CISS.debian.installer/includes/target/etc/modprobe.d/0000_ciss_debian_installer.cnf

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

# The kernel allows unprivileged users to indirectly cause certain modules to be loaded via module auto-loading. This allows an
# attacker to auto-load a vulnerable module which is then exploited. One such example is CVE-2017-6074, in which an attacker
# could trigger the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a vulnerability in said
# kernel module. Specific kernel modules can be blacklisted by inserting files into '/etc/modprobe.d' with instructions on which
# kernel modules to blacklist.

##### Disable Uncommon Network Protocols #####

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true

#	DCCP	    Datagram Congestion Control Protocol
#	SCTP	    Stream Control Transmission Protocol
#	RDS	      Reliable Datagram Sockets
#	TIPC	    Transparent Inter-process Communication
#	HDLC	    High-Level Data Link Control
#	AX25	    Amateur X.25
#	NetRom
#	X25
#	ROSE
#	DECnet
#	Econet
#	af_802154	IEEE 802.15.4
#	IPX		    Internetwork Packet Exchange
#	AppleTalk
#	PSNAP		  Subnetwork Access Protocol
#	p8023		  Novell raw IEEE 802.3
#	p8022		  IEEE 802.2
#	CAN		    Controller Area Network
#	ATM


##### Disable Uncommon Filesystems #####
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true

blacklist cramfs
blacklist freevxfs
blacklist jffs2
blacklist hfs
blacklist hfsplus
blacklist squashfs
blacklist udf


##### Disable Uncommon Network Filesystems #####
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true

blacklist cifs
blacklist nfs
blacklist nfsv3
blacklist nfsv4
blacklist ksmbd
blacklist gfs2


# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true


##### Disable access to USB #####
install usb_storage /bin/true
blacklist usb-storage


##### Disable access to IEEE1394 #####
install firewire-core /bin/true


##### Blacklist automatic loading of miscellaneous modules #####
##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
# evbug is a debug tool that should be loaded explicitly
blacklist evbug
# these drivers are very simple
blacklist usbmouse
blacklist usbkbd
# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394
# ugly and loud noise, getting on everyone's nerves
blacklist pcspkr

# Descriptions partly Copyright (c) 2022 madaidan, https://madaidans-insecurities.github.io/index.html
# Descriptions partly Copyright https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf