[ubuntu-hardened] Blocking module loading and System booting.
kees at ubuntu.com
Fri May 15 22:25:59 UTC 2015
On Fri, May 15, 2015 at 02:43:18PM -0700, Seth Arnold wrote:
> On Fri, May 15, 2015 at 08:29:19PM +0200, Daniel Curtis wrote:
> > I would ask about a block module loading which is offered
> > as a one of the Ubuntu security feature . The advantage
> > of this kind of defense is that it could prevent system
> > damage etc.
> > One of such defense is to remove capability of loadable
> > kernel modules entirely. So, if I set a block module loading
> > via setting "1" in /proc/sys/kernel/modules_disabled, then
> > system will start normally without any issues?
> > Of course modules loading (after user log in) will be
> > impossible, but Ubuntu will load all necessary modules and start/boot
> > normally, right? (I mean before user login). And
> > ready to use, just like before blocking module loading?
> Hello Daniel,
> If you wish to disable module loading, I recommend doing so via
> /etc/rc.local; I believe this will run after the rest of the startup
> tasks, which should on-demand load whatever is needed during early boot.
> Before doing this, it would be a good idea to look through the output of
> lsmod on a running, working, system, and configuring whatever modules you
> need in /etc/modules-load.d/ manually -- some tasks like VPNs or ecryptfs
> mounts or CIFS mounts might cause modules to be loaded well after boot,
> and if your environment relies upon these modules, it'd be best to ensure
> they are loaded before preventing further module loading.
> I hope this helps.
It turns out it's not as simple as putting this in rc.local, as this may
still race things in /etc/init. I recommend an upstart job that makes sure
both module-init-tools and 'rc' (the fall-back sysv script runner) have
finished. For example, as /etc/init/modules-disable.conf:
# modules-disable - disable modules after rc scripts are done
description "disable loading modules"
start on stopped kmod and stopped rc
echo 1 > /proc/sys/kernel/modules_disabled
Anything you may need "on demand" (like, a usb keyboard in a colocation
facility), add to /etc/modules ahead of time so they get preloaded.
More information about the ubuntu-hardened