Merge remote-tracking branch 'raja/modules'

2025-07-31 14:48:38 -04:00 · 2024-07-13 06:14:43 -04:00 · 2024-07-13 06:14:43 -04:00 · f34b9d7c45
commit f34b9d7c45
parent 05c1711b16 5f10cc8bcf
14 changed files with 206 additions and 183 deletions
--- a/README.md
+++ b/README.md
@ -122,63 +122,46 @@ preventing new modules from being loaded. Since this isn't configured directly
 within systemctl, it does not break the loading of legitimate and necessary
 modules for the user, like drivers etc., given they are plugged in on startup.
-#### Disables and blacklists kernel modules
+#### Blacklist and disable kernel modules
-Certain kernel modules are disabled and blacklisted by default to reduce attack
+Certain kernel modules are blacklisted by default to reduce attack surface via
-surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
+`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
 modules from automatically starting.
-   Deactivates Netfilter's connection tracking helper - this module increases
+-   CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
    kernel attack surface by enabling superfluous functionality such as IRC
    parsing in the kernel. Hence, this feature is disabled.
-   Thunderbolt and numerous FireWire kernel modules are also disabled as they
+-   Conntrack: Deactivates Netfilter's connection tracking helper - this module
-    are often vulnerable to DMA attacks.
+    increases kernel attack surface by enabling superfluous functionality such
    as IRC parsing in the kernel. Hence, this feature is disabled.
-   The MSR kernel module is disabled to prevent CPU MSRs from being abused to
+-   Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause 
-    write to arbitrary memory.
+    kernel panics, and are generally only used by legacy devices. 
-   Uncommon network protocols are blacklisted. This includes:
+-   Miscellaneous: Blacklist an assortment other modules to prevent them from
    automatically loading.
-    -   DCCP - Datagram Congestion Control Protocol
+Specific kernel modules are entirely disabled to reduce attack surface via
-    -   SCTP - Stream Control Transmission Protocol
+`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
-    -   RDS - Reliable Datagram Sockets
+modules from starting. This approach should not be considered comprehensive,
-    -   TIPC - Transparent Inter-process Communication
+rather it is a form of badness enumeration.
    -   HDLC - High-Level Data Link Control
    -   AX25 - Amateur X.25
    -   NetRom
    -   X25
    -   ROSE
    -   DECnet
    -   Econet
    -   af_802154 - IEEE 802.15.4
    -   IPX - Internetwork Packet Exchange
    -   AppleTalk
    -   PSNAP - Subnetwork Access Protocol
    -   p8023 - Novell raw IEEE 802.3
    -   p8022 - IEEE 802.2
    -   CAN - Controller Area Network
    -   ATM
-   Disables a large array of uncommon file systems and network file systems
+-   File Systems: Disable uncommon and legacy file systems.
    that reduces the attack surface especially against legacy approaches.
-   The vivid kernel module is only required for testing and has been the cause
+-   FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
    of multiple vulnerabilities so it is disabled.
-   Provides some disabling of the interface between the [Intel Management
+-   GPS: Disables GPS-related modules responsible systems such as for Global
-    Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html)
+    Navigation Satellite System (GNSS).
    and the OS.
-   Disables several kernel modules responsible for GPS such as GNSS (Global
+-   Intel Management Engine (ME): Provides some disabling of the interface between the
-    Navigation Satellite System).
+    Intel ME and the OS.
-   Incorporates much of
+-   Network File Systems: Disable uncommon and legacy network file systems.
    [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco)
    default blacklist of modules to be blocked from automatically loading.
    However, they are still permitted to load.
-   Blocks automatic loading of the modules needed to use of CD-ROM devices by
+-   Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
-    default. Not completely disabled yet.
+
 -   Miscellaneous: Disable an assortment other modules such as vivid.
 -   Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 ### Other
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
-## merged into 1 file /etc/modprobe.d/30_security-misc.conf
+## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@ -0,0 +1,80 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 ## See the following links for a community discussion and overview regarding the selections.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
 ## Blacklisting prevents kernel modules from automatically starting.
 ## Disabling prohibits kernel modules from starting.
 ## CD-ROM/DVD:
 ## Blacklist CD-ROM and DVD modules.
 ## Do not disable by default for potential future ISO plans.
 ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
 #
 blacklist cdrom
 blacklist sr_mod
 #
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 ## Conntrack:
 ## Disable automatic conntrack helper assignment.
 ## https://phabricator.whonix.org/T486
 #
 options nf_conntrack nf_conntrack_helper=0
 ## Framebuffer Drivers:
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
 #
 blacklist aty128fb
 blacklist atyfb
 blacklist cirrusfb
 blacklist cyber2000fb
 blacklist cyblafb
 blacklist gx1fb
 blacklist hgafb
 blacklist i810fb
 blacklist intelfb
 blacklist kyrofb
 blacklist lxfb
 blacklist matroxfb_bases
 blacklist neofb
 blacklist nvidiafb
 blacklist pm2fb
 blacklist radeonfb
 blacklist rivafb
 blacklist s1d13xxxfb
 blacklist savagefb
 blacklist sisfb
 blacklist sstfb
 blacklist tdfxfb
 blacklist tridentfb
 blacklist vesafb
 blacklist vfb
 blacklist viafb
 blacklist vt8623fb
 blacklist udlfb
 ## Miscellaneous:
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 #
 blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
 blacklist bcm43xx
 blacklist eepro100
 blacklist eth1394
 blacklist evbug
 blacklist de4x5
 blacklist garmin_gps
 blacklist pcspkr
 blacklist prism54
 blacklist snd_aw2
 blacklist snd_intel8x0m
 blacklist snd_pcsp
 blacklist usbkbd
 blacklist usbmouse
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@ -1,159 +1,119 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
-## See the following links for a community discussion and overview regarding the selections
+## See the following links for a community discussion and overview regarding the selections.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
-## Disable automatic conntrack helper assignment
+## Blacklisting prevents kernel modules from automatically starting.
-## https://phabricator.whonix.org/T486
+## Disabling prohibits kernel modules from starting.
 options nf_conntrack nf_conntrack_helper=0
-## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
+## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 #
-## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
+## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
 #
-# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
-# install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install btusb /usr/bin/disabled-bluetooth-by-security-misc
 ## Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
 install firewire_core /usr/bin/disabled-firewire-by-security-misc
 install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
 install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
 install ohci1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install dv1394 /usr/bin/disabled-firewire-by-security-misc
 install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
 ## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
 ## https://github.com/Kicksecure/security-misc/issues/215
 #
 #install msr /usr/bin/disabled-msr-by-security-misc
-## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+## File Systems:
-## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
+## Disable uncommon file systems to reduce attack surface.
-## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
+## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
-## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
+#
 install dccp /usr/bin/disabled-network-by-security-misc
 install sctp /usr/bin/disabled-network-by-security-misc
 install rds /usr/bin/disabled-network-by-security-misc
 install tipc /usr/bin/disabled-network-by-security-misc
 install n-hdlc /usr/bin/disabled-network-by-security-misc
 install ax25 /usr/bin/disabled-network-by-security-misc
 install netrom /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install ipx /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
 install p8023 /usr/bin/disabled-network-by-security-misc
 install p8022 /usr/bin/disabled-network-by-security-misc
 install can /usr/bin/disabled-network-by-security-misc
 install atm /usr/bin/disabled-network-by-security-misc
 ## Disable uncommon file systems to reduce attack surface
 ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
 install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
 install jffs2 /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc
-## Disable uncommon network file systems to reduce attack surface
+## FireWire (IEEE 1394):
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
-install nfs /usr/bin/disabled-netfilesys-by-security-misc
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
-install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+#
-install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
-install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
-install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
 install ohci1394 /usr/bin/disabled-firewire-by-security-misc
 install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
-## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+## Global Positioning Systems (GPS):
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
+#
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /usr/bin/disabled-vivid-by-security-misc
 ## Disable Intel Management Engine (ME) interface with the OS
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc
 # Disable GPS modules like GNSS (Global Navigation Satellite System)
 install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
 install gnss-sirf /usr/bin/disabled-gps-by-security-misc
 install gnss-usb /usr/bin/disabled-gps-by-security-misc
 install gnss-ubx /usr/bin/disabled-gps-by-security-misc
 install gnss-usb /usr/bin/disabled-gps-by-security-misc
-## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
+## Intel Management Engine (ME):
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+## Partially disable the Intel ME interface with the OS.
-blacklist ath_pci
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 #
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc
-## Blacklist automatic loading of miscellaneous modules
+## Network File Systems:
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## Disable uncommon network file systems to reduce attack surface.
-blacklist evbug
+#
-blacklist usbmouse
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
-blacklist usbkbd
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
-blacklist eepro100
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-blacklist de4x5
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
-blacklist eth1394
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
-blacklist snd_intel8x0m
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 blacklist snd_aw2
 blacklist prism54
 blacklist bcm43xx
 blacklist garmin_gps
 blacklist asus_acpi
 blacklist snd_pcsp
 blacklist pcspkr
 blacklist amd76x_edac
-## Blacklist automatic loading of framebuffer drivers
+## Network Protocols:
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
-blacklist aty128fb
+## https://tails.boum.org/blueprint/blacklist_modules/
-blacklist atyfb
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
-blacklist radeonfb
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
-blacklist cirrusfb
+#
-blacklist cyber2000fb
+install af_802154 /usr/bin/disabled-network-by-security-misc
-blacklist cyblafb
+install appletalk /usr/bin/disabled-network-by-security-misc
-blacklist gx1fb
+install atm /usr/bin/disabled-network-by-security-misc
-blacklist hgafb
+install ax25 /usr/bin/disabled-network-by-security-misc
-blacklist i810fb
+install can /usr/bin/disabled-network-by-security-misc
-blacklist intelfb
+install decnet /usr/bin/disabled-network-by-security-misc
-blacklist kyrofb
+install dccp /usr/bin/disabled-network-by-security-misc
-blacklist lxfb
+install econet /usr/bin/disabled-network-by-security-misc
-blacklist matroxfb_bases
+install ipx /usr/bin/disabled-network-by-security-misc
-blacklist neofb
+install n-hdlc /usr/bin/disabled-network-by-security-misc
-blacklist nvidiafb
+install netrom /usr/bin/disabled-network-by-security-misc
-blacklist pm2fb
+install p8022 /usr/bin/disabled-network-by-security-misc
-blacklist rivafb
+install p8023 /usr/bin/disabled-network-by-security-misc
-blacklist s1d13xxxfb
+install psnap /usr/bin/disabled-network-by-security-misc
-blacklist savagefb
+install rds /usr/bin/disabled-network-by-security-misc
-blacklist sisfb
+install rose /usr/bin/disabled-network-by-security-misc
-blacklist sstfb
+install sctp /usr/bin/disabled-network-by-security-misc
-blacklist tdfxfb
+install tipc /usr/bin/disabled-network-by-security-misc
-blacklist tridentfb
+install x25 /usr/bin/disabled-network-by-security-misc
 blacklist vesafb
 blacklist vfb
 blacklist viafb
 blacklist vt8623fb
 blacklist udlfb
-## Disable CD-ROM devices
+## Miscellaneous:
-## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+#
-## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+## Vivid:
-#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
-#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-blacklist cdrom
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
-blacklist sr_mod
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 #
 install vivid /usr/bin/disabled-vivid-by-security-misc
 ## Thunderbolt:
 ## Disables Thunderbolt modules to prevent some DMA attacks.
 ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
 #
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
--- a/usr/bin/disabled-bluetooth-by-security-misc
+++ b/usr/bin/disabled-bluetooth-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-cdrom-by-security-misc
+++ b/usr/bin/disabled-cdrom-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-filesys-by-security-misc
+++ b/usr/bin/disabled-filesys-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-firewire-by-security-misc
+++ b/usr/bin/disabled-firewire-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-gps-by-security-misc
+++ b/usr/bin/disabled-gps-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-intelme-by-security-misc
+++ b/usr/bin/disabled-intelme-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-netfilesys-by-security-misc
+++ b/usr/bin/disabled-netfilesys-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-network-by-security-misc
+++ b/usr/bin/disabled-network-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-thunderbolt-by-security-misc
+++ b/usr/bin/disabled-thunderbolt-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1
--- a/usr/bin/disabled-vivid-by-security-misc
+++ b/usr/bin/disabled-vivid-by-security-misc
@ -5,6 +5,6 @@
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
 exit 1