With modern Linux kernels, you can enhance the running system with additional functionality by loading kernel modules. This feature is quite handy because it allows you to enhance or reduce features provided by the kernel on demand without rebooting the system. This makes a lot of sense on workstations where the same hardware or features aren't always used or attached to the computer.
Any process with sufficient privileges may load modules into the kernel. With the standard Linux security model, root privileges are needed. By loading kernel modules, an attacker can modify the way the kernel works. Often, this is done with a rootkit so that the modifications stay hidden, which makes detecting them quite difficult.
Many of today's Linux distributions ship their default kernel with loadable kernel module support enabled. This allows the system to work with various hardware configurations. Switching off the loadable module functionality in the kernel prevents an attacker from loading modules into the kernel, raising the barrier that must be bypassed in order to modify the kernel's functionality. Therefore, consider installing a customized kernel without loadable module support.
If recompiling the kernel isn't possible, you might check out the capabilities feature, which has been present since Linux 2.2.11. If the CAP_SYS_MODULE capability is turned off, the kernel won't allow any modules to be loaded. lcap is a handy tool to remove Linux kernel capabilities.
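To check which of these two measures is in effect on a host, the following added example (not part of the original article) reports whether the kernel exposes module support and whether CAP_SYS_MODULE is still in the capability bounding set. It assumes a kernel that reports the bounding set as the `CapBnd` field of `/proc/<pid>/status`; the function names and result labels are the example's own.

```shell
#!/bin/sh
# Added example: report which of the two hardening states described above applies.
CAP_SYS_MODULE_BIT=16    # value of CAP_SYS_MODULE in <linux/capability.h>

# has_cap_sys_module STATUS_FILE FIELD
# Returns 0 if bit 16 is set in FIELD's hex mask, 1 if clear, 2 if FIELD is missing.
has_cap_sys_module() {
    mask=$(awk -v f="$2:" '$1 == f { print $2 }' "$1" 2>/dev/null)
    [ -n "$mask" ] || return 2
    # Bit 16 sits in the low 32 bits, so the last 8 hex digits are enough.
    low=$(printf '%s' "$mask" | tail -c 8)
    [ $(( (0x$low >> CAP_SYS_MODULE_BIT) & 1 )) -eq 1 ]
}

# audit_module_loading [PROC_ROOT]
# Prints one of: no-module-support, cap-dropped, cap-available, unknown.
audit_module_loading() {
    proc_root=${1:-/proc}
    # A kernel built without loadable module support has no /proc/modules.
    if [ ! -e "$proc_root/modules" ]; then
        echo "no-module-support"
        return 0
    fi
    # CapBnd is the capability bounding set of the process being inspected.
    has_cap_sys_module "$proc_root/self/status" CapBnd && rc=0 || rc=$?
    case $rc in
        0) echo "cap-available" ;;
        1) echo "cap-dropped" ;;
        *) echo "unknown" ;;
    esac
}

# Run against the live system when executed directly.
audit_module_loading /proc
```

A result of `cap-available` on a server that never needs new modules after boot means neither measure from this article has been applied.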