Date: Mon, 05 Mar 2001 12:55:46 -0500
From: Bill Moran <wmoran@iowna.com>
To: Charles Burns <burnscharlesn@hotmail.com>
Cc: questions@FreeBSD.ORG
Subject: Re: Disabling kernel modules
Message-ID: <3AA3D322.35F92B08@iowna.com>
References: <F3EkGhAj5p1Fjxe0ymQ00005c28@hotmail.com>

Charles Burns wrote:
> Several documents that I have read which were related to securing FreeBSD
> recommended disabling loadable kernel modules. I haven't done this because I
> do not know how FreeBSD works with modules.
> I come from the Linux world where, unlike in FreeBSD, modules are used very
> extensively.
> Would someone be so kind as to tell me what problems may occur by disabling
> kernel modules?
> I currently do not manually start any modules, but I have noticed that
> modules are compiled when I rebuild the system. Are these modules loaded
> automatically? If so, will disabling loadable module support disable the
> services that these modules provide, or will they be automatically compiled
> into the kernel, or are those modules unimportant, or...?
> Thanks for help ahead of time.
> I would like to have an unnecessarily secure server (if such a thing is
> possible), but don't want to kill the server while securing it.

You'll probably break things here and there as you secure it (in my
experience). Just take it one step at a time, keep track of what you do,
test, and be ready to reverse any changes if something stops working.

Generally, a number of things in FreeBSD can be either modules (KLD) or
compiled into the kernel. If you disable many features (such as FAT
filesystem support) in a kernel, they can still be loaded as modules if
needed.

Use kldstat(8) to see which modules are loaded at any time. See the man
pages for kldstat(8) as well as kldload(8) and kldunload(8).

Raising the securelevel of the system prevents loading new klds after the
system has started. I believe that klds specified to load during boot will
still be started, but you can't change the loaded klds afterwards.

The man pages are a good read; man kld(4) is also helpful.

-Bill
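
Added example, not part of the message above and not FreeBSD project code: a small sh audit that flags a securelevel below 1 (module loading still allowed at runtime) and any module in kldstat(8) output that /boot/loader.conf did not request at boot. The kldstat and loader.conf text is constructed sample data, the function names are hypothetical, and the foo_load="YES" -> foo.ko mapping is a simplifying assumption.

```sh
#!/bin/sh
# On a live FreeBSD host the three inputs would come from:
#   sysctl -n kern.securelevel ; kldstat ; cat /boot/loader.conf
# Constructed sample data so the script runs anywhere:
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 2f4a3c   kernel
 2    1 0xc0bf5000 4f28     msdos.ko
 3    1 0xc0c01000 11a40    example_unknown.ko'

SAMPLE_LOADER_CONF='# constructed /boot/loader.conf
msdos_load="YES"
snd_load="NO"'

# Modules loader.conf asks for at boot. Assumption: foo_load="YES" maps to
# foo.ko; a foo_name= override is not handled here.
boot_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_load="[Yy][Ee][Ss]".*/\1.ko/p'
}

# Currently loaded modules: fifth column of kldstat, header line skipped.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $5 }'
}

# audit_klds SECURELEVEL KLDSTAT_TEXT LOADER_CONF_TEXT
# Prints one finding per line; returns 0 if clean, 1 if anything was reported.
audit_klds() {
    level=$1
    findings=0
    if [ "$level" -lt 1 ]; then
        echo "securelevel=$level: kldload/kldunload still permitted at runtime"
        findings=1
    fi
    expected=$(boot_modules "$3")
    for mod in $(loaded_modules "$2"); do
        [ "$mod" = "kernel" ] && continue
        if ! printf '%s\n' "$expected" | grep -qxF -- "$mod"; then
            echo "unexpected module loaded: $mod"
            findings=1
        fi
    done
    return $findings
}
```

A module pulled in as a dependency of a requested one will also be reported, so treat the output as a list to review and record, not as proof of tampering.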