Disable a Kernel Module on Oracle Linux
In this lab you unload a kernel module on an Oracle Linux instance and configure the system to prevent the module from loading at boot time. You can use this knowledge to disable kernel modules for hardware that might be causing a problem on a system or that may be flagged for a vulnerability.
Objectives
This lab shows how to disable the btrfs Linux kernel module on Oracle Linux and to prevent it from loading at boot time. The btrfs module is used for demonstration purposes but you could use the same procedure to disable any other Linux kernel module on a system. The main steps are outlined below:
- Disable the module using modprobe
- Add the module to the kernel module deny list
- Create a backup of the existing initramfs
- Rebuild the initramfs by using dracut to exclude the module
Note: Disabling modules can have unintended consequences and can prevent a system from booting properly or from being fully functional after boot. In this tutorial we demonstrate creating a backup ramdisk image as best practice to make sure that you are able to recover in the event that a change prevents boot.
What Do You Need?
Setup the Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Disable the btrfs Module
- Check that the btrfs module is loaded on the system by running the lsmod command.
Kernel hardening: Disable and blacklist Linux modules
The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can easily be added to a running kernel by loading the related module. While that is great, it can also be misused: think of malicious modules being loaded (e.g. rootkits), or of someone with unauthorized access to the server copying data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module. In this case, we specifically disallow the ones we don’t want.
Blacklisting modules
Blacklisting modules is one way to disallow them. This defines which modules should no longer be loaded. However, it will only limit the loading of modules during the boot process. You can still load a module manually after booting.
Blacklisting a module is simple. Create a file in the /etc/modprobe.d directory and give it a proper name (e.g. blacklist-module.conf).
Blacklisting firewire
Let’s say we want to blacklist firewire. We first have to determine what modules are available. By using find, we can quickly determine the related kernel drivers:
[root@arch kernel]# find /lib/modules/`uname -r` -name *firewire*
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-ohci.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-core.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-sbp2.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-net.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/media/firewire
/lib/modules/4.0.1-1-ARCH/kernel/drivers/staging/fwserial/firewire-serial.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/sound/firewire
/lib/modules/4.0.1-1-ARCH/kernel/sound/firewire/snd-firewire-lib.ko.gz
Now we know there are multiple modules, most of them part of the drivers section and one in the sound section. If we want to disable all these modules, we could simply blacklist them all, or block the generic category.
Gathering module information
By using modinfo, we can gather the details about a particular module. In this case, we have a look at the snd-firewire-lib module and see what it does:
modinfo shows on which a module depends
We can see it depends on firewire-core. Let’s have a look at the firewire-core module itself:
Details of firewire core module
The details of the firewire-core module show that it is responsible for firewire itself. It is the core unit and handles the transaction logic within the IEEE1394 protocol specifications. We can see it depends on the CRC-ITU-T standard.
By blacklisting firewire-core, we effectively disable any module depending on it. In this case, we don’t blacklist the crc-itu-t module, so that other modules that need it keep functioning properly.
The related snippet to blacklist would be:
/etc/modprobe.d/blacklist-firewire.conf
See blacklisted modules
To see what modules are currently blacklisted, we can use the modprobe command:
[root@arch kernel]# modprobe --showconfig | grep blacklist
blacklist firewire_core
This will show all modules which are blacklisted.
Disable modules
The next level of blacklisting modules is to actually disable them. This way they won’t be loaded unintentionally.
To disable a module, we redirect it via the install option. Normally modprobe tries to load the module’s file; with an install line it runs the given command instead. By defining that command as /bin/true, the module won’t be loaded.
Using the install option we can avoid loading modules
To see what modules are currently disabled via install, we can use modprobe as well:
[root@arch kernel]# modprobe --showconfig | grep "^install" | grep "/bin"
install firewire_core /bin/true
install firewire_ohci /bin/true
Note: the root user can still override these settings by using the --ignore-install parameter. In that case, the module can still be loaded.
Besides the install routine, there is also an alias option. This might be used to redirect a module to /dev/null for example.
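The difference between a blacklist entry and an install redirect, as an added example that is not part of the original article: a small checker that reads modprobe.d-style files and reports how each module is restricted. The function name module_policy and the sample file are constructed for illustration; on a live system the same logic can be pointed at /etc/modprobe.d.

```shell
#!/bin/sh
# module_policy <confdir> <module>  (hypothetical helper, added example)
# Prints one of: disabled | blacklisted | unrestricted
module_policy() {
    confdir=$1
    # modprobe treats '-' and '_' in module names as equivalent; normalise.
    want=$(printf '%s' "$2" | sed 's/-/_/g')
    cat "$confdir"/*.conf 2>/dev/null | awk -v want="$want" '
        $1 ~ /^#/ { next }                       # skip comment lines
        { name = $2; gsub(/-/, "_", name) }
        # install redirected to a no-op: modprobe runs it instead of loading
        $1 == "install" && name == want && ($3 == "/bin/true" || $3 == "/bin/false") { dis = 1 }
        # blacklist alone: the module can still be loaded manually
        $1 == "blacklist" && name == want { bl = 1 }
        END {
            if (dis) print "disabled"
            else if (bl) print "blacklisted"
            else print "unrestricted"
        }'
}

# Constructed sample configuration in a throwaway directory
demo_dir=$(mktemp -d)
cat > "$demo_dir/blacklist-firewire.conf" <<'EOF'
# constructed sample, not taken from a real system
blacklist firewire_core
install firewire_core /bin/true
install firewire-ohci /bin/true
blacklist firewire_sbp2
EOF

for m in firewire-core firewire_ohci firewire_sbp2 firewire_net; do
    printf '%-16s %s\n' "$m" "$(module_policy "$demo_dir" "$m")"
done
```

A module reported as "blacklisted" is the case the article warns about: it is skipped at boot but can still be loaded by hand.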
Conclusion
By using the right combination of blacklist, install and alias, we can disallow the loading of Linux kernel modules. They form the first level of defense against unintentional and unauthorized module loading. By setting the kernel parameter kernel.modules_disabled to 1, we can make sure things are really tightened: even the root user cannot load any modules anymore.
Useful commands
When working with kernel modules, here are some of the most common commands:
- Blacklisted and disabled modules
- modprobe --showconfig | egrep "^(blacklist|install)"
- find /lib/modules/`uname -r` -print
- lsmod
- modprobe module
- modprobe -r module
- modinfo module
How to disable a kernel module on Linux?
A long time ago, Linux had a lot of hardware problems. They have not disappeared completely, but it is fair to say that practically everything is supported nowadays. That is precisely why the Linux kernel often ships with many modules for hardware that we do not use. With some knowledge, we can disable a kernel module on Linux.
What is a kernel Module?
First of all, it is necessary to know what a kernel module is. A kernel module is a piece of object code that is loaded into the kernel to extend its functionality. Generally, modules are integrated into the kernel to support new hardware or a new file system. It is even possible to find modules that add other capabilities to the kernel, such as improvements in data processing.
Therefore, for each piece or component of hardware that we own, it is necessary that there is a module in the kernel that recognizes it. The problem, sometimes, is that the Linux kernel has loaded modules that we will probably never use. So, in some cases, it’s a good idea to disable them.
Note: Be careful disabling kernel modules. A bad decision could cause problems in your system.
It is possible to disable a kernel module permanently or temporarily. All this, according to our needs.
Permanently disable a kernel module
For this post, I will pose the following situation. There is a kernel module called floppy that manages a floppy disk drive. Practically no equipment uses floppy disks anymore, so loading that module is unnecessary. In addition, it slows down system startup and consumes resources. So, let’s disable it.
To do this, you need to create a blacklist file and add that module.
:~$ su
:~# nano /etc/modprobe.d/local-blacklist.conf
Then save the file and close it.
However, if the module is dependent on another module, it will be loaded even though it has been blacklisted. Therefore, it is necessary to add one more parameter.
If the kernel module is part of initramfs (boot configuration), the initramfs must be regenerated.
After that, reboot the system.
On the other hand, before performing this process verify that the module is not in /etc/modprobe.conf, /etc/modprobe.d/, /etc/rc.modules or /etc/sysconfig/modules/.
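The permanent-disable steps above, combined with the initramfs backup step from the Oracle Linux lab earlier on this page, as one script. This is an added example, not code from either article; the function name, the file name disable-<module>.conf, the use of an install line (as in the Linux Audit section) and the optional staging-root argument are assumptions.

```shell
#!/bin/sh
# disable_module <module> [root]  (hypothetical helper, added example)
# With no [root] it acts on the live system and must run as root.
# With [root] it only writes files under that prefix (safe dry run).
disable_module() {
    mod=$1
    root=${2:-}
    conf="$root/etc/modprobe.d/disable-$mod.conf"   # file name is an assumption

    mkdir -p "$root/etc/modprobe.d" || return 1
    # blacklist: modprobe ignores the module's aliases (no autoloading).
    # install:   modprobe runs /bin/true instead of loading the module,
    #            also when it is pulled in as a dependency.
    printf 'blacklist %s\ninstall %s /bin/true\n' "$mod" "$mod" > "$conf" || return 1

    # Back up the current boot image (RHEL/Oracle and Debian naming).
    for img in "$root/boot/initramfs-$(uname -r).img" \
               "$root/boot/initrd.img-$(uname -r)"; do
        if [ -f "$img" ]; then
            cp -p "$img" "$img.bak" || return 1
        fi
    done

    # Unload and rebuild only on the live system.
    if [ -z "$root" ]; then
        modprobe -r "$mod" 2>/dev/null ||
            echo "note: $mod not unloaded (in use, built in or not loaded)" >&2
        if command -v dracut >/dev/null 2>&1; then
            dracut --force --omit-drivers "$mod"
        elif command -v update-initramfs >/dev/null 2>&1; then
            update-initramfs -u
        fi
    fi
}

# Constructed dry run against a throwaway directory tree
stage=$(mktemp -d)
mkdir -p "$stage/boot"
: > "$stage/boot/initramfs-$(uname -r).img"
disable_module btrfs "$stage"
cat "$stage/etc/modprobe.d/disable-btrfs.conf"
```

If the rebuilt image fails to boot, the .bak copy can be selected from the boot loader or copied back from a rescue environment.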
Disable a kernel module temporarily
It is also possible to disable a kernel module temporarily, which is useful in certain cases to test a specific function. To do this, simply run the following command:
And that’s it. That way you can disable it. If you want to reverse this, you can enable it again.
Finally, if you want to list all enabled modules
Conclusion
Disabling even a single kernel module is a delicate thing, but it can help us to have more control over our Linux distribution. In addition, it can help improve system performance.