How to Disable Kernel module installation capability in Unix Based operating system?
As we are living in the Linux kernel rootkit era, is there any way to disable any additional module from being loaded into the operating system kernel by any user or any operation or command, in Unix? Some sort of locking down the kernel space.
PS:
I know we can remove any compiler tools and do some hardening, but I am looking for additional protection in kernel space and for the critical files and directories it uses.
I know we could remove the insmod tool in /sbin/insmod, but somebody could copy it back onto the OS and use it again.
linux-kernel security kernel-modules
asked Mar 10 at 7:52 by comey macdonald
edited Mar 10 at 13:28 by Jeff Schaller♦
You used the word "Linux" once in your question, but the word "UNIX" twice. Are you interested, in this question, about only the Linux OS? Or others, including IRIX, HP-UX, AIX, Solaris, etc?
– Jeff Schaller♦
Mar 10 at 13:29
1 Answer
There are several things you could do:
Block kernel module loading until the system is rebooted
Simply run echo 1 > /proc/sys/kernel/modules_disabled
After this, no new modules can be loaded for as long as the kernel is running. This setting cannot be reset back to 0 without rebooting.
This still allows loading modules at boot time, but allows you to lock it down once all the necessary modules have been loaded.
Ensure that only trustworthy modules can be loaded in the first place
These methods will allow you to have your cake and eat it too:
If your system has UEFI firmware and Secure Boot is enabled, it is actually a Secure Boot certification requirement that the bootloader must not allow unsigned kernel code to be executed. Most distributions that support Secure Boot will extend this to kernel modules too, using kernel module signing (kernel compile options CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_FORCE=y).
Or, if you compile your own kernel, you could enable the CONFIG_SECURITY_LOADPIN kernel compilation option, which adds a requirement that all kernel modules must come from a single filesystem. This could be useful if you've segregated all user-writeable and temporary directories to separate filesystems, or even have your root filesystem read-only in locked-down use.
And of course, there is the hard-core option...
Build your own custom kernel with all the necessary drivers built-in and the module functionality entirely disabled
This is old-school, but can still be applicable if your hardware configuration is very stable.
answered Mar 10 at 9:51 by telcoM
Thank you for the answer, but as I understand, there is no way to disable it permanently in the running server.
– comey macdonald
Mar 10 at 10:27
@comeymacdonald did you try the modules_disabled method? If you set that value at boot-time, it seems to me that would be pretty effective. Also, disabling module support in the kernel sounds like a "permanent disablement" to me as well. How do you see these differently?
– Jeff Schaller♦
Mar 10 at 12:03
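As an added example (not code from the answer above or from any project), a POSIX sh audit of the three controls the answer lists, plus the boot-time sysctl drop-in that Jeff's comment refers to. It assumes the conventional paths /proc/sys/kernel/modules_disabled, /sys/module/module/parameters/sig_enforce, /boot/config-$(uname -r) and /etc/sysctl.d; the ROOT parameter, the verdict names and the drop-in file name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the module-loading
# controls discussed above and persist modules_disabled=1 as a sysctl drop-in.
# ROOT defaults to "/"; another path lets the checks run against a constructed
# directory tree (hypothetical layout used only for testing).

# Print 1 if FILE is readable and its first line is exactly "1", else 0.
read_flag() {
    if [ -r "$1" ] && [ "$(head -n 1 "$1")" = "1" ]; then echo 1; else echo 0; fi
}

# Print y if OPTION=y is set in ROOT/boot/config-KREL, else n.
kconfig_enabled() {
    cfg="$1/boot/config-$2"
    if [ -r "$cfg" ] && grep -qx "$3=y" "$cfg"; then echo y; else echo n; fi
}

# Summarise the posture of the tree at ROOT for kernel release KREL as one line
# of key=value pairs ending in a verdict:
#   locked - runtime loading already disabled (irreversible until reboot)
#   gated  - loading possible, but only signed modules or modules from the
#            pinned filesystem are accepted
#   open   - none of the controls on this list is in effect
audit_module_lockdown() {
    root=${1:-/}; krel=${2:-$(uname -r)}
    disabled=$(read_flag "$root/proc/sys/kernel/modules_disabled")
    sig_enforce=$(read_flag "$root/sys/module/module/parameters/sig_enforce")
    sig_force=$(kconfig_enabled "$root" "$krel" CONFIG_MODULE_SIG_FORCE)
    loadpin=$(kconfig_enabled "$root" "$krel" CONFIG_SECURITY_LOADPIN)
    if [ "$disabled" = 1 ]; then verdict=locked
    elif [ "$sig_enforce" = 1 ] || [ "$sig_force" = y ] || [ "$loadpin" = y ]; then verdict=gated
    else verdict=open; fi
    echo "modules_disabled=$disabled sig_enforce=$sig_enforce MODULE_SIG_FORCE=$sig_force LOADPIN=$loadpin verdict=$verdict"
}

# Make the sysctl take effect at every boot. Caveat: sysctl.d is applied early
# in boot, so anything normally autoloaded later (filesystem, netfilter or USB
# drivers) will fail to load afterwards; confirm those modules are built in or
# already loaded before installing this file.
write_modules_disabled_dropin() {
    root=${1:-/}
    dropin="$root/etc/sysctl.d/99-modules-disabled.conf"
    mkdir -p "$(dirname "$dropin")"
    printf '# Block further module loading; cannot be undone without a reboot\nkernel.modules_disabled = 1\n' > "$dropin"
    echo "$dropin"
}

# Report the posture of the running host when executed directly.
audit_module_lockdown
```

Run it as root on a host to see which of the answer's controls are already in effect before deciding whether the drop-in is safe to install.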