CME-107

Kernel Module Loading Restriction

Harden OS/Kernel High Confidence

Description

Disables dynamic kernel module loading at runtime, preventing insertion of rootkits or malicious kernel code after boot.

CVSS Vector Impacts

Metric Transition Rationale
Attack Complexity (AC) L H Cannot load malicious kernel modules even with root access
Integrity (I) H L Prevents kernel-level persistence via modules

CWE Relationships

CWE-94 CWE-829

Verification

Check modules_disabled sysctl

$ cat /proc/sys/kernel/modules_disabled
# Expected: 1
Platform: linux
← CME-106: SMAP (Supervisor Mode Access Prevention) CME-108: kptr_restrict (Kernel Pointer Restriction) →