Blacklisting modules

Blacklisting modules is one way to disallow them. This defines which modules should no longer be loaded. However, it will only limit the loading of modules during the boot process. You can still load a module manually after booting.

Blacklisting a module is simple. Create a file in the /etc/modprobe.d directory and give it a proper name (e.g. blacklist-module.conf).

Blacklisting firewire

Let’s say we want to blacklist firewire. We first have to determine what modules are available. By using find, we can quickly determine the related kernel drivers:

# find /lib/modules/`uname -r` -name *firewire*
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-ohci.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-core.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-sbp2.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/firewire/firewire-net.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/drivers/media/firewire
/lib/modules/4.0.1-1-ARCH/kernel/drivers/staging/fwserial/firewire-serial.ko.gz
/lib/modules/4.0.1-1-ARCH/kernel/sound/firewire
/lib/modules/4.0.1-1-ARCH/kernel/sound/firewire/snd-firewire-lib.ko.gz

Now we know there are multiple modules, most part of the drivers and one in the sound section. If we want to disable all these modules, we could simply blacklist them all. Or block the generic category.

Gathering module information

By using modinfo, we can gather the details about a particular module. In this case, we have a look at the snd-firewire-lib module and see what it does:

We can see it depends on firewire-core. Let’s have a look at the firewire-core module itself:

The details of the firewire-core module show that is responsible for firewire itself. It is the core unit itself and doing the transaction logic within the IEEE1394 protocol specifications. We can see it is depending on the CRC-ITU-T standard.

By blacklisting the firewire-core, we effectively disable any module depending on it. In this case, we don’t blacklist the crc-itu-t module, to prevent other modules from properly functioning.

The related snippet to blacklist would be:

/etc/modprobe.d/blacklist-firewire.conf

blacklist firewire-core

See blacklisted modules

To see what modules are currently blacklisted, we can use the modprobe command:

# modprobe --showconfig | grep blacklist
blacklist firewire_core

This will show all modules which are blacklisted.

Disable modules

The next level of blacklisting modules is to actually disable them. This way they won’t be loaded unintentionally.

To disable a module, we have to redirect a module via the install option. Modprobe will try to load the related file. By defining a module as /bin/true, it won’t be loaded.

To see what modules are currently disabled via install, we can use modprobe as well:

# modprobe --showconfig | grep "^install" | grep "/bin"
install firewire_core /bin/true
install firewire_ohci /bin/true

Note: the root user can still override settings, by using the --ignore-install parameter. In that case, the module can still be loaded.

Conclusion

By using the right combination of blacklist, install and alias, we can disallow the loading of Linux kernel modules. They form the first level of defense against unintentional and unauthorized module loading. By using the kernel setting kernel.modules_disabled and set its value to 1, we can make sure things are really tightened. Even the root user can not load any modules anymore.

Useful commands

When working with kernel modules, here are some of the most common commands:

• Blacklisted and disabled modules
  • modprobe -showconfig | egrep “^(blacklist|install)”
• Find modules
  • find /lib/modules/`uname -r` -print
• Show loaded modules
  • lsmod
• Load module
  • modprobe module
• Unload module
  • modprobe -r module
• Module details
  • modinfo module

Questions or other tips? Let it know!

This is a hardening profile to help securing nginx by using systemd unit configuration. It’s goal is to restrict what nginx can do and make it harder for any possible vulnerability to be misused.

The rationale for the selected settings is based on the analysis as part of the article Hardening nginx with systemd security features.

Relevant FAQ: How to use systemctl edit to change a service?

Notes and fine-tuning

As nginx can be tailored to multiple needs, most likely some fine-tuning is needed. Depending on external components such as PHP, temporary files may need to be made accessible. When possible, define an alternative directory and keep PrivateTmp enabled.

If you are using an older hardening profile, please upgrade at least to 0.5 or higher.

Debian

Debian systems may need an extension to ExecPaths and allow also /sbin/start-stop-daemon

Transparent proxy

When using proxy functionality (proxy_bind $remote_addr transparent), adjustments may need to be made to allow this. Otherwise nginx can’t fork the worker processes.

SecureBits=no-setuid-fixup-locked noroot-locked
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SETGID CAP_SETUID CAP_NET_RAW

Rationale: nginx uses prctl(PR_SET_KEEPCAPS, 1) before setuid(). If keep-caps-locked is set in SecureBits, an EPERM issue will occur with a fatal exit 2 code for the worker processes.

Got a more tight version that works? Let it know.

Changes

• Adjust SecureBits (0.5)
• Add PrivateTmp=yes
• Changed LockPersonality from ’true’ to ‘yes’
• Additional comments
• Add capability: CAP_SETPCAP due to usage of SecureBits
• Add SecureBits
• Allow real-time scheduling

Special thanks

To Jean-Baptiste for reporting an issue with SecureBits that may allow access to files while normally not permitted with file permissions.

Showing basic details of the journals

The size of the journals can displayed with --disk-usage, which may be useful when the file system is getting full.

# journalctl --disk-usage
Archived and active journals take up 160.0M in the file system.

To verify the integrity of the journals, use the --verify option.

# journalctl --verify
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000000001-00060ed90326924f.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000036b8-000611a51acdc7d0.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-00000000000004e2-00060ed9041f690a.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000014c26-000613a20f360102.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/user-1000@aeb5e2f412954ecfaa870c245338cb93-0000000000014e03-000613d7a3bb17e3.journal
PASS: /var/log/journal/d8bd6473290d43a9942eaba0a506a454/system@ca889eb2eae24e41b37a50d33bad131c-0000000000003334-0006113d51794916.journal

Querying the journals

There are many ways to query the journals. One of them is simply running journalctl and start scrolling. But there are better ways!

Query by time or period

Show messages of today with the --since= option and define the period.

journalctl --since="today"

To shorten the period, we can tell it to show only very recent entries of fifteen minutes ago or newer.

journalctl --since="15 minutes ago"

We can also provide a range, with the combination of since and until.

journalctl --since="2024-02-01" --until="2024-04-01"

For troubleshooting it may help to increase the period, but include a unit name to strip out much of the unneeded entries.

journalctl --unit ssh.service --since="1 week ago"

Query by priority or facility

Journalctl allows to query by priority. Here are the available levels:

Use the short notation, but now include the unit name in the output, and limit messages to a priority (including the ones with lower number, meaning a higher priority).

journalctl -S "today" --output=with-unit --priority=err

Only show some levels (notice, debug, and info)

journalctl -p 5..7

When querying by facility, which are common with syslog, define the right value. To know the available facilities, use the ‘help’.

# journalctl --facility=help
Available facilities:
kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
authpriv
ftp
12
13
14
15
local0
local1
local2
local3
local4
local5
local6
local7

Query by string

Similar to the grep tool, there are a few options available to search in the journals. It shares the same name, but is an option instead.

journalctl --grep "[bB]lock"

Regular expressions are allowed, so be aware of case-sensitive filtering.

Want to search and not worry about lowercase and uppercase?

journalctl --case-sensitive=false --grep "block"

Query only by priority ERROR

Show only the entries flagged with priority ERROR.

journalctl -p err

Or since last boot:

journalctl -b -p err

Limit output and follow

Journalctl allows to limit the output to a specific number of lines. To show the last 10 lines, which is equal to --lines=10, we can use -n.

journalctl -n

We can also combine it with a unit, and show only 5 lines.

journalctl -u ssh.service -n 5

Keep track of new additions, we can use the --follow option, similar to tail -f.

journalctl --follow

Cleaning up the journals

When the journal gets too big, decrease its size by performing a vacuum action.

journalctl --vacuum-size=256M

It is also possible to set a time period instead, like 4 weeks.

journalctl --vacuum-time=4w

Another possibility is defining the number of logs.

journalctl --vacuum-files=5

Other useful options?

Did I miss something that really should be included in this cheat sheet? Let it know!