Description of problem:
To block rootkits, you can use the sysctl parameter kernel.modules_disabled (set to 1) to disable, 0 does nothing.

Version-Release number of selected component (if applicable):
All versions

How reproducible:
100%

Steps to Reproduce:
1) Using a QEMU/KVM VM, use virtio for network (or any network driver that has a kernel module). This may also likely break on non-virtualized systems.
1. Create a /etc/sysctl.d/harden.conf file, add kernel.modules_disabled=1
2. Save changes, reboot VM/system
3. When system comes up, no network available because no kernel module was loaded in time prior to the restriction being set.

Actual results:
Fails to start

Expected results:
Should have modules loaded prior to sysctl values being set.

Additional info:
I have not tested this yet with NetworkManager but will be doing also to confirm this happens as well.
The sysctl parameter lets you prevent further *new* kernel modules from being loaded after this value is set to 1; prior to this, modules will be loaded.
Workaround: use rc.local and set this with sysctl command.
In a Linux system, modules can generally be loaded at any time. If you plug in new hardware, try to make a connection using some protocol family, use a different encryption algorithm, etc. Disabling module loading, while useful, is a very specialized setup. If you want to do it, you probably need to set the value after the system is fully booted. This should work, but you're on your own, and the bug tracker is not the right place for this.
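Both the reporter's workaround (set the knob from rc.local) and the maintainer's advice (set it only after the system is fully booted) come down to ordering: the sysctl must be applied after every module the system needs is already resident. The script below is an added example, not code from the bug report or from the project; it assumes systemd, a made-up unit name late-modules-disabled.service, and module names such as virtio_net chosen only for illustration. It provides a pre-flight check that the required modules are loaded and that the knob is still 0 (once set to 1 it cannot be reset without a reboot), and it emits a oneshot unit ordered after network-online.target so the network driver from the report is loaded before loading is locked down.

```shell
#!/bin/sh
# Added example (not from the bug report or its comments): helpers for applying
# kernel.modules_disabled=1 late in boot, after the modules the system relies
# on have been loaded. The unit name "late-modules-disabled.service" and the
# module names passed to required_modules_loaded are illustrative assumptions.

# Print the current value of kernel.modules_disabled: "0", "1", or
# "unavailable" when the kernel does not expose the knob. Optional $1 overrides
# the procfs path so the function can be exercised on a saved copy.
modules_disabled_state() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo unavailable
    fi
}

# Check that every module named in $2.. appears in the /proc/modules-style
# file $1 (module name is the first field). Returns 1 on the first missing
# module. Run this before flipping the knob: once it is 1 it cannot be reset
# to 0 without a reboot, so a driver that is still missing stays missing.
required_modules_loaded() {
    modfile="$1"; shift
    for mod in "$@"; do
        grep -q "^$mod " "$modfile" 2>/dev/null || return 1
    done
    return 0
}

# Emit a systemd oneshot unit ordered after network-online.target, so the
# sysctl is applied only once the network (and thus its driver module) is up.
# Install with:
#   late_unit > /etc/systemd/system/late-modules-disabled.service
#   systemctl enable late-modules-disabled.service
late_unit() {
    cat <<'EOF'
[Unit]
Description=Disable further kernel module loading after boot has completed
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/sbin/sysctl -w kernel.modules_disabled=1

[Install]
WantedBy=multi-user.target
EOF
}

# Typical use on a virtio guest, as in the report:
#   required_modules_loaded /proc/modules virtio_net \
#     && [ "$(modules_disabled_state)" = "0" ] \
#     && late_unit > /etc/systemd/system/late-modules-disabled.service
```

The same ExecStart line could go in /etc/rc.local as the reporter suggests, but rc-local.service is ordered only after network.target, which does not wait for an interface to be configured; network-online.target does, provided the distribution's wait-online service (NetworkManager-wait-online or systemd-networkd-wait-online) is enabled, which is worth confirming when repeating the reporter's NetworkManager test. Whatever mechanism is used, keep the pre-flight check: any module needed later (a filesystem, a crypto algorithm, hot-plugged hardware) must already be loaded, because the lockdown is irreversible for the rest of the uptime.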