enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

For development / debugging it is useful to use sort to format the output of lsmod to make it more readable and comparable. I.e.:

sudo lsmod | sort

And write to a file.

sudo lsmod | sort > lsmod_before

Then disable module loading. And load some modules through the /usr/lib/modules-load.d folder or so. Then look at lsmod again.

sudo lsmod | sort > lsmod_after

Then compare.

meld lsmod_before lsmod_after

Use of kernel.modules_disabled=1 is now possible and initially documented:
Operating System Hardening - Kicksecure

However, I don’t think the current approach using the /usr/lib/modules-load.d folder is a good implementation. Therefore it is not committed to git yet. Just a proof of concept. It would be better to load those systemd units that require kernel modules early enough, before systemd-sysctl.service. Thereby we could avoid being the first distribution writing to the /usr/lib/modules-load.d folder.

The problem with /usr/lib/modules-load.d is:

  • non-standard
  • not yet discussed with any upstream
  • manually maintained module lists might get outdated after kernel upgrades, things might break

We’re not the first ever to have this issue. The bug was reported here https://bugzilla.redhat.com/show_bug.cgi?id=1198949 and then dismissed. That doesn’t discourage us from discussing this elsewhere.


lsmod columns here:

Module Size Used by

Modules have “dependency trees”. Therefore I skipped adding those modules to /usr/lib/modules-load.d which are not Used by other modules. The idea was to only add the “top level” modules and let dependencies resolve themselves, so that in case dependencies change in later kernel versions (fewer modules perhaps) no update of the file would be required.


Working on this seems worthwhile. Thereby we can review which kernel modules are loaded, learn new things, and perhaps reduce attack surface. For example:

A graphical session (perhaps X, XFCE and/or lightdm) automatically loads module binfmt_misc. Seems to be this:

Dunno yet if it is a good idea to have this in the kernel. It’s possible to avoid loading this module too, but I don’t know yet if it breaks anything.
