Kernel module control
Blacklist what you never load.
The Linux kernel loads modules — drivers and features — on demand, and by default it can autoload a wide range of them when a matching device or protocol appears. That flexibility is attack surface: obscure filesystem and network-protocol modules have contained vulnerabilities, and an attacker who can trigger the load of a buggy module can exploit it. Hardening means blacklisting the modules you will never legitimately need so the kernel refuses to load them.
# uncommon filesystems no server needs — refuse to load theminstall cramfs /bin/trueinstall freevxfs /bin/trueinstall jffs2 /bin/trueinstall udf /bin/true# obscure network protocols with a history of CVEsinstall dccp /bin/trueinstall sctp /bin/trueinstall rds /bin/trueinstall tipc /bin/true
How the blacklist works
The install <module> /bin/true trick tells modprobe that "loading" the module means running /bin/true (which does nothing and succeeds), so the real module never loads even if something requests it. This is more robust than the older blacklist keyword, which only prevents autoloading by alias but still allows explicit modprobe. The CIS benchmarks list exactly which filesystem and protocol modules to disable; the list above is the common core.
Lock module loading down further
On the highest-assurance systems you can go beyond blacklisting to disabling module loading entirely after boot: kernel.modules_disabled = 1 makes the running kernel refuse to load any new module until reboot, so an attacker with root still cannot insert a malicious kernel module (a rootkit). It is a strong control — nothing loads afterward, including things you might legitimately want — so it suits appliances and locked-down hosts more than general servers, but it closes the kernel-module rootkit path completely.
$ lsmod # what is currently loaded$ modprobe -n -v dccp # dry-run: would it load? (shows /bin/true if blacklisted)# the nuclear option (no more module loading until reboot):$ echo 'kernel.modules_disabled = 1' | sudo tee /etc/sysctl.d/99-lockdown.conf