[ubuntu-hardened] Blocking module loading and System booting.
seth.arnold at canonical.com
Fri May 15 21:43:18 UTC 2015
On Fri, May 15, 2015 at 08:29:19PM +0200, Daniel Curtis wrote:
> I would ask about a block module loading which is offered
> as a one of the Ubuntu security feature . The advantage
> of this kind of defense is that it could prevent system
> damage etc.
> One of such defense is to remove capability of loadable
> kernel modules entirely. So, if I set a block module loading
> via setting "1" in /proc/sys/kernel/modules_disabled, then
> system will start normally without any issues?
> Of course modules loading (after user log in) will be
> impossible, but Ubuntu will load all necessary modules and start/boot
> normally, right? (I mean before user login). And
> ready to use, just like before blocking module loading?
If you wish to disable module loading, I recommend doing so via
/etc/rc.local; I believe this will run after the rest of the startup
tasks, which should on-demand load whatever is needed during early boot.
Before doing this, it would be a good idea to look through the output of
lsmod on a running, working, system, and configuring whatever modules you
need in /etc/modules-load.d/ manually -- some tasks like VPNs or ecryptfs
mounts or CIFS mounts might cause modules to be loaded well after boot,
and if your environment relies upon these modules, it'd be best to ensure
they are loaded before preventing further module loading.
I hope this helps.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: Digital signature
More information about the ubuntu-hardened