Merge remote-tracking branch 'raja/modules'

2024-10-01 08:25:45 -04:00 · 2024-07-13 06:14:43 -04:00 · 2024-07-13 06:14:43 -04:00 · f34b9d7c45
commit f34b9d7c45
parent 05c1711b16 5f10cc8bcf
14 changed files with 206 additions and 183 deletions
--- a/README.md
+++ b/README.md
@ -122,63 +122,46 @@ preventing new modules from being loaded. Since this isn't configured directly
 within systemctl, it does not break the loading of legitimate and necessary
 modules for the user, like drivers etc., given they are plugged in on startup.

-#### Disables and blacklists kernel modules
+#### Blacklist and disable kernel modules

-Certain kernel modules are disabled and blacklisted by default to reduce attack
-surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
+Certain kernel modules are blacklisted by default to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
+modules from automatically starting.

-   Deactivates Netfilter's connection tracking helper - this module increases
-    kernel attack surface by enabling superfluous functionality such as IRC
-    parsing in the kernel. Hence, this feature is disabled.
+-   CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.

-   Thunderbolt and numerous FireWire kernel modules are also disabled as they
-    are often vulnerable to DMA attacks.
+-   Conntrack: Deactivates Netfilter's connection tracking helper - this module
+    increases kernel attack surface by enabling superfluous functionality such
+    as IRC parsing in the kernel. Hence, this feature is disabled.

-   The MSR kernel module is disabled to prevent CPU MSRs from being abused to
-    write to arbitrary memory.
+-   Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause 
+    kernel panics, and are generally only used by legacy devices. 

-   Uncommon network protocols are blacklisted. This includes:
+-   Miscellaneous: Blacklist an assortment other modules to prevent them from
+    automatically loading.

-    -   DCCP - Datagram Congestion Control Protocol
-    -   SCTP - Stream Control Transmission Protocol
-    -   RDS - Reliable Datagram Sockets
-    -   TIPC - Transparent Inter-process Communication
-    -   HDLC - High-Level Data Link Control
-    -   AX25 - Amateur X.25
-    -   NetRom
-    -   X25
-    -   ROSE
-    -   DECnet
-    -   Econet
-    -   af_802154 - IEEE 802.15.4
-    -   IPX - Internetwork Packet Exchange
-    -   AppleTalk
-    -   PSNAP - Subnetwork Access Protocol
-    -   p8023 - Novell raw IEEE 802.3
-    -   p8022 - IEEE 802.2
-    -   CAN - Controller Area Network
-    -   ATM
+Specific kernel modules are entirely disabled to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
+modules from starting. This approach should not be considered comprehensive,
+rather it is a form of badness enumeration.

-   Disables a large array of uncommon file systems and network file systems
-    that reduces the attack surface especially against legacy approaches.
+-   File Systems: Disable uncommon and legacy file systems.

-   The vivid kernel module is only required for testing and has been the cause
-    of multiple vulnerabilities so it is disabled.
+-   FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.

-   Provides some disabling of the interface between the [Intel Management
-    Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html)
-    and the OS.
+-   GPS: Disables GPS-related modules responsible systems such as for Global
+    Navigation Satellite System (GNSS).

-   Disables several kernel modules responsible for GPS such as GNSS (Global
-    Navigation Satellite System).
+-   Intel Management Engine (ME): Provides some disabling of the interface between the
+    Intel ME and the OS.

-   Incorporates much of
-    [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco)
-    default blacklist of modules to be blocked from automatically loading.
-    However, they are still permitted to load.
+-   Network File Systems: Disable uncommon and legacy network file systems.

-   Blocks automatic loading of the modules needed to use of CD-ROM devices by
-    default. Not completely disabled yet.
+-   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
+
+-   Miscellaneous: Disable an assortment other modules such as vivid.
+
+-   Thunderbolt: Disabled as they are often vulnerable to DMA attacks.

 ### Other

--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf

-## merged into 1 file /etc/modprobe.d/30_security-misc.conf
+## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@ -0,0 +1,80 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#
+blacklist cdrom
+blacklist sr_mod
+#
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Conntrack:
+## Disable automatic conntrack helper assignment.
+## https://phabricator.whonix.org/T486
+#
+options nf_conntrack nf_conntrack_helper=0
+
+## Framebuffer Drivers:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+#
+blacklist aty128fb
+blacklist atyfb
+blacklist cirrusfb
+blacklist cyber2000fb
+blacklist cyblafb
+blacklist gx1fb
+blacklist hgafb
+blacklist i810fb
+blacklist intelfb
+blacklist kyrofb
+blacklist lxfb
+blacklist matroxfb_bases
+blacklist neofb
+blacklist nvidiafb
+blacklist pm2fb
+blacklist radeonfb
+blacklist rivafb
+blacklist s1d13xxxfb
+blacklist savagefb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vesafb
+blacklist vfb
+blacklist viafb
+blacklist vt8623fb
+blacklist udlfb
+
+## Miscellaneous:
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+#
+blacklist ath_pci
+blacklist amd76x_edac
+blacklist asus_acpi
+blacklist bcm43xx
+blacklist eepro100
+blacklist eth1394
+blacklist evbug
+blacklist de4x5
+blacklist garmin_gps
+blacklist pcspkr
+blacklist prism54
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@ -1,159 +1,119 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.

-## See the following links for a community discussion and overview regarding the selections
+## See the following links for a community discussion and overview regarding the selections.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules

-## Disable automatic conntrack helper assignment
-## https://phabricator.whonix.org/T486
-options nf_conntrack nf_conntrack_helper=0
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.

-## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
+## Bluetooth:
+## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 #
-## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
+## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
 #
-# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
-# install btusb /usr/bin/disabled-bluetooth-by-security-misc
-
-## Disable thunderbolt and firewire modules to prevent some DMA attacks
-install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install firewire-core /usr/bin/disabled-firewire-by-security-misc
-install firewire_core /usr/bin/disabled-firewire-by-security-misc
-install firewire-net /usr/bin/disabled-firewire-by-security-misc
-install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
-install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
-install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
-install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
-install ohci1394 /usr/bin/disabled-firewire-by-security-misc
-install sbp2 /usr/bin/disabled-firewire-by-security-misc
-install dv1394 /usr/bin/disabled-firewire-by-security-misc
-install raw1394 /usr/bin/disabled-firewire-by-security-misc
-install video1394 /usr/bin/disabled-firewire-by-security-misc
+#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install btusb /usr/bin/disabled-bluetooth-by-security-misc

+## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
 ## https://github.com/Kicksecure/security-misc/issues/215
+#
 #install msr /usr/bin/disabled-msr-by-security-misc

-## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-install dccp /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
-install n-hdlc /usr/bin/disabled-network-by-security-misc
-install ax25 /usr/bin/disabled-network-by-security-misc
-install netrom /usr/bin/disabled-network-by-security-misc
-install x25 /usr/bin/disabled-network-by-security-misc
-install rose /usr/bin/disabled-network-by-security-misc
-install decnet /usr/bin/disabled-network-by-security-misc
-install econet /usr/bin/disabled-network-by-security-misc
-install af_802154 /usr/bin/disabled-network-by-security-misc
-install ipx /usr/bin/disabled-network-by-security-misc
-install appletalk /usr/bin/disabled-network-by-security-misc
-install psnap /usr/bin/disabled-network-by-security-misc
-install p8023 /usr/bin/disabled-network-by-security-misc
-install p8022 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
-install atm /usr/bin/disabled-network-by-security-misc
-
-## Disable uncommon file systems to reduce attack surface
-## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
+#
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc

-## Disable uncommon network file systems to reduce attack surface
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
-install nfs /usr/bin/disabled-netfilesys-by-security-misc
-install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
-install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
-install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+## FireWire (IEEE 1394):
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
+#
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
+install ohci1394 /usr/bin/disabled-firewire-by-security-misc
+install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
+install video1394 /usr/bin/disabled-firewire-by-security-misc

-## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /usr/bin/disabled-vivid-by-security-misc
-
-## Disable Intel Management Engine (ME) interface with the OS
-## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
-install mei /usr/bin/disabled-intelme-by-security-misc
-install mei-me /usr/bin/disabled-intelme-by-security-misc
-
-# Disable GPS modules like GNSS (Global Navigation Satellite System)
+## Global Positioning Systems (GPS):
+## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
+#
 install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
 install gnss-sirf /usr/bin/disabled-gps-by-security-misc
-install gnss-usb /usr/bin/disabled-gps-by-security-misc
 install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc

-## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
-blacklist ath_pci
+## Intel Management Engine (ME):
+## Partially disable the Intel ME interface with the OS.
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+#
+install mei /usr/bin/disabled-intelme-by-security-misc
+install mei-me /usr/bin/disabled-intelme-by-security-misc

-## Blacklist automatic loading of miscellaneous modules
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
-blacklist evbug
-blacklist usbmouse
-blacklist usbkbd
-blacklist eepro100
-blacklist de4x5
-blacklist eth1394
-blacklist snd_intel8x0m
-blacklist snd_aw2
-blacklist prism54
-blacklist bcm43xx
-blacklist garmin_gps
-blacklist asus_acpi
-blacklist snd_pcsp
-blacklist pcspkr
-blacklist amd76x_edac
+## Network File Systems:
+## Disable uncommon network file systems to reduce attack surface.
+#
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc

-## Blacklist automatic loading of framebuffer drivers
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-blacklist aty128fb
-blacklist atyfb
-blacklist radeonfb
-blacklist cirrusfb
-blacklist cyber2000fb
-blacklist cyblafb
-blacklist gx1fb
-blacklist hgafb
-blacklist i810fb
-blacklist intelfb
-blacklist kyrofb
-blacklist lxfb
-blacklist matroxfb_bases
-blacklist neofb
-blacklist nvidiafb
-blacklist pm2fb
-blacklist rivafb
-blacklist s1d13xxxfb
-blacklist savagefb
-blacklist sisfb
-blacklist sstfb
-blacklist tdfxfb
-blacklist tridentfb
-blacklist vesafb
-blacklist vfb
-blacklist viafb
-blacklist vt8623fb
-blacklist udlfb
+## Network Protocols:
+## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+## https://tails.boum.org/blueprint/blacklist_modules/
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
+#
+install af_802154 /usr/bin/disabled-network-by-security-misc
+install appletalk /usr/bin/disabled-network-by-security-misc
+install atm /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install dccp /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install rds /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install sctp /usr/bin/disabled-network-by-security-misc
+install tipc /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc

-## Disable CD-ROM devices
-## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
-#install cdrom /usr/bin/disabled-cdrom-by-security-misc
-#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
-blacklist cdrom
-blacklist sr_mod
+## Miscellaneous:
+#
+## Vivid:
+## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+#
+install vivid /usr/bin/disabled-vivid-by-security-misc
+
+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+#
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
--- a/usr/bin/disabled-bluetooth-by-security-misc
+++ b/usr/bin/disabled-bluetooth-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-cdrom-by-security-misc
+++ b/usr/bin/disabled-cdrom-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-filesys-by-security-misc
+++ b/usr/bin/disabled-filesys-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-firewire-by-security-misc
+++ b/usr/bin/disabled-firewire-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-gps-by-security-misc
+++ b/usr/bin/disabled-gps-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-intelme-by-security-misc
+++ b/usr/bin/disabled-intelme-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-netfilesys-by-security-misc
+++ b/usr/bin/disabled-netfilesys-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-network-by-security-misc
+++ b/usr/bin/disabled-network-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-thunderbolt-by-security-misc
+++ b/usr/bin/disabled-thunderbolt-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1
--- a/usr/bin/disabled-vivid-by-security-misc
+++ b/usr/bin/disabled-vivid-by-security-misc
@ -5,6 +5,6 @@

 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

-echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2

 exit 1