How to Disable Kernel module installation capability in Unix Based operating system?

As we are living in the Linux kernel rootkit era, is there any way to disable the loading of any additional module into the operating system kernel by any user, operation or command, in Unix? Some sort of locking down of the kernel space.

PS:

I know we can remove any compiler tools and do some hardening, but I am looking for additional protection in kernel space and for the critical files and directories it uses.

I know we could remove the insmod tool in /sbin/insmod, but somebody could copy it back to the OS and use it again.

  • You used the word "Linux" once in your question, but the word "UNIX" twice. Are you interested, in this question, about only the Linux OS? Or others, including IRIX, HP-UX, AIX, Solaris, etc?

    – Jeff Schaller
    Mar 10 at 13:29
linux-kernel security kernel-modules
edited Mar 10 at 13:28
Jeff Schaller
asked Mar 10 at 7:52
comey macdonald

1 Answer
There are several things you could do:

Block kernel module loading until the system is rebooted

Simply run:

    echo 1 > /proc/sys/kernel/modules_disabled

After this, no new modules can be loaded for as long as the kernel is running. This setting cannot be reset back to 0 without rebooting.

This still allows loading modules at boot time, but allows you to lock it down once all the necessary modules have been loaded.

Ensure that only trustworthy modules can be loaded in the first place

These methods will allow you to have your cake and eat it too:

If your system has UEFI firmware and Secure Boot is enabled, it is actually a Secure Boot certification requirement that the bootloader must not allow unsigned kernel code to be executed. Most distributions that support Secure Boot will extend this to kernel modules too, using kernel module signing (kernel compile options CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_FORCE=y).

Or, if you compile your own kernel, you could enable the CONFIG_SECURITY_LOADPIN kernel compilation option, which adds a requirement that all kernel modules must come from a single filesystem. This could be useful if you've segregated all user-writeable and temporary directories to separate filesystems, or even have your root filesystem read-only in locked-down use.

And of course, there is the hard-core option...

Build your own custom kernel with all the necessary drivers built-in and the module functionality entirely disabled

This is old-school, but can still be applicable if your hardware configuration is very stable.
answered Mar 10 at 9:51
telcoM

  • Thank you for the answer, but as I understand, there is no way to disable it permanently in the running server.

    – comey macdonald
    Mar 10 at 10:27
  • @comeymacdonald did you try the modules_disabled method? If you set that value at boot-time, it seems to me that would be pretty effective. Also, disabling module support in the kernel sounds like a "permanent disablement" to me as well. How do you see these differently?

    – Jeff Schaller
    Mar 10 at 12:03
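The answer lists four controls (the one-way modules_disabled sysctl, enforced module signatures, LoadPin, and a kernel without module support). The POSIX shell script below is an added example, not code from telcoM's answer or from the kernel project: it audits which of those controls a Linux host actually has by reading the sysctl and parsing the kernel build config for CONFIG_MODULES, CONFIG_MODULE_SIG_FORCE and CONFIG_SECURITY_LOADPIN. The default paths /proc/sys/kernel/modules_disabled and /boot/config-$(uname -r) are assumptions (the first is standard on Linux, the second is where most distributions install the config); the function names are mine, and both paths can be overridden by argument so the logic can be checked against constructed files.

```shell
#!/bin/sh
# Added example: audit which of the module-loading protections from the
# answer a Linux host actually has. Not part of the original answer.
# Assumed default paths: /proc/sys/kernel/modules_disabled (the sysctl the
# answer sets) and /boot/config-$(uname -r) (where most distributions
# install the kernel build config). Both can be overridden by argument so
# the logic can be checked against constructed files.

# Runtime state of kernel.modules_disabled:
# "locked" (1, one-way until reboot), "open" (0) or "unknown" (unreadable).
module_loading_state() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        1) echo locked ;;
        0) echo open ;;
        *) echo unknown ;;
    esac
}

# Value of one Kconfig option in a kernel config file:
# y, m, n ("# ... is not set") or unset (option absent / file unreadable).
kconfig_value() {
    cfg="$1"; opt="$2"
    [ -r "$cfg" ] || { echo unset; return 0; }
    line=$(grep -E "^(# )?${opt}(=| is not set)" "$cfg" | head -n 1)
    case "$line" in
        "${opt}=y") echo y ;;
        "${opt}=m") echo m ;;
        "# ${opt} is not set") echo n ;;
        *) echo unset ;;
    esac
}

# One-line summary plus verdict. "protected" means at least one control from
# the answer is in force: loading locked at runtime, signature enforcement
# (CONFIG_MODULE_SIG_FORCE), LoadPin (CONFIG_SECURITY_LOADPIN), or a kernel
# built without module support (CONFIG_MODULES=n). "exposed" means any
# root process can still load an arbitrary module.
kernel_module_posture() {
    sysctl_file="${1:-/proc/sys/kernel/modules_disabled}"
    config_file="${2:-/boot/config-$(uname -r)}"
    state=$(module_loading_state "$sysctl_file")
    modules=$(kconfig_value "$config_file" CONFIG_MODULES)
    sig_force=$(kconfig_value "$config_file" CONFIG_MODULE_SIG_FORCE)
    loadpin=$(kconfig_value "$config_file" CONFIG_SECURITY_LOADPIN)
    verdict=exposed
    if [ "$state" = locked ] || [ "$sig_force" = y ] \
        || [ "$loadpin" = y ] || [ "$modules" = n ]; then
        verdict=protected
    fi
    echo "modules_disabled=$state modules=$modules module_sig_force=$sig_force loadpin=$loadpin verdict=$verdict"
}

# Run with no arguments to audit the host this script runs on.
kernel_module_posture "$@"
```

Run it with no arguments on a live host; a verdict of exposed means none of the listed controls is active, so any root process can still load a module. To apply the sysctl lock at every boot, as Jeff Schaller's comment suggests, the usual mechanism is a drop-in such as /etc/sysctl.d/99-lock-modules.conf containing kernel.modules_disabled = 1; since sysctl.d settings are applied early in boot, any module that would otherwise be loaded later on demand (by udev or by a later mount) must be listed in /etc/modules-load.d or built into the kernel, or the lock will break it.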
Source: Unix & Linux Stack Exchange, question 505428.