base: disable kernel module loading after boot

3c457b41 · godog · a6fe4189 · 3c457b41 · 3c457b41 · 3c457b41
Commit 3c457b41 authored 4 years ago by godog
--- a/roles/float-base/defaults/main.yml
+++ b/roles/float-base/defaults/main.yml
@@ -41,3 +41,7 @@ motd: |2
              **      ┣╸ ┃  ┃ ┃┣━┫ ┃ 
                      ╹  ┗━╸┗━┛╹ ╹ ╹     {{ inventory_hostname }}

+
+# Enable kernel lockdown measures (e.g. disable module loading post-boot)
+# Once enabled this feature can be disabled only with a reboot.
+kernel_lockdown_enabled: false
--- a/roles/float-base/files/disable-kmod-load.service
+++ b/roles/float-base/files/disable-kmod-load.service
+[Unit]
+Description=Disable kernel module loading
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "echo 1 > /proc/sys/kernel/modules_disabled"
+
+[Install]
+WantedBy=float-lockdown.target
--- a/roles/float-base/files/float-lockdown.target
+++ b/roles/float-base/files/float-lockdown.target
+[Unit]
+Description=float has been locked down
+Requires=multi-user.target
+After=multi-user.target
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/float-base/tasks/harden.yml
+++ b/roles/float-base/tasks/harden.yml
@@ -81,3 +81,20 @@
    state: stopped
    enabled: no
    masked: yes
+
+- name: Install lockdown systemd units
+  copy:
+    src: "{{ item }}"
+    dest: "/lib/systemd/system/{{ item }}"
+  loop:
+    - 'float-lockdown.target'
+    - 'disable-kmod-load.service'
+
+- name: Enable lockdown systemd units
+  systemd:
+    name: "{{ item }}"
+    enabled: "{{ kernel_lockdown_enabled }}"
+    daemon_reload: yes
+  loop:
+    - 'float-lockdown.target'
+    - 'disable-kmod-load.service'