Protect a Kernel Module

You can protect the loading and unloading of kernel modules, and so help protect the operating system.
capamsc141
You can protect the loading and unloading of kernel modules, and so help protect the operating system.
To protect a kernel module:
Ensure that you have enabled kernel module protection. Create a KMODULE record in
PAM Server Control
.
    1. To create a kernel module, define:
      • The name of the kernel module
        On all non-Linux systems, the name of the KMODULE record must match the name of the kernel module file (not the full path). This is because the name of the module is the same as the name of the file. On Linux, the name of KMODULE record needs to match only the name of the kernel module, which, might be different from the actual file name.
      • The owner of the record (defaults to the user creating the module)
      • (Optional) The absolute file path to the kernel module file, or a list of file paths if there is more than one version of the module.
On HP and Solaris systems, you can define the special kernel module _ALL_MODULES to protect the unloading of all kernel modules.
  1. Define the users or groups that are authorized to load and unload the module.
Example: Protect a Kernel Module Using selang Commands
The following selang commands define and authorize a kernel module serial.o to 
PAM Server Control
, and authorizes the enterprise user kadmin to load and unload it:
newres kmodule serial.o owner(kadmin) defaccess(none) \ filepath(/lib/modules/2.2.19/serial.o:/lib/modules/2.2.20/serial.o) authorize kmodule serial.o access(load, unload) xuid(kadmin)