Lab 109: Persistent Module Configuration

Persist kernel module behavior across reboots by blacklisting an unwanted module and setting module options under /etc/modprobe.d. Validate that configuration is applied and rebuild initramfs so early boot honors the policy.

kernel modules hardening

Scenario

A workstation fleet is loading an unnecessary legacy module that creates noise during troubleshooting. You will enforce a persistent blacklist for an unwanted module and define persistent options for a safe practice module, then validate the policy using standard tooling.

Operator context

Persistent module policy should be documented and reviewed. A blacklist can disable hardware functionality, and options can change system behavior in ways that are not obvious during incident response.

Objective

  • Create a persistent blacklist entry for an unwanted module using /etc/modprobe.d.
  • Verify that the blacklist is present and effective.
  • Create a persistent module option configuration for a safe module.
  • Validate that module configuration is recognized by modprobe.
  • Rebuild initramfs so early boot honors module policy.
  • Confirm expected load state using lsmod and a test load operation.

Concepts

  • How /etc/modprobe.d/*.conf changes module behavior system-wide.
  • The difference between a blacklist (prevents loading) and unloading (removes from the running kernel).
  • Option precedence and why modprobe -c is the best validation view.
  • Why initramfs rebuilds matter for modules loaded in early boot.

Walkthrough

Step 1: Persistently blacklist pcspkr.
Command
echo 'blacklist pcspkr' | sudo tee /etc/modprobe.d/blacklist-pcspkr.conf

Files under /etc/modprobe.d are read by the module loader. Blacklisting prevents automatic loads and commonly blocks manual loads via modprobe.

Output
blacklist pcspkr

Step 2: Verify the blacklist entry exists.
Command
grep -R '^blacklist pcspkr' /etc/modprobe.d

This confirms the policy is written to disk in the correct location and helps you spot duplicates or conflicting entries.

Output
/etc/modprobe.d/blacklist-pcspkr.conf:blacklist pcspkr

Step 3: Attempt to load the blacklisted module.
Command
sudo modprobe pcspkr

This is a quick functional check. If the module is already loaded, blacklisting does not remove it from the running kernel.

Output
modprobe: ERROR: Module pcspkr is blacklisted.

Step 4: Create persistent options for loop.
Command
echo 'options loop max_loop=16' | sudo tee /etc/modprobe.d/loop.conf

Module option files define default parameters applied when the module is loaded. This is a common tuning pattern that avoids editing bootloader configuration.

Output
options loop max_loop=16

Step 5: Validate the option is recognized by the module loader.
Command
modprobe -c | grep -E '^options\s+loop\b'

modprobe -c prints the resolved configuration after reading all relevant config files. This is the clearest way to confirm your option line is being picked up.

Output
options loop max_loop=16

Alternate
modinfo -p loop

modinfo -p lists supported parameters. It does not confirm your configured value, but it confirms the parameter exists and is valid.

Step 6: Rebuild initramfs so early boot honors module policy.
Choose one

Use the initramfs tool that matches your distribution. Do not run all of them.

Command
# Debian or Ubuntu
sudo update-initramfs -u

# RHEL or Fedora
sudo dracut -f

# Arch
sudo mkinitcpio -P

If a module is loaded from initramfs during early boot, your policy must exist in that image. Rebuilding initramfs helps ensure consistent boot-time behavior.

# Example output:
update-initramfs: Generating /boot/initrd.img-...

Step 7: Confirm pcspkr is not loaded, then load loop.
Command
lsmod | grep -E '^pcspkr(\s|$)'

Blacklisting prevents loads but does not automatically remove a module that is already loaded. This confirms current runtime state.

# No output means pcspkr is not loaded.

Command
sudo modprobe loop

Loading the module confirms it is available and that policy is not preventing normal module operations.

Command
lsmod | grep -E '^loop(\s|$)'
Output
loop                   45056  0

Common breakpoints

modprobe does not report “blacklisted”

Your distro may allow manual loading even when blacklisted, or the module may already be loaded. Validate the config with modprobe -c and confirm current state with lsmod.

The module still loads in early boot

The policy may not be present in initramfs or the module may be built in. Rebuild initramfs with the correct tool and verify the module type and load path.

Conflicting options appear in modprobe -c

Multiple config files can define options for the same module. Locate duplicates under /etc/modprobe.d and ensure your intended file name and content are correct.
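
To locate those duplicates, the following is an added example (not part of the original lab) that scans one or more modprobe.d-style directories, lists every blacklist entry with its file, and reports any module parameter that is set in more than one place. The function names audit_modprobe and make_sample are hypothetical, and the sample tree is constructed to stand in for /etc/modprobe.d.

```shell
#!/bin/sh
# Added example: audit modprobe.d-style directories (hypothetical helper names).
# Records printed, one per line, sorted:
#   blacklist <module> <file>
#   duplicate <module>.<param> <file>:<param=value> ...
# Continuation lines (trailing backslash) are not joined.
audit_modprobe() {
    find "$@" -maxdepth 1 -type f -name '*.conf' -exec awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        { mod = $2; gsub(/-/, "_", mod) }      # "-" and "_" are equivalent in module names
        $1 == "blacklist" { print "blacklist " mod " " FILENAME }
        $1 == "options" {
            for (i = 3; i <= NF; i++) {
                key = $i; sub(/=.*/, "", key)  # parameter name without its value
                id = mod "." key
                count[id]++
                where[id] = where[id] " " FILENAME ":" $i
            }
        }
        END {
            for (id in count)
                if (count[id] > 1) print "duplicate " id where[id]
        }' {} + | sort
}

# Constructed sample tree standing in for /etc/modprobe.d.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'blacklist pcspkr\n' > "$d/blacklist-pcspkr.conf"
    printf 'options loop max_loop=16\n' > "$d/loop.conf"
    # A second file that sets the same parameter, plus a commented-out directive.
    printf '# blacklist loop\noptions loop max_loop=8\n' > "$d/zz-local.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_modprobe "$sample"
rm -rf "$sample"
```

On a lab host, run audit_modprobe /etc/modprobe.d and compare the result with modprobe -c.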

Cleanup checklist

If this is a shared system or you want to reset lab state, remove the policy files you created and rebuild initramfs again with your distro’s tool.

Commands
sudo rm -f /etc/modprobe.d/blacklist-pcspkr.conf /etc/modprobe.d/loop.conf
modprobe -c | grep -E '^(blacklist\s+pcspkr|options\s+loop\b)' || true

Note

If you remove policy and need early boot to reflect it, rebuild initramfs again using the correct distro tool.

Reference

  • /etc/modprobe.d/*.conf : Persistent module loader configuration (blacklists and default options).
    • Read by modprobe when resolving module load behavior.
  • modprobe : Loads and unloads kernel modules with dependency awareness.
    • -c : Prints the resolved configuration after reading all config files.
  • modinfo : Displays module metadata and supported parameters.
    • -p : Lists parameters the module supports.
  • lsmod : Lists currently loaded kernel modules.
    • Output includes module name, size, and “Used by” count.
  • update-initramfs : Rebuilds initramfs (Debian or Ubuntu).
    • -u : Updates the existing initramfs image for the current kernel.
  • dracut : Rebuilds initramfs (RHEL or Fedora).
    • -f : Forces regeneration of the initramfs image.
  • mkinitcpio : Rebuilds initramfs (Arch).
    • -P : Rebuilds initramfs for all presets.
  • tee : Writes stdin to a file (useful with sudo for root-owned paths).
    • -a : Appends instead of overwriting.
  • grep : Searches text using patterns.
    • -R : Recursively searches a directory.
    • -E : Uses extended regular expressions.
  • blacklist : modprobe.d directive that prevents module auto-loading.
    • Does not remove a module that is already loaded.
  • options : modprobe.d directive that sets default module parameters at load time.
    • Format: options <module> param=value.