# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# The kernel allows unprivileged users to indirectly cause certain modules to be loaded
# via module auto-loading. This allows an attacker to auto-load a vulnerable module which
# is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
# the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
# vulnerability in said kernel module.
# Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
# instructions on which kernel modules to blacklist.

##### Disable Uncommon Network Protocols #####
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true

# DCCP       Datagram Congestion Control Protocol
# SCTP       Stream Control Transmission Protocol
# RDS        Reliable Datagram Sockets
# TIPC       Transparent Inter-process Communication
# HDLC       High-Level Data Link Control
# AX25       Amateur X.25 (packet radio)
# NetRom     NET/ROM amateur packet radio network layer on top of AX.25
# X25        ITU-T X.25 packet-switched network protocol
# ROSE       RATS Open Systems Environment (amateur packet radio)
# DECnet     Digital Equipment Corporation network protocol suite
# Econet     Acorn Computers local area network protocol
# af_802154  IEEE 802.15.4 (low-rate wireless personal area networks)
# IPX        Internetwork Packet Exchange
# AppleTalk  Apple's legacy network protocol suite
# PSNAP      Subnetwork Access Protocol
# p8023      Novell raw IEEE 802.3
# p8022      IEEE 802.2
# CAN        Controller Area Network
# ATM        Asynchronous Transfer Mode

##### Disable Uncommon Filesystems #####
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true
blacklist cramfs
blacklist freevxfs
blacklist jffs2
blacklist hfs
blacklist hfsplus
blacklist udf

##### Disable Uncommon Network Filesystems #####
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true
blacklist cifs
blacklist nfs
blacklist nfsv3
blacklist nfsv4
blacklist ksmbd
blacklist gfs2

# The vivid driver is only useful for testing purposes and has been the cause of
# privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true

##### Disable access to USB #####
install usb_storage /bin/true
blacklist usb-storage

##### Disable access to IEEE1394 #####
install firewire-core /bin/true

##### Blacklist automatic loading of miscellaneous modules #####
##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
# evbug is a debug tool that should be loaded explicitly
blacklist evbug
# these drivers are very simple
blacklist usbmouse
blacklist usbkbd
# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394
# ugly and loud noise, getting on everyone's nerves
blacklist pcspkr

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
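A drop-in like the one above only helps if every module you meant to disable is actually covered, and `blacklist` alone does not stop an explicit `modprobe` or a dependency load; only the `install <module> /bin/true` override does. The following POSIX shell example is added here and is not part of the CISS.debian.live.builder project. It parses modprobe.d syntax from a constructed sample (`SAMPLE_CONF`), lists the modules whose loading is overridden, lists the ones that are merely blacklisted, and offers a dry-run check against the live system. It goes slightly beyond the file above in accepting both `/bin/true` and `/bin/false` as override targets and in treating `-` and `_` in module names as equivalent, as modprobe itself does. The function names are my own.

```shell
#!/bin/sh
# Constructed sample of a modprobe.d drop-in (same syntax as the file above).
# Note the deliberate usb_storage / usb-storage spelling difference: modprobe treats
# dash and underscore in module names as interchangeable, so both lines target one module.
SAMPLE_CONF='# comment line is ignored
install dccp /bin/true
install sctp /bin/true
install usb_storage /bin/true
blacklist usb-storage
blacklist cramfs
install cramfs /bin/true
blacklist pcspkr'

# Print, sorted and de-duplicated, the modules whose load is overridden with
# "install <module> /bin/true" or "install <module> /bin/false".
# These cannot be loaded by modprobe at all (neither by auto-load nor by hand).
disabled_modules() {
  printf '%s\n' "$1" | awk '
    $1 == "install" && ($3 == "/bin/true" || $3 == "/bin/false") {
      gsub("-", "_", $2); print $2
    }' | sort -u
}

# Print modules that appear only in "blacklist" lines and have no install override.
# Blacklisting just suppresses alias-based auto-loading; the module can still be
# loaded by an explicit modprobe call or as a dependency of another module.
blacklist_only() {
  printf '%s\n' "$1" | awk '
    $1 == "install" && ($3 == "/bin/true" || $3 == "/bin/false") {
      gsub("-", "_", $2); inst[$2] = 1
    }
    $1 == "blacklist" { gsub("-", "_", $2); bl[$2] = 1 }
    END { for (m in bl) if (!(m in inst)) print m }' | sort -u
}

# Live dry-run check (only where modprobe exists): -n performs no load, -v shows
# the command modprobe would run, so an effective override prints "install /bin/true".
check_module() {
  command -v modprobe >/dev/null 2>&1 || { echo "modprobe not available"; return 2; }
  modprobe -n -v "$1" 2>&1
}

# Usage when run directly:
#   disabled_modules "$SAMPLE_CONF"   -> cramfs dccp sctp usb_storage (one per line)
#   blacklist_only   "$SAMPLE_CONF"   -> pcspkr
#   check_module dccp                 -> what modprobe would do on this host
```

Modules reported by `blacklist_only` are the ones worth a second look: if the intent is to prevent loading altogether (as the file does for the filesystem and network modules), they need an `install` override as well. `check_module` is the quickest way to confirm the override is in effect on a running host without touching the kernel.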