Merge pull request #148 from monsieuremre/module-loading-hardening

Harden the loading of new modules to the kernel after install
2024-12-26 06:19:24 -05:00 · 2023-11-05 17:41:56 -05:00 · 2023-11-05 17:41:56 -05:00 · 36f3c30440
commit 36f3c30440
parent 4fda9d2e84 2e64d89b04
2 changed files with 19 additions and 0 deletions
--- a/lib/systemd/system/harden-module-loading.service
+++ b/lib/systemd/system/harden-module-loading.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Disable the loading of modules to the kernel after startup. This could be malicious.
+After=systemd-modules-load.service
+Before=sysinit.target
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target
--- a/usr/libexec/security-misc/disable-kernel-module-loading
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@ -0,0 +1,5 @@
+#!/bin/bash
+
+sysctl -w kernel.modules_disabled=1
+
+echo "The loading of new modules to the kernel has been disabled by security-misc"