To disallow the loading of malicious or unwanted modules, we can blacklist them. In order to prevent kernel modules loading during boot, the module name must be added into the blacklist file. Ensure the module is not configured to load either in /etc/modprobe.conf, /etc/modprobe.d/*, /etc/rc.modules, or /etc/sysconfig/modules/*. And then run the following commands:
1. Create a file in the /etc/modprobe.d directory and give it a related name (e.g. local-blacklist.conf). To prevent a module from being loaded directly you can add the following line to a configuration file specific to the system configuration for example /etc/modprobe.d/local-blacklist.conf:
# vi /etc/modprobe.d/local-blacklist.conf blacklist [module name]
For Example to blacklist the kernel module be2iscsi, add below entry in the file /etc/modprobe.d/local-blacklist.conf.
# vi /etc/modprobe.d/local-blacklist.conf blacklist be2iscsi
2. This will not prevent a module being loaded if it is a required or optional dependency of another module. Some kernel modules will attempt to load optional modules on demand.
This can be achieved by configuring the following setting in /etc/modprobe.d/local-blacklist.conf:
# vi /etc/modprobe.d/local-blacklist.conf install [module name] /bin/false
The above install line simply causes /bin/false to be run instead of installing a module. Same can be achieved by using the /bin/true.
3. Reboot the server for the changes to take effect.
# shutdown -r now
4. If the kernel module is part of the initramfs (boot configuration), the initramfs should be regenerated. Boot the affected kernel and run the following command to regenerate the affected kernel initramfs.
# dracut -f
Remove Module Temporarily
It is possible to remove any currently-loaded module by running:
# modprobe -r [module name]
If the module cannot be unloaded. A process or another module may still be using the module, terminate the process and unload the module using the module that is being removed.
Verify the Blacklisted module
To verify if the module is blacklisted run the command shown below.
# modprobe --showconfig | grep blacklist blacklist [module]