEEE 1394):
@@ -55,6 +72,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
+install garmin_gps /usr/bin/disabled-gps-by-security-misc
 install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
@@ -73,54 +91,122 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Common Internet File System (CIFS):
+##
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Network File System (NFS):
+##
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
+install nfsd /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ##
 ## https://tails.boum.org/blueprint/blacklist_modules/
-## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
 ##
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
-install atm /usr/bin/disabled-network-by-security-misc
 install ax25 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
+install brcm80211 /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install dccp /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
 install ipx /usr/bin/disabled-network-by-security-misc
 install n-hdlc /usr/bin/disabled-network-by-security-misc
 install netrom /usr/bin/disabled-network-by-security-misc
 install p8022 /usr/bin/disabled-network-by-security-misc
 install p8023 /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
+##
+## Asynchronous Transfer Mode (ATM):
+##
+install atm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
+##
+## Controller Area Network (CAN) Protocol:
+##
+install c_can /usr/bin/disabled-network-by-security-misc
+install c_can_pci /usr/bin/disabled-network-by-security-misc
+install c_can_platform /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install can-bcm /usr/bin/disabled-network-by-security-misc
+install can-dev /usr/bin/disabled-network-by-security-misc
+install can-gw /usr/bin/disabled-network-by-security-misc
+install can-isotp /usr/bin/disabled-network-by-security-misc
+install can-raw /usr/bin/disabled-network-by-security-misc
+install can-j1939 /usr/bin/disabled-network-by-security-misc
+install can327 /usr/bin/disabled-network-by-security-misc
+install ifi_canfd /usr/bin/disabled-network-by-security-misc
+install janz-ican3 /usr/bin/disabled-network-by-security-misc
+install m_can /usr/bin/disabled-network-by-security-misc
+install m_can_pci /usr/bin/disabled-network-by-security-misc
+install m_can_platform /usr/bin/disabled-network-by-security-misc
+install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
+install slcan /usr/bin/disabled-network-by-security-misc
+install ucan /usr/bin/disabled-network-by-security-misc
+install vxcan /usr/bin/disabled-network-by-security-misc
+install vcan /usr/bin/disabled-network-by-security-misc
+##
+## Transparent Inter Process Communication (TIPC):
+##
+install tipc /usr/bin/disabled-network-by-security-misc
+install tipc_diag /usr/bin/disabled-network-by-security-misc
+##
+## Reliable Datagram Sockets (RDS):
+##
+install rds /usr/bin/disabled-network-by-security-misc
+install rds_rdma /usr/bin/disabled-network-by-security-misc
+install rds_tcp /usr/bin/disabled-network-by-security-misc
+##
+## Stream Control Transmission Protocol (SCTP):
+##
+install sctp /usr/bin/disabled-network-by-security-misc
+install sctp_diag /usr/bin/disabled-network-by-security-misc
 
 ## Miscellaneous:
 ##
+## Amateur Radios:
+##
+install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+##
+## Floppy Disks:
+##
+install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 ##
-install vivid /usr/bin/disabled-vivid-by-security-misc
+install vivid /usr/bin/disabled-miscellaneous-by-security-misc
 
 ## Thunderbolt:
 ## Disables Thunderbolt modules to prevent some DMA attacks.
 ##
 ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
 ##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-vivid-by-security-misc → ...n/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-vivid-by-security-misc → ...n/disabled-miscellaneous-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1
diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc
@@ -5,6 +5,6 @@
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
 
-echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 
 exit 1