IBM Support

Removing specific kernel modules from a Linux system for security reasons

Troubleshooting


Problem

A security audit has discovered Linux security risk CVE-2009-2692. Red Hat recommended that users edit the /etc/modprobe.conf file by adding the following lines to the file and then saving it.

install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

You have made the recommended changes to the /etc/modprobe.conf file, but the modules are still loaded.

Resolving The Problem

Red Hat recommends that you insert the install <module> /bin/true lines so that if anyone tries to load one of the three modules, /bin/true is invoked instead. The true command is just a dummy; it has no functionality, so the module is never inserted.

However, this tactic will not work if the pppox, bluetooth, or sctp modules are already loaded. You must remove the modules from the kernel. One approach requires a system reboot while the other does not.

Removing Three Modules with a Required System Reboot
The following approach is suggested by the Red Hat Knowledgebase (http://kbase.redhat.com/faq/docs/DOC-18065):

"The mitigation steps outlined above will not work if the modules are already loaded. If the modules are loaded and cannot be removed, for example, via "modprobe -r", a reboot will be required before the changes take effect."

For example, you would run the following command to remove bluetooth:
modprobe -r bluetooth 

Then run the same command for the other two modules, and then reboot the system.

Removing Three Modules without a System Reboot
The following approach requires more steps but avoids the need for a reboot. You will use the rmmod command to remove each of the three modules:

1. Remove bluetooth.
rmmod bluetooth

2. If that doesn't work then some other modules must be using the bluetooth module. Run the following command to list the modules that are referencing the bluetooth module. 
lsmod | grep -i bluetooth

The output may be similar to the following:
bluetooth 118597 4 bnep,hidp,rfcomm,l2cap 


The first column is the module name, the second column is the size of the module, and the third column is the "Used by" column. In the above example, four other modules are using bluetooth; you will have to remove the referencing modules first.

3. Remove the modules referencing the module that you are removing. For example, you might run the following:

rmmod bnep
rmmod hidp
rmmod rfcomm
rmmod l2cap


4. If successful, then try to remove the bluetooth module.
rmmod bluetooth

5. Run the following command to confirm that bluetooth was removed.
lsmod | grep bluetooth

6. Remove pppox.
rmmod pppox

 Repeat Steps 2-5 if other modules refer to the one that you are disabling.


7. Remove sctp.
rmmod sctp

 Repeat Steps 2-5 if other modules refer to the one that you are disabling.
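
Steps 1-7 above as one script, added here as an example (it is not IBM's or Red Hat's code). It goes one step further than the text by also following modules that use the referencing modules, so the printed order is always safe to pass to rmmod. The function names and the sample lsmod text are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out the rmmod order for a module from lsmod output.
# Live use:  lsmod | removal_order bluetooth

# Constructed sample in lsmod format; sizes and counts are illustrative.
SAMPLE_LSMOD='Module                  Size  Used by
rfcomm                 75145  0
hidp                   83521  0
bnep                   49473  0
l2cap                  89281  3 rfcomm,hidp,bnep
bluetooth             118597  4 bnep,hidp,rfcomm,l2cap
sctp                  215621  1
pppox                  37961  0'

# Print the target and every loaded module that uses it, users first,
# so each name can be passed to rmmod in the order printed.
# Prints nothing when the target is not loaded.
removal_order() {
    awk -v target="$1" '
        NR == 1 && $1 == "Module" { next }   # skip the lsmod header line
        { loaded[$1] = 1; users[$1] = $4 }   # $4: comma-separated user list
        # Depth-first walk: emit all users of m before m itself.
        function visit(m,    n, i, list) {
            if (!(m in loaded) || (m in seen)) return
            seen[m] = 1
            n = split(users[m], list, ",")
            for (i = 1; i <= n; i++) visit(list[i])
            print m
        }
        END { visit(target) }
    '
}

# Heuristic: print modules whose use count ($3) is higher than the number
# of modules listed as users. That usually means a non-module holder
# (for example an open socket), and rmmod fails until it is gone.
held_by_non_modules() {
    awk 'NR == 1 && $1 == "Module" { next }
         { n = ($4 == "") ? 0 : split($4, u, ",") }
         $3 > n { print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LSMOD" | removal_order bluetooth
```

If a module named by held_by_non_modules cannot be released, the reboot approach described earlier still applies.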


Historical Number

NZ758691

Document Information

Modified date:
17 October 2019

UID

swg21572692