Kicksecure · adrelanos · Nov 5, 2023 · Oct 27, 2023 · Oct 27, 2023 · Oct 27, 2023
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
@@ -49,3 +49,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf
 rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
 rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
 
+## replaced with privacy conscious configurations for bluetooth
+## not to hinder day to day usage
+rm_conffile /bin/disabled-bluetooth-by-security-misc
diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf
@@ -0,0 +1,30 @@
+[General]
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+PairableTimeout = 30
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+DiscoverableTimeout = 30
+
+# Maximum number of controllers allowed to be exposed to the system.
+# Default=0 (unlimited)
+MaxControllers=1
+
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+TemporaryTimeout = 0 
+
+[Policy]
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'true'.
+AutoEnable=false
+
+# network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+Privacy=network/on
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
@@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0
 
 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/disabled-bluetooth-by-security-misc
-install btusb /bin/disabled-bluetooth-by-security-misc
+#
+## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
+#
+# install bluetooth /bin/disabled-bluetooth-by-security-misc
+# install btusb /bin/disabled-bluetooth-by-security-misc
 
 ## Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/disabled-thunderbolt-by-security-misc

diff --git a/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
@@ -0,0 +1,2 @@
+[connection]
+ipv6.ip6-privacy=2
diff --git a/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
@@ -0,0 +1,6 @@
+[device-mac-randomization]
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=random
+wifi.cloned-mac-address=random
diff --git a/usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
@@ -0,0 +1,2 @@
+[Network]
+IPv6PrivacyExtensions=kernel