
kernel.modules_disabled breaks iptables

Open d4t4king opened this issue 2 years ago • 3 comments

Describe the bug: This tool recommends setting the sysctl value "kernel.modules_disabled" to 1. This may cause an issue when loading modules such as iptables, etc.

Version

  • Distribution: Ubuntu 20.04.3 LTS (aws)

  • Lynis version: 3.0.7

Expected behavior: Setting this value should disable loading of undesired kernel modules.

Output:

  • There should be a warning or something that setting this value can have adverse effects.

Additional context: I'm not blaming lynis for recommending this setting. I just think there should be a warning associated that setting the configuration item could have adverse effects.

d4t4king avatar Nov 17 '21 08:11 d4t4king

kernel.modules_disabled=1 can also cause login problems:

Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details.

Press Enter to continue.

knlnlo avatar Nov 24 '21 02:11 knlnlo

Yes, but it's working as intended. Test before enabling.

For example:

https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/: "Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases."

https://github.com/systemd/systemd/issues/13540: "This would break various applications that require kernel auto module loading. For example kloak would no longer start. (Upstream bug report: vmonaco/kloak#16) Other applications break too such as for example VirtualBox guest additions and either X or XFCE."

konstruktoid avatar Nov 24 '21 09:11 konstruktoid
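The "test before enabling" advice above can be turned into a pre-flight check. The script below is an added example, not part of lynis or of this thread: because kernel.modules_disabled=1 cannot be cleared without a reboot, it verifies that every module the host needs (here the netfilter stack behind iptables) is already loaded before the sysctl is applied. The module list and the constructed /proc/modules sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not lynis project code). Pre-flight check before setting
# kernel.modules_disabled=1: the sysctl is one-way, so anything that still
# needs to be loaded later (iptables backends, br_netfilter, USB drivers)
# will fail afterwards. The check is plain text processing over the
# /proc/modules format so it can run on a constructed sample or the live file.

# missing_modules REQUIRED MODULES_TEXT
# Prints each name in REQUIRED (space-separated) that does not appear as a
# loaded module in MODULES_TEXT (/proc/modules format: name is column 1).
# Returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    required="$1"
    loaded="$(printf '%s\n' "$2" | awk '{print $1}')"
    rc=0
    for m in $required; do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            printf '%s\n' "$m"
            rc=1
        fi
    done
    return $rc
}

# preflight CURRENT_VALUE MISSING_LIST
# CURRENT_VALUE is the content of /proc/sys/kernel/modules_disabled.
# Returns 0 = safe to apply, 1 = required modules missing, 2 = already set
# (nothing more can be loaded until reboot).
preflight() {
    [ "$1" = "1" ] && return 2
    [ -z "$2" ] || return 1
    return 0
}

# Constructed sample of /proc/modules: the iptables stack is loaded,
# br_netfilter is not.
SAMPLE='ip_tables 32768 2 iptable_filter, Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 1 - Live 0x0000000000000000
x_tables 53248 2 ip_tables,iptable_filter, Live 0x0000000000000000'

# Live usage (assumed module list; adjust to what the host actually needs):
#   missing=$(missing_modules "ip_tables iptable_filter x_tables br_netfilter" "$(cat /proc/modules)")
#   preflight "$(cat /proc/sys/kernel/modules_disabled)" "$missing" \
#       && sysctl -w kernel.modules_disabled=1
```

Run against the sample it reports br_netfilter as missing, so preflight refuses to apply the setting until that module is loaded (or dropped from the required list).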

> Yes, but it's working as intended. Test before enabling.
>
> For example:
>
> https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/: "Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases."
>
> systemd/systemd#13540: "This would break various applications that require kernel auto module loading. For example kloak would no longer start. (Upstream bug report: vmonaco/kloak#16) Other applications break too such as for example VirtualBox guest additions and either X or XFCE."

This documentation (or an abbreviated version) should be in the output of the tool. This would be PERFECT to have in the online documentation, which IMHO is sorely neglected for this tool, in general.

d4t4king avatar Nov 25 '21 05:11 d4t4king