All-Things-Docker-and-Kubernetes

Restrict Kernel Modules

Kernel Modules
Restricting Kernel Modules
Disable Loading of USB Storage Modules
Disable Loading of DCCP Module

Kernel Modules

In Linux, the kernel provides the core functionality of the operating system, managing hardware, resources, and providing essential services. However, to keep the kernel itself relatively small and modular, additional functionalities can be added dynamically through kernel modules.

Kernel modules are pieces of code that can be loaded into the running kernel, extending its capabilities without the need to reboot the entire system.

Use Cases:

Hardware Support
- Device drivers as modules for supporting various hardware components.
Filesystem Support
- Additional filesystem modules for handling different filesystem formats.
Network Protocols
- TCP/IP stack components and network protocol modules.
Security Modules
- Modules enhancing system security, such as SELinux and AppArmor.

Security Considerations:

Unauthorized Modules
- Loading of unauthorized or malicious modules can pose security risks.
- Implement measures to restrict and control module loading.
Regular Updates
- Keep modules up to date, especially if they are third-party or not included in the mainline kernel.
Monitoring
- Regularly monitor loaded modules for any unexpected changes or unauthorized additions.

Example Commands:

Load a module:
```
sudo modprobe <module-name>
```
Unload a module:
```
sudo rmmod <module-name>
```
List loaded modules:
```
lsmod
```
View module information:
```
modinfo <module-name>
```

Restricting Kernel Modules

Enhance security by controlling and restricting the loading of kernel modules in a Linux system. This helps prevent unauthorized or malicious modules from being loaded, reducing potential attack vectors.

Methods:

sysctl Configuration:
- Use the sysctl command to configure kernel module loading parameters.
- Edit /etc/sysctl.conf or create a new file in /etc/sysctl.d/ for persistent settings.
```
   # Disable loading of kernel modules
   kernel.modules_disabled = 1
```
  Apply changes:
```
   sudo sysctl -p
```
modprobe Configuration:
- Configure modprobe, the kernel module loader, to restrict module loading.
  
  Example modprobe.conf:
```
   # Restrict loading of USB modules
   install usb-storage /bin/true
```
  Apply changes:
```
   sudo modprobe -r <module-name>
```
Blacklisting Modules:
- Use module blacklisting to prevent specific modules from loading.
- Create or edit /etc/modprobe.d/blacklist.conf.
  
  Example blacklist.conf:
```
   # Blacklist a specific module
   blacklist <module-name>
```
  Apply changes:
```
   sudo update-initramfs -u
```
  We can also reboot the server and check lsmod again.
```
   shutdown -r now 
   lsmod | grep <module>
```

Caution:

Modifying kernel module loading can impact system functionality. Be cautious and understand the implications.
Regularly review and update module restrictions based on security needs.
Document changes and ensure proper testing before applying to production systems.

Disable Loading of USB Storage Modules

Edit /etc/sysctl.conf or create a new file in /etc/sysctl.d/:

# Disable loading of kernel modules
kernel.modules_disabled = 1

Apply changes:

sudo sysctl -p

Create or edit /etc/modprobe.d/blacklist-usb-storage.conf:

# Blacklist USB storage modules
blacklist usb-storage

Apply changes:

sudo update-initramfs -u

Disable Loading of DCCP Module

Another module that we can disable is the Datagram Congestion Control Protocol (DCCP) Module.

## /etc/modprobe.d/blacklist.conf 
blacklist dccp

shutdown -r now 
lsmod | grep dccp

Back to first page

This site is open source. Improve this page.