feat!: disable network protocols and kernel hardening

usr/etc/modprobe.d/30-security_misc.conf

@@ -0,0 +1,63 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <[email protected]>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Disable thunderbolt and firewire modules to prevent some DMA attacks
+install thunderbolt /bin/disabled-thunderbolt-by-security-misc
+install firewire-core /bin/disabled-firewire-by-security-misc
+install firewire_core /bin/disabled-firewire-by-security-misc
+install firewire-ohci /bin/disabled-firewire-by-security-misc
+install firewire_ohci /bin/disabled-firewire-by-security-misc
+install firewire_sbp2 /bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /bin/disabled-firewire-by-security-misc
+install ohci1394 /bin/disabled-firewire-by-security-misc
+install sbp2 /bin/disabled-firewire-by-security-misc
+install dv1394 /bin/disabled-firewire-by-security-misc
+install raw1394 /bin/disabled-firewire-by-security-misc
+install video1394 /bin/disabled-firewire-by-security-misc
+
+## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
+## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
+## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
+install dccp /bin/disabled-network-by-security-misc
+install sctp /bin/disabled-network-by-security-misc
+install rds /bin/disabled-network-by-security-misc
+install tipc /bin/disabled-network-by-security-misc
+install n-hdlc /bin/disabled-network-by-security-misc
+install ax25 /bin/disabled-network-by-security-misc
+install netrom /bin/disabled-network-by-security-misc
+install x25 /bin/disabled-network-by-security-misc
+install rose /bin/disabled-network-by-security-misc
+install decnet /bin/disabled-network-by-security-misc
+install econet /bin/disabled-network-by-security-misc
+install af_802154 /bin/disabled-network-by-security-misc
+install ipx /bin/disabled-network-by-security-misc
+install appletalk /bin/disabled-network-by-security-misc
+install psnap /bin/disabled-network-by-security-misc
+install p8023 /bin/disabled-network-by-security-misc
+install p8022 /bin/disabled-network-by-security-misc
+install can /bin/disabled-network-by-security-misc
+install atm /bin/disabled-network-by-security-misc
+
+## Disable uncommon file systems to reduce attack surface
+## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
+install freevxfs /bin/disabled-filesys-by-security-misc
+install jffs2 /bin/disabled-filesys-by-security-misc
+install hfs /bin/disabled-filesys-by-security-misc
+install hfsplus /bin/disabled-filesys-by-security-misc
+install udf /bin/disabled-filesys-by-security-misc
+
+## Disable uncommon network file systems to reduce attack surface
+install cifs /bin/disabled-netfilesys-by-security-misc
+install ksmbd /bin/disabled-netfilesys-by-security-misc
+install gfs2 /bin/disabled-netfilesys-by-security-misc
+
+## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+install vivid /bin/disabled-vivid-by-security-misc