3.1.2 Ensure wireless interfaces are disabled

Information

Wireless networking is used when wired networks are unavailable. Debian contains a wireless tool kit to allow system administrators to configure and use wireless networks.

Rationale:

If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface.

Impact:

Many if not all laptop workstations and some desktop workstations will connect via wireless requiring these interfaces be enabled.

Solution

Run the following script to disable any wireless interfaces:

#!/bin/bash

if command -v nmcli >/dev/null 2>&1 ; then
nmcli radio all off
else
if [ -n '$(find /sys/class/net/*/ -type d -name wireless)' ]; then
drivers=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename '$(readlink -f '$driverdir'/device/driver)';done | sort -u)
for dm in $drivers; do
echo 'install $dm /bin/true' >> /etc/modprobe.d/disable_wireless.conf
done
fi
fi

Additional Information:

Edited to correct scripts. Do we need to remove other references to a wireless driver from /etc/modprobe.d/? The test system I used had a file iwlwifi.conf to load the correct drivers.

See Also

https://workbench.cisecurity.org/files/3219