From 604d839537c409604ed2c4c88992ea1a31368f6f Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 12:30:26 +0000
Subject: [PATCH 01/10] 99_ipv6-privacy-extensions.conf
---
 etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
new file mode 100644
index 00000000..b44948dc
--- /dev/null
+++ b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
@@ -0,0 +1,2 @@
+[Network]
+IPv6PrivacyExtensions=kernel
From e90f62eaabfeee7483af573ef8e9d015ba1977dc Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 12:34:15 +0000
Subject: [PATCH 02/10] 99_randomize_mac.conf
---
 etc/NetworkManager/conf.d/99_randomize_mac.conf | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 etc/NetworkManager/conf.d/99_randomize_mac.conf
diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize_mac.conf
new file mode 100644
index 00000000..16018009
--- /dev/null
+++ b/etc/NetworkManager/conf.d/99_randomize_mac.conf
@@ -0,0 +1,6 @@
+[device-mac-randomization]
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=random
+wifi.cloned-mac-address=random
From 3d4b04fddc16067ed345074683281e74f41eeadf Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 12:35:39 +0000
Subject: [PATCH 03/10] 99_ipv6-privacy.conf
---
 etc/NetworkManager/conf.d/99_ipv6-privacy.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/NetworkManager/conf.d/99_ipv6-privacy.conf
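Review bot: `IPv6PrivacyExtensions=kernel` in the `[Network]` section of the new networkd drop-in does not by itself turn privacy extensions on: networkd treats the special value `kernel` as "leave the kernel's use_tempaddr default in place", whereas `yes` (prefer temporary addresses) or `prefer-public` is what makes networkd enable them. If the intent is to defer to a sysctl that is set elsewhere, that dependency should be stated in the file; otherwise `IPv6PrivacyExtensions=yes` is the value that matches the file name. The file also has no header saying what reads it; a line such as `# networkd.conf drop-in: default for .network files that do not set IPv6PrivacyExtensions= themselves` would help the next maintainer.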
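Review bot: `ethernet.cloned-mac-address=random` and `wifi.cloned-mac-address=random` in the `[connection-mac-randomization]` section generate a fresh MAC on every activation, so the host gets a new DHCP lease and loses its per-network identity on each reconnect (static DHCP reservations, captive portals and MAC-based admission control stop working). `stable` yields a distinct MAC per connection profile that stays constant across reconnects, which is usually the better privacy/usability balance for a distribution default; if `random` is deliberate here, a `#` comment above the section should say so and name the trade-off. `wifi.scan-rand-mac-address=yes` is, as far as I know, already NetworkManager's default where the driver supports it, so a comment marking that line as documentation rather than a change would avoid readers assuming scan randomization was off before.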
diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf
new file mode 100644
index 00000000..a70549aa
--- /dev/null
+++ b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf
@@ -0,0 +1,2 @@
+[connection]
+ipv6.ip6-privacy=2
From b298d152fc10c66892698d9dcae769a44a32037b Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 14:32:08 +0000
Subject: [PATCH 04/10] 30_security-misc.conf
---
 etc/bluetooth/30_security-misc.conf | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 etc/bluetooth/30_security-misc.conf
diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf
new file mode 100644
index 00000000..d3410f2d
--- /dev/null
+++ b/etc/bluetooth/30_security-misc.conf
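Review bot: A `[connection]` default such as `ipv6.ip6-privacy=2` only applies to profiles whose `ipv6.ip6-privacy` property is still unset (`-1`); profiles that already store an explicit value keep it, so this does not retrofit privacy extensions onto connections created before the package was installed. That limitation and the meaning of the value belong in the file: `# 2 = privacy extensions on, prefer temporary addresses; NM connection default, profiles with an explicit ipv6.ip6-privacy keep their own value`. It would also help to cross-reference the networkd drop-in from PATCH 01 in a comment, so it is clear the two files are meant to cover the two network stacks rather than duplicate each other.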
@@ -0,0 +1,30 @@
+[General]
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+PairableTimeout = 30
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+DiscoverableTimeout = 30
+
+# Maximum number of controllers allowed to be exposed to the system.
+# Default=0 (unlimited)
+MaxControllers=1
+
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+TemporaryTimeout = 0
+
+[Policy]
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'true'.
+AutoEnable=false
+
+# network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+Privacy=network/on
From 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 14:34:21 +0000
Subject: [PATCH 05/10] 30_security-misc.conf
---
 etc/modprobe.d/30_security-misc.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 128ab9c7..a01ed815 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
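Review bot: bluetoothd reads its settings from `/etc/bluetooth/main.conf` (or the file given with `--configfile`), and I am not aware of a documented drop-in directory that would pick up a file named `/etc/bluetooth/30_security-misc.conf`; please confirm this file is actually loaded, because if it is not, none of the `[General]`/`[Policy]` settings take effect while PATCH 05 re-enables the Bluetooth modules with stock defaults. The delimiter style inside the file is mixed (`PairableTimeout = 30` next to `MaxControllers=1` and `AutoEnable=false`); pick one form throughout. A one-line header stating what the file is and which settings deliberately differ from the upstream defaults (the comments repeat the upstream defaults but do not say why 30/1/0/false were chosen) would make the hardening intent auditable.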
@@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0
 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/disabled-bluetooth-by-security-misc
-install btusb /bin/disabled-bluetooth-by-security-misc
+#
+## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
+#
+# install bluetooth /bin/disabled-bluetooth-by-security-misc
+# install btusb /bin/disabled-bluetooth-by-security-misc
 ## Disable thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/disabled-thunderbolt-by-security-misc
From 90a88225a4fde2f09cc14b24f8467bb1ded90c9d Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 14:38:31 +0000
Subject: [PATCH 06/10] security-misc.maintscript
---
 debian/security-misc.maintscript | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index f1664ee2..50c12520 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -49,3 +49,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf
 rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
 rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
+## replaced with privacy conscious configurations for bluetooth
+## not to hinder day to day usage
+rm_conffile /bin/disabled-bluetooth-by-security-misc
From fc8e201e84e4c777c087fd113c539ca368fd3a31 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 27 Oct 2023 14:49:24 +0000
Subject: [PATCH 07/10] rename
---
 .../conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename etc/NetworkManager/conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} (100%)
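Review bot: The retained, commented-out `install bluetooth` / `install btusb` lines still point at `/bin/disabled-bluetooth-by-security-misc`, which PATCH 06 in this same series removes, so a user who uncomments them to restore the old hard block will get a modprobe failure for a missing helper rather than the intended behaviour. Either keep the helper, or make the kept lines reference an always-present target and say where the replacement lives, e.g. `## To hard-disable Bluetooth again: install bluetooth /bin/false` and `## Default configuration now lives in /etc/bluetooth/30_security-misc.conf`. The blank context lines of this hunk are not recoverable from the collapsed rendering, so the surrounding layout of the file is only partially visible here.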
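Review bot: `rm_conffile /bin/disabled-bluetooth-by-security-misc` applies a conffile operation to a path that is not a conffile: `rm_conffile` is meant for files dpkg tracks in the package's conffiles list (normally under `/etc`), while a helper script in `/bin` is an ordinary packaged file that dpkg removes on its own once the new package version stops shipping it. Run on a non-conffile, `dpkg-maintscript-helper` compares the file against an empty recorded checksum and, as far as I can tell, ends up leaving a `.dpkg-bak` copy behind rather than removing the file, so this line is at best a no-op and at worst litter. Drop it and instead make sure the script is removed from the package's install list (that removal is not visible in this series, so please confirm it happens); if the line must stay, the `##` comment above it should explain why a non-conffile is handled here.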
diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize-mac.conf
similarity index 100%
rename from etc/NetworkManager/conf.d/99_randomize_mac.conf
rename to etc/NetworkManager/conf.d/99_randomize-mac.conf
From 76e684cc0ac0544219d200eeefae1356864fe702 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 1 Nov 2023 17:51:27 +0000
Subject: [PATCH 08/10] Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
---
 {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf (100%)
diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
similarity index 100%
rename from etc/NetworkManager/conf.d/99_ipv6-privacy.conf
rename to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
From 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 1 Nov 2023 17:52:40 +0000
Subject: [PATCH 09/10] Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
---
 {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf (100%)
diff --git a/etc/NetworkManager/conf.d/99_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
similarity index 100%
rename from etc/NetworkManager/conf.d/99_randomize-mac.conf
rename to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
From 229032d691c614a926cf3cf96b44752364e4e087 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 1 Nov 2023 17:54:05 +0000
Subject: [PATCH 10/10] Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
---
 .../lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {etc => usr/lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf (100%)
diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
similarity index 100%
rename from etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
rename to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf