Главная » Linux

Linux how to disable module

На чтение 11 мин Просмотров 1 Опубликовано
Содержание
  1. Disable a Kernel Module on Oracle Linux
  2. Objectives
  3. What Do You Need?
  4. Setup the Lab Environment
  5. Disable the btrfs Module
  6. Kernel hardening: Disable and blacklist Linux modules
  7. Blacklisting modules
  8. Blacklisting firewire
  9. Gathering module information
  10. See blacklisted modules
  11. Disable modules
  12. Conclusion
  13. Useful commands
  14. How to disable a kernel module on Linux?
  15. What is a kernel Module?
  16. Permanently disable a kernel module
  17. Disable a kernel module temporarily
  18. Conclusion
  19. Disable a Kernel Module on Oracle Linux
  20. Objectives
  21. What Do You Need?
  22. Setup the Lab Environment
  23. Disable the btrfs Module

Disable a Kernel Module on Oracle Linux

In this lab you unload a kernel module on an Oracle Linux instance and configure the system to prevent the module from loading at boot time. You can use this knowledge to disable kernel modules for hardware that might be causing a problem on a system or that may be flagged for a vulnerability.

Objectives

This lab shows how to disable the btrfs Linux kernel module on Oracle Linux and to prevent it from loading at boot time. The btrfs module is used for demonstration purposes but you could use the same procedure to disable any other Linux kernel module on a system. The main steps are outlined below:

  • Disable the module using modprobe
  • Add the module to the kernel module deny list
  • Create a backup of the existing initramfs
  • Rebuild the initramfs by using dracut to exclude the module

Note: Disabling modules can have unintended consequences and can prevent a system from booting properly or from being fully functional after boot. In this tutorial we demonstrate creating a backup ramdisk image as best practice to make sure that you are able to recover in the event that a change prevents boot.

What Do You Need?

Setup the Lab Environment

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Disable the btrfs Module

  1. Check that the btrfs module is loaded on the system by running the lsmod command.

Источник

Kernel hardening: Disable and blacklist Linux modules

The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can be easily added to a run kernel, by loading the related module. While that is great, it can also be misused. You can think of loading malicious modules (e.g. rootkits), or unauthorized access to the server and copy data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module. In this case, we specifically disallow the ones we don’t want.

Blacklisting modules

Blacklisting modules is one way to disallow them. This defines which modules should no longer be loaded. However, it will only limit the loading of modules during the boot process. You can still load a module manually after booting.

Читайте также:  Importerror no module named twisted web kali linux

Blacklisting a module is simple. Create a file in the /etc/modprobe.d directory and give it a proper name (e.g. blacklist-module.conf).

Blacklisting firewire

Let’s say we want to blacklist firewire. We first have to determine what modules are available. By using find, we can quickly determine the related kernel drivers:

[root@arch kernel]# find /lib/modules/`uname -r` -name *firewire* /lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire /lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-ohci.ko.gz /lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-core.ko.gz /lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-sbp2.ko.gz /lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-net.ko.gz /lib/modules/4.0.1-1-ARCH/kernel/drivers/media/firewire /lib/modules/4.0.1-1-ARCH/kernel/drivers/staging/fwserial/firewire-serial.ko.gz /lib/modules/4.0.1-1-ARCH/kernel/sound/firewire /lib/modules/4.0.1-1-ARCH/kernel/sound/firewire/snd-firewire-lib.ko.gz

Now we know there are multiple modules, most part of the drivers and one in the sound section. If we want to disable all these modules, we could simply blacklist them all. Or block the generic category.

Gathering module information

By using modinfo, we can gather the details about a particular module. In this case, we have a look at the snd-firewire-lib module and see what it does:

Screenshot of modinfo which shows a dependency

modinfo shows on which a module depends

We can see it depends on firewire-core. Let’s have a look at the firewire-core module itself:

Screenshot of modinfo of firewire core module

Details of firewire core module

The details of the firewire-core module show that is responsible for firewire itself. It is the core unit itself and doing the transaction logic within the IEEE1394 protocol specifications. We can see it is depending on the CRC-ITU-T standard.

By blacklisting the firewire-core, we effectively disable any module depending on it. In this case, we don’t blacklist the crc-itu-t module, to prevent other modules from properly functioning.

The related snippet to blacklist would be:

/etc/modprobe.d/blacklist-firewire.conf

See blacklisted modules

To see what modules are currently blacklisted, we can use the modprobe command:

[root@arch kernel]# modprobe --showconfig | grep blacklist blacklist firewire_core

This will show all modules which are blacklisted.

Disable modules

The next level of blacklisting modules is to actually disable them. This way they won’t be loaded unintentionally.

To disable a module, we have to redirect a module via the install option. Modprobe will try to load the related file. By defining a module as /bin/true, it won’t be loaded.

Screenshot of modprobe failing

Using the install option we can avoid loading modules

To see what modules are currently disabled via install, we can use modprobe as well:

[root@arch kernel]# modprobe --showconfig | grep "^install" | grep "/bin" install firewire_core /bin/true install firewire_ohci /bin/true

Note: the root user can still override settings, by using the –ignore-install parameter. In that case, the module can still be loaded.

Besides the install routine, there is also an alias option. This might be used to redirect a module to /dev/null for example.

Conclusion

By using the right combination of blacklist, install and alias, we can disallow the loading of Linux kernel modules. They form the first level of defense against unintentional and unauthorized module loading. By using the kernel setting kernel.modules_disabled and set its value to 1, we can make sure things are really tightened. Even the root user can not load any modules anymore.

Читайте также:  Checkpoint endpoint security vpn linux

Useful commands

When working with kernel modules, here are some of the most common commands:

  • Blacklisted and disabled modules
    • modprobe –showconfig | egrep “^(blacklist|install)”
    • find /lib/modules/`uname -r` -print
    • lsmod
    • modprobe module
    • modprobe -r module
    • modinfo module

    Questions or other tips? Share it in the comments.

    One more thing.

    Keep learning

    So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

    Lynis Enterprise screenshot to help with system hardening

    Security scanning with Lynis and Lynis Enterprise

    Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.

    Источник

    How to disable a kernel module on Linux?

    A long time ago, Linux had a lot of hardware problems. Nowadays, they have not disappeared completely but it is fair to say that practically everything is supported. Precisely that is the reason why many times the Linux kernel has incorporated many modules for hardware that we do not use. Then, with some knowledge, we will be able to disable a kernel module on Linux.

    What is a kernel Module?

    First of all, it is harassing to know what a Kernel module is. A kernel module is a fragment of the object code that is incorporated into the kernel to extend its functionality. Generally, modules are integrated into the kernel to support a new hardware or file system. It is even possible to find modules that add other capabilities to the kernel such as improvements in the data processing.

    Therefore, for each piece or component of hardware that we own, it is necessary that there is a module in the kernel that recognizes it. The problem, sometimes, is that the Linux kernel has loaded modules that we will probably never use. So, in some cases, it’s a good idea to disable them.

    Note: Be careful disabling kernel modules. A bad decision could cause problems in your system.

    It is possible to disable a kernel module permanently or temporarily. All this, according to our needs.

    Permanently disable a kernel module

    For this post, I will pose the following situation. There is a kernel module called floppy that manages a floppy disk drive. Currently, practically no equipment uses floppy disks, so loading that module is unnecessary. In addition, it slows down the system startup and consumes resource. So, let’s disable it.

    To do this, you need to create a blacklist file and add that module.

    :~$ su :~# nano /etc/modprobe.d/local-blacklist.conf

    Then, save the file and then close it.

    However, if the module is dependent on another module, it will be loaded even though it has been blacklisted. Therefore, it is necessary to add one more parameter.

    If the kernel module is part of initramfs (boot configuration), the initramfs must be regenerated.

    After that, reboot the system.

    On the other hand, before performing this process verify that the module is not in /etc/modprobe.conf, /etc/modprobe.d/, /etc/rc.modules or /etc/sysconfig/modules/.

    Disable a kernel module temporarily

    Now. It is possible to disable a kernel module temporarily. Useful in certain cases to test a specific function. To do this, simply run the following command:

    And that’s it. That way you can disable it. If you want to reverse this, you can enable it again.

    Finally, if you want to list all enabled modules

    Conclusion

    Disabling even a kernel module is a delicate thing but it can help us to have more control over our Linux distribution. In addition to this, it is time to improve system performance.

    Please share this post with your friends.

    Источник

    Disable a Kernel Module on Oracle Linux

    In this lab you unload a kernel module on an Oracle Linux instance and configure the system to prevent the module from loading at boot time. You can use this knowledge to disable kernel modules for hardware that might be causing a problem on a system or that may be flagged for a vulnerability.

    Objectives

    This lab shows how to disable the btrfs Linux kernel module on Oracle Linux and to prevent it from loading at boot time. The btrfs module is used for demonstration purposes but you could use the same procedure to disable any other Linux kernel module on a system. The main steps are outlined below:

    • Disable the module using modprobe
    • Add the module to the kernel module deny list
    • Create a backup of the existing initramfs
    • Rebuild the initramfs by using dracut to exclude the module

    Note: Disabling modules can have unintended consequences and can prevent a system from booting properly or from being fully functional after boot. In this tutorial we demonstrate creating a backup ramdisk image as best practice to make sure that you are able to recover in the event that a change prevents boot.

    What Do You Need?

    Setup the Lab Environment

    Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

    Disable the btrfs Module

    1. Check that the btrfs module is loaded on the system by running the lsmod command.

    Источник

Оцените статью
© 2023 Posetke
Adblock
detector