merge the many modprobe.d config files into 1

and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file

debian/security-misc.maintscript

@@ -25,3 +25,10 @@ rm_conffile /etc/sysctl.d/coredumps.conf
 rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
+
+rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
+rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
+rm_conffile /etc/modprobe.d/vivid.conf
+rm_conffile /etc/modprobe.d/blacklist-dma.conf
+rm_conffile /etc/modprobe.d/msr.conf
+rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf

etc/modprobe.d/30_nf_conntrack_helper_disable.conf

@@ -1,2 +0,0 @@
-## https://phabricator.whonix.org/T486
-options nf_conntrack nf_conntrack_helper=0

etc/modprobe.d/30_security-misc.conf

@@ -0,0 +1,54 @@
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://phabricator.whonix.org/T486
+options nf_conntrack nf_conntrack_helper=0
+
+# Blacklists bluetooth to reduce attack surface.
+# Bluetooth also has a history of security vulnerabilities:
+#
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+install bluetooth /bin/false
+install btusb /bin/false
+
+# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+install firewire-core /bin/false
+install thunderbolt /bin/false
+
+# Blacklist CPU MSRs as they can be abused to write to
+# arbitrary memory.
+install msr /bin/false
+
+# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+#
+# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
+#
+# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
+#
+# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
+#
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+
+## Blacklists the vivid kernel module as it's only required for
+## testing and has been the cause of multiple vulnerabilities.
+##
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+install vivid /bin/false

etc/modprobe.d/blacklist-bluetooth.conf

@@ -1,6 +0,0 @@
-# Blacklists bluetooth to reduce attack surface.
-# Bluetooth also has a history of security vulnerabilities:
-#
-# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/false
-install btusb /bin/false

etc/modprobe.d/blacklist-dma.conf

@@ -1,3 +0,0 @@
-# Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install firewire-core /bin/false
-install thunderbolt /bin/false

etc/modprobe.d/msr.conf

@@ -1,3 +0,0 @@
-# Blacklist CPU MSRs as they can be abused to write to
-# arbitrary memory.
-install msr /bin/false

etc/modprobe.d/uncommon-network-protocols.conf

@@ -1,25 +0,0 @@
-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-#
-# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-#
-# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-#
-# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-#
-install dccp /bin/false
-install sctp /bin/false
-install rds /bin/false
-install tipc /bin/false
-install n-hdlc /bin/false
-install ax25 /bin/false
-install netrom /bin/false
-install x25 /bin/false
-install rose /bin/false
-install decnet /bin/false
-install econet /bin/false
-install af_802154 /bin/false
-install ipx /bin/false
-install appletalk /bin/false
-install psnap /bin/false
-install p8023 /bin/false
-install p8022 /bin/false

etc/modprobe.d/vivid.conf

@@ -1,10 +0,0 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-## See the file COPYING for copying conditions.
-
-## Blacklists the vivid kernel module as it's only required for
-## testing and has been the cause of multiple vulnerabilities.
-##
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/false