Merge remote-tracking branch 'origin/master'

debian/control

@@ -97,9 +97,47 @@ Description: enhances misc security settings
  .
  All mitigations for the MDS vulnerability are enabled.
  .
- Uncommon network protocols are blacklisted as they are rarely used and
+ Uncommon network protocols are blacklisted in /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and
  may have unknown vulnerabilities.
  .
+ The network protocols that are blacklisted are
+ .
+ * DCCP - Datagram Congestion Control Protocol
+ .
+ * SCTP - Stream Control Transmission Protocol
+ .
+ * RDS - Reliable Datagram Sockets
+ .
+ * TIPC - Transparent Inter-process Communication
+ .
+ * HDLC - High-Level Data Link Control
+ .
+ * AX25 - Amateur X.25
+ .
+ * NetRom
+ .
+ * X25
+ .
+ * ROSE
+ .
+ * DECnet
+ .
+ * Econet
+ .
+ * af_802154 - IEEE 802.15.4
+ .
+ * IPX - Internetwork Packet Exchange
+ .
+ * AppleTalk
+ .
+ * PSNAP - Subnetwork Access Protocol
+ .
+ * p8023 - Novell raw IEEE 802.3
+ .
+ * LLC - IEEE 802.2
+ .
+ * p8022 - IEEE 802.2
+ .
  The kernel logs are restricted to root only.
  .
  A systemd service clears System.map on boot as these contain kernel symbols

etc/modprobe.d/uncommon-network-protocols.conf

@@ -1,4 +1,11 @@
 # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+#
+# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
+# 
+# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
+#
+# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
+#
 install dccp /bin/true
 install sctp /bin/true
 install rds /bin/true