We can restrict kernel modules to only be loaded if they’re signed by a valid key. This increases security by making it harder to load a malicious module. We can do this by adding module.sig_enforce=1 as a kernel parameter.
https://www.kernel.org/doc/html/v4.19/admin-guide/module-signing.html
We can also prevent kernel modules from being loaded or unloaded after boot by setting kernel.modules_disabled=1 with sysctl. I don’t really see a point in this though, as module loading requires root, and if an attacker has root already, there’s no point in attempting to load a module. Even if the attacker did need to load a module, they could just set kernel.modules_disabled=0 with sysctl as they have root anyway. For some reason, the lockdown patch sets this, but I don’t see any real security advantage, only potential breakages.
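As an added example (not from the original post), here is a POSIX shell audit helper that reports both settings discussed above. It assumes the standard Linux paths /proc/cmdline, /sys/module/module/parameters/sig_enforce and /proc/sys/kernel/modules_disabled; the check functions take their input as arguments so they can be exercised against constructed strings without root or a live kernel. Two details it encodes: the sysfs value, not the command line, is the effective enforcement state (a kernel built with CONFIG_MODULE_SIG_FORCE enforces signatures with nothing on the command line), and the kernel's sysctl documentation describes kernel.modules_disabled as a one-way toggle that cannot be cleared again until reboot.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Assumed locations
# (standard on Linux):
#   /proc/cmdline                              boot parameters
#   /sys/module/module/parameters/sig_enforce  effective signature enforcement (Y/N)
#   /proc/sys/kernel/modules_disabled          the sysctl (0/1)
# The check functions take their input as arguments so they can be run
# against constructed strings.

# Print 1 if the given kernel command line enables module.sig_enforce, else 0.
# Bool parameters accept 1/y/Y (or the bare name) for on and 0/n/N for off;
# when a parameter is repeated, the last occurrence wins.
sig_enforce_from_cmdline() {
    val=0
    set -f                          # no pathname expansion while splitting
    for tok in $1; do
        case "$tok" in
            module.sig_enforce|module.sig_enforce=1|module.sig_enforce=[yY]) val=1 ;;
            module.sig_enforce=0|module.sig_enforce=[nN]) val=0 ;;
        esac
    done
    set +f
    echo "$val"
}

# Print 1 if the sysfs value (Y/N) says signatures are enforced, else 0.
# This is the value to trust: a kernel built with CONFIG_MODULE_SIG_FORCE
# enforces signatures even with nothing on the command line.
sig_enforce_effective() {
    case "$1" in
        Y|y|1) echo 1 ;;
        *)     echo 0 ;;
    esac
}

# Describe kernel.modules_disabled. The kernel documents this sysctl as
# one-way: once set to 1 it cannot be cleared before a reboot.
modules_disabled_state() {
    case "$1" in
        1) echo "disabled (locked until reboot)" ;;
        0) echo "allowed" ;;
        *) echo "unknown" ;;
    esac
}

# Exit 0 when both hardening settings are active, 1 otherwise.
# Arguments: <cmdline> <sysfs sig_enforce value> <modules_disabled value>
is_hardened() {
    [ "$(sig_enforce_effective "$2")" = 1 ] && [ "$3" = 1 ]
}

# Human-readable report over the three inputs.
report() {
    printf 'module.sig_enforce on cmdline  : %s\n' "$(sig_enforce_from_cmdline "$1")"
    printf 'signature enforcement effective: %s\n' "$(sig_enforce_effective "$2")"
    printf 'module loading                 : %s\n' "$(modules_disabled_state "$3")"
    if is_hardened "$1" "$2" "$3"; then
        echo "result: both settings active"
    else
        echo "result: not fully hardened"
    fi
}

# Read the live values when available (the sysfs file is absent on kernels
# built without module signing support and inside many containers).
audit_live() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    sysfs=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo N)
    sysctl_val=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo unknown)
    report "$cmdline" "$sysfs" "$sysctl_val"
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-x root=/dev/sda1 module.sig_enforce=1 quiet'
echo "--- constructed sample ---"
report "$SAMPLE_CMDLINE" Y 1

if [ -r /proc/cmdline ]; then
    echo "--- this host ---"
    audit_live
fi
```

Run it as root or unprivileged; the live section only reads files, and a missing sysfs entry is reported as not enforced rather than as an error.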