CISS.debian.live.builder/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

# bashsupport disable=BP5007

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# The kernel allows unprivileged users to indirectly cause certain modules to be loaded
# via module auto-loading. This allows an attacker to auto-load a vulnerable module which
# is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
# the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
# vulnerability in said kernel module.
# Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
# instructions on which kernel modules to blacklist.

##### Disable Uncommon Network Protocols #####

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true

#	DCCP      Datagram Congestion Control Protocol
#	SCTP      Stream Control Transmission Protocol
#	RDS       Reliable Datagram Sockets
#	TIPC      Transparent Inter-process Communication
#	HDLC      High-Level Data Link Control
#	AX25      Amateur X.25
#	NetRom
#	X25
#	ROSE
#	DECnet
#	Econet
#	af_802154 IEEE 802.15.4
#	IPX       Internetwork Packet Exchange
#	AppleTalk
#	PSNAP     Subnetwork Access Protocol
#	p8023     Novell raw IEEE 802.3
#	p8022     IEEE 802.2
#	CAN       Controller Area Network
#	ATM

##### Disable Uncommon Filesystems #####
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true

blacklist cramfs
blacklist freevxfs
blacklist jffs2
blacklist hfs
blacklist hfsplus
blacklist udf

##### Disable Uncommon Network Filesystems #####
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true

blacklist cifs
blacklist nfs
blacklist nfsv3
blacklist nfsv4
blacklist ksmbd
blacklist gfs2

# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true

##### Disable access to USB #####
install usb_storage /bin/true
blacklist usb-storage

##### Disable access to IEEE1394 #####
install firewire-core /bin/true

##### Blacklist automatic loading of miscellaneous modules #####
##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
# evbug is a debug tool that should be loaded explicitly
blacklist evbug
# these drivers are very simple
blacklist usbmouse
blacklist usbkbd
# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394
# ugly and loud noise, getting on everyone's nerves
blacklist pcspkr

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh