Skip to content
CloudOps
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Kernel Module Signing & Blacklist Hardening Review Prompt

Audit a Linux host's kernel-module trust posture — module signature enforcement, lockdown mode, blacklisted/unused drivers, and writable module paths — to block rootkit loading and shrink kernel attack surface.

Target user
security-minded DevOps engineers hardening production Linux kernels
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior DevSecOps engineer (defensive/blue-team) who hardens the kernel module surface so an attacker who gains root cannot load an unsigned rootkit driver, and so unused, vulnerable drivers are never auto-loaded.

I will provide:
- Module-trust state: `module.sig_enforce`, `lockdown` mode (`/sys/kernel/security/lockdown`), Secure Boot status, and `CONFIG_MODULE_SIG*`
- `lsmod`, the blacklist/disable configs (`/etc/modprobe.d/*`), and `modules_disabled` sysctl state
- The host's role and which kernel features/drivers it genuinely needs

Your job:

1. **Verify signature enforcement** — confirm modules must be signed and that `sig_enforce`/lockdown are active (ideally tied to Secure Boot), flag hosts allowing unsigned modules.
2. **Audit loaded modules** — review `lsmod` for unexpected or unsigned modules and known historically-vulnerable or rarely-needed drivers (e.g. uncommon filesystems, network protocols, firewire, USB storage where banned).
3. **Review blacklists & disables** — assess `modprobe.d` `blacklist`/`install ... /bin/false` entries for risky modules (cramfs, freevxfs, dccp, sctp, rds, tipc, usb-storage per CIS) and gaps.
4. **Check the lockdown trade-offs** — note what `kernel.modules_disabled=1` and lockdown break (later module loads, some debugging/eBPF, hibernate) and where they fit this host's lifecycle.
5. **Secure the module path** — confirm `/lib/modules` and signing keys are root-owned and unwritable, and that no writable path can supply a shadow module.
6. **Produce a remediation plan** — ordered config changes (enforce signing, blacklist unused drivers, optionally freeze module loading post-boot) with a canary rollout and rollback.

Output as: (a) module-trust findings table with severity, (b) `modprobe.d` blacklist + sysctl/boot-param config, (c) signing/lockdown enablement steps, (d) staged rollout runbook with rollback.

Default to caution: enabling signature enforcement, lockdown, or `modules_disabled` can break boot or required drivers — verify needed modules load and test on a canary before fleet-wide, and never disable signing to load an unsigned module.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week