mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-26 19:19:22 -05:00
Merge pull request #148 from monsieuremre/module-loading-hardening
Harden the loading of new modules to the kernel after install
commit
36f3c30440
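--- /dev/null
+++ b/lib/systemd/system/harden-module-loading.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Disable the loading of modules to the kernel after startup. This could be malicious.
+After=systemd-modules-load.service
+Before=sysinit.target
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target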
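Review bot: The unit sets `Before=sysinit.target` without `DefaultDependencies=no`, and a service unit with default dependencies also receives an implicit `Requires=sysinit.target` and `After=sysinit.target`, so the [Unit] section asks for both orderings at once. systemd resolves such an ordering cycle by dropping a job, which may be this one, and in that case the system boots with module loading still enabled and no visible failure. Adding `DefaultDependencies=no` to [Unit] would remove the cycle. `After=systemd-modules-load.service` also covers only the static modules-load.d list; modules that udev or a later service requests on demand would presumably be refused once the sysctl is set, which deserves a line in the comment block.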
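--- /dev/null
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sysctl -w kernel.modules_disabled=1
+
+echo "The loading of new modules to the kernel has been disabled by security-misc"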
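Review bot: The script reports success whether or not the sysctl write worked: there is no `set -e` and the return status of `sysctl -w kernel.modules_disabled=1` is never checked, so the script's exit status is that of the final `echo`. If the write fails, the journal still says module loading was disabled and the oneshot unit shows as succeeded while the kernel keeps accepting modules. Make the failure visible to systemd, for example `sysctl -w kernel.modules_disabled=1 || exit 1`, so the message is printed only after a successful write.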