Clearly you know of lot about this. Here are some comments for the next human.
Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.
Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.
The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).
If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)
Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.
Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.
Clearly you know of lot about this. Here are some comments for the next human.
Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.
Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.
The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).
If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)
Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.
Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.