
kernel.modules_disabled breaks iptables #1233

Open
d4t4king opened this issue Nov 17, 2021 · 3 comments

Comments

@d4t4king
Contributor

Describe the bug
This tool recommends setting the sysctl value "kernel.modules_disabled" to 1. This may cause an issue when loading modules such as iptables, etc.

Version

  • Distribution: Ubuntu 20.04.3 LTS (aws)

  • Lynis version: 3.0.7

Expected behavior
Setting this value should disable loading of undesired kernel modules.

Output

  • There should be a warning or something that setting this value can have adverse effects.

Additional context
I'm not blaming lynis for recommending this setting. I just think there should be a warning associated that setting the configuration item could have adverse effects.

@knlnlo

knlnlo commented Nov 24, 2021

kernel.modules_disabled=1 can also cause login problems:

Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details.

Press Enter to continue.

@konstruktoid
Contributor

Yes, but it's working as intended. Test before enabling.

For example:

https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/:
"Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases."

systemd/systemd#13540:
"This would break various applications that require kernel auto module loading. For example kloak would no longer start. (Upstream bug report: vmonaco/kloak#16) Other applications break too such as for example VirtualBox guest additions and either X or XFCE."

@d4t4king
Contributor Author

> Yes, but it's working as intended. Test before enabling.
>
> For example:
>
> https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/: "Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases."
>
> systemd/systemd#13540: "This would break various applications that require kernel auto module loading. For example kloak would no longer start. (Upstream bug report: vmonaco/kloak#16) Other applications break too such as for example VirtualBox guest additions and either X or XFCE."

This documentation (or an abbreviated version) should be in the output of the tool. This would be PERFECT to have in the online documentation, which IMHO is sorely neglected for this tool, in general.
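The "test before enabling" advice in this thread, as an added example (not code from the Lynis project or from either commenter): a POSIX shell pre-flight check that parses the /proc/modules format and reports which modules a firewall setup depends on are not yet resident. Once kernel.modules_disabled is 1 the kernel refuses all further module loads until reboot, so anything iptables would auto-load on first use must already be loaded beforehand; the module names passed in are assumptions to adjust per host.

```shell
#!/bin/sh
# Pre-flight check before setting kernel.modules_disabled=1.
# Added example; assumes the /proc/modules line format
# "name size refcount deps state addr" (first field is the module name).

# Constructed sample of /proc/modules content so the check runs offline.
SAMPLE_MODULES="x_tables 53248 2 ip_tables,nf_tables, Live 0x0000000000000000
ip_tables 36864 0 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000"

# missing_modules MODULES_TEXT MOD1 [MOD2 ...]
# Prints the required modules not present in MODULES_TEXT (space separated).
# Returns 0 when every required module is resident, 1 otherwise.
missing_modules() {
    text=$1; shift
    missing=""
    for m in "$@"; do
        # Match on the first column only; "ip_tables" must not match "iptable_filter".
        if ! printf '%s\n' "$text" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# preflight MOD1 [MOD2 ...]: run on the live host before applying the sysctl.
# Warns when the setting is already 1 (irreversible until reboot) and lists
# required modules that are not resident; modprobe them and re-run before enabling.
preflight() {
    cur=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo unknown)
    if [ "$cur" = 1 ]; then
        echo "kernel.modules_disabled is already 1: no further modules can load until reboot"
    fi
    miss=$(missing_modules "$(cat /proc/modules 2>/dev/null)" "$@") \
        && echo "all required modules resident; safe to set kernel.modules_disabled=1" \
        || echo "not resident, load first: $miss"
}

# Only touches /proc when run on a real Linux host; module list is an assumption.
if [ -r /proc/modules ]; then
    preflight ip_tables x_tables iptable_filter nf_conntrack
fi
```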
