V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

@@ -0,0 +1,114 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The kernel allows unprivileged users to indirectly cause certain modules to be loaded
+# via module auto-loading. This allows an attacker to auto-load a vulnerable module which
+# is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
+# the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
+# vulnerability in said kernel module.
+# Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
+# instructions on which kernel modules to blacklist.
+
+##### Disable Uncommon Network Protocols #####
+
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+install n-hdlc /bin/true
+install ax25 /bin/true
+install netrom /bin/true
+install x25 /bin/true
+install rose /bin/true
+install decnet /bin/true
+install econet /bin/true
+install af_802154 /bin/true
+install ipx /bin/true
+install appletalk /bin/true
+install psnap /bin/true
+install p8023 /bin/true
+install p8022 /bin/true
+install can /bin/true
+install atm /bin/true
+
+#	DCCP      Datagram Congestion Control Protocol
+#	SCTP      Stream Control Transmission Protocol
+#	RDS       Reliable Datagram Sockets
+#	TIPC      Transparent Inter-process Communication
+#	HDLC      High-Level Data Link Control
+#	AX25      Amateur X.25
+#	NetRom
+#	X25
+#	ROSE
+#	DECnet
+#	Econet
+#	af_802154 IEEE 802.15.4
+#	IPX       Internetwork Packet Exchange
+#	AppleTalk
+#	PSNAP     Subnetwork Access Protocol
+#	p8023     Novell raw IEEE 802.3
+#	p8022     IEEE 802.2
+#	CAN       Controller Area Network
+#	ATM
+
+##### Disable Uncommon Filesystems #####
+install cramfs /bin/true
+install freevxfs /bin/true
+install jffs2 /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install udf /bin/true
+
+blacklist cramfs
+blacklist freevxfs
+blacklist jffs2
+blacklist hfs
+blacklist hfsplus
+blacklist udf
+
+##### Disable Uncommon Network Filesystems #####
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install ksmbd /bin/true
+install gfs2 /bin/true
+
+blacklist cifs
+blacklist nfs
+blacklist nfsv3
+blacklist nfsv4
+blacklist ksmbd
+blacklist gfs2
+
+# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
+install vivid /bin/true
+
+##### Disable access to USB #####
+install usb_storage /bin/true
+blacklist usb-storage
+
+##### Disable access to IEEE1394 #####
+install firewire-core /bin/true
+
+##### Blacklist automatic loading of miscellaneous modules #####
+##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
+# evbug is a debug tool that should be loaded explicitly
+blacklist evbug
+# these drivers are very simple
+blacklist usbmouse
+blacklist usbkbd
+# causes no end of confusion by creating unexpected network interfaces
+blacklist eth1394
+# ugly and loud noise, getting on everyone's nerves
+blacklist pcspkr
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh