Kernel hardening: Disable and blacklist Linux modules

The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can be easily added to a run kernel, by loading the related module. While that is great, it can also be misused. You can think of loading malicious modules (e.g. rootkits), or unauthorized access to the server and copy data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module. In this case, we specifically disallow the ones we don’t want.

Blacklisting modules

Blacklisting modules is one way to disallow them. This defines which modules should no longer be loaded. However, it will only limit the loading of modules during the boot process. You can still load a module manually after booting.

Blacklisting a module is simple. Create a file in the /etc/modprobe.d directory and give it a proper name (e.g. blacklist-module.conf).

Blacklisting firewire

Let’s say we want to blacklist firewire. We first have to determine what modules are available. By using find, we can quickly determine the related kernel drivers:

Now we know there are multiple modules, most part of the drivers and one in the sound section. If we want to disable all these modules, we could simply blacklist them all. Or block the generic category.

Gathering module information

By using modinfo, we can gather the details about a particular module. In this case, we have a look at the snd-firewire-lib module and see what it does:

We can see it depends on firewire-core. Let’s have a look at the firewire-core module itself:

The details of the firewire-core module show that is responsible for firewire itself. It is the core unit itself and doing the transaction logic within the IEEE1394 protocol specifications. We can see it is depending on the CRC-ITU-T standard.

By blacklisting the firewire-core, we effectively disable any module depending on it. In this case, we don’t blacklist the crc-itu-t module, to prevent other modules from properly functioning.

The related snippet to blacklist would be:

/etc/modprobe.d/blacklist-firewire.conf

blacklist firewire-core

See blacklisted modules

To see what modules are currently blacklisted, we can use the modprobe command:

This will show all modules which are blacklisted.

Disable modules

The next level of blacklisting modules is to actually disable them. This way they won’t be loaded unintentionally.

To disable a module, we have to redirect a module via the install option. Modprobe will try to load the related file. By defining a module as /bin/true, it won’t be loaded.

To see what modules are currently disabled via install, we can use modprobe as well:

Note: the root user can still override settings, by using the -ignore-install parameter. In that case, the module can still be loaded.

Besides the install routine, there is also an alias option. This might be used to redirect a module to /dev/null for example.

Conclusion

By using the right combination of blacklist, install and alias, we can disallow the loading of Linux kernel modules. They form the first level of defense against unintentional and unauthorized module loading. By using the kernel setting kernel.modules_disabled and set its value to 1, we can make sure things are really tightened. Even the root user can not load any modules anymore.

Useful commands

When working with kernel modules, here are some of the most common commands:

  • Blacklisted and disabled modules
    • modprobe -showconfig | egrep “^(blacklist|install)”
  • Find modules
    • find /lib/modules/`uname -r` -print
  • Show loaded modules
    • lsmod
  • Load module
    • modprobe module
  • Unload module
    • modprobe -r module
  • Module details
    • modinfo module

Questions or other tips? Share it in the comments.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon