How to Disable Unused Kernel Drivers for Security on FreeBSD Operating System

Learn how to identify and disable unused kernel drivers on FreeBSD to enhance system security.

Introduction

Security is a critical aspect of maintaining any operating system, and FreeBSD provides various tools and configurations to harden the system. One of the key ways to enhance security is by disabling unused kernel drivers. Kernel drivers, also known as kernel modules, are pieces of code that extend the functionality of the FreeBSD kernel. However, leaving unnecessary drivers enabled can increase the attack surface, making the system vulnerable to exploits and unauthorized access.

This article provides a step-by-step guide on how to identify and disable unused kernel drivers on FreeBSD to enhance system security.

Understanding Kernel Drivers in FreeBSD

FreeBSD includes a modular kernel that allows for dynamic loading and unloading of drivers as needed. Kernel drivers can be compiled directly into the kernel or loaded as modules at runtime.

There are two types of kernel drivers in FreeBSD:

  1. Static kernel drivers – These are compiled into the kernel and cannot be unloaded dynamically.
  2. Loadable kernel modules (LKMs) – These can be dynamically loaded and unloaded as needed.

Disabling unused drivers reduces the risk of security vulnerabilities by eliminating unneeded code that could be exploited.

Step 1: Identify Loaded Kernel Modules

Before disabling kernel drivers, you need to determine which ones are currently loaded. Use the following command:

kldstat

This command lists all currently loaded kernel modules. The output will look similar to this:

Id Refs Address    Size     Name
 1    7 0xffffffff80200000 2a19b80 kernel
 2    1 0xffffffff82a1b000 39f8    geom_label.ko
 3    1 0xffffffff82a1f000 2930    if_bridge.ko
 4    1 0xffffffff82a22000 3b38    bridgestp.ko

From this list, identify modules that are not needed for your system.

Step 2: Determine the Purpose of Each Module

Each module serves a different purpose, and it is essential to ensure that you are not disabling critical functionality. To get more information about a specific module, use:

man 4 <module_name>

or

kldstat -v | grep <module_name>

For example, to check information about the if_bridge.ko module:

man 4 if_bridge

This will provide a description of the module’s function.

Step 3: Unload Unused Kernel Modules Temporarily

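To test whether a module is truly unnecessary, you can unload it temporarily. Unloading requires root privileges:

sudo kldunload <module_name>

For example, to unload the if_bridge.ko module:

sudo kldunload if_bridge

The unload lasts only until the module is loaded again or the system reboots, and kldunload refuses to remove a module that is still in use. If the system remains stable and no essential services break, you can consider permanently disabling the module.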

Step 4: Prevent Unused Modules from Loading at Boot

Kernel modules in FreeBSD are usually loaded at boot time through the /boot/loader.conf file. To prevent a module from being loaded automatically, edit this file:

sudo vi /boot/loader.conf

Find the entry related to the module and comment it out or remove it. For example, if you have:

if_bridge_load="YES"

Change it to:

# if_bridge_load="YES"

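Save the file and exit. This stops the boot loader from loading the module at the next reboot. The module can still be loaded later through /etc/rc.conf (Step 5) or by an explicit kldload, so check those paths as well.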

Step 5: Disable Modules via rc.conf

Some modules are loaded via /etc/rc.conf. To prevent them from being loaded, check your configuration:

grep kld_list /etc/rc.conf

If you see a module listed, you can remove it by editing the file:

sudo vi /etc/rc.conf

Look for a line like:

kld_list="if_bridge geom_label"

Remove the module name that you do not need:

kld_list="geom_label"

Save and close the file.

Step 6: Rebuild the Kernel Without Unneeded Drivers (Advanced)

For those who want an extra level of control and efficiency, recompiling the kernel without unnecessary drivers is an option. This method is more complex and should be approached with caution.

6.1 Edit Kernel Configuration File

Navigate to the kernel configuration directory:

cd /usr/src/sys/amd64/conf  # Adjust for your architecture

Copy the default kernel configuration to a new custom configuration:

sudo cp GENERIC MYKERNEL

Edit the file:

sudo vi MYKERNEL

Find and remove or comment out lines related to drivers you do not need. For example, to disable support for the if_bridge module, find the corresponding line:

device  if_bridge

and comment it out:

#device  if_bridge

6.2 Build and Install the Custom Kernel

Compile the new kernel:

cd /usr/src
sudo make buildkernel KERNCONF=MYKERNEL

Once the compilation is complete, install the new kernel:

sudo make installkernel KERNCONF=MYKERNEL

Reboot the system:

sudo reboot

After rebooting, verify that the unwanted drivers are no longer loaded:

kldstat

Step 7: Monitor and Maintain Kernel Security

After disabling unused drivers, regularly audit your system to ensure that no unnecessary modules have been re-enabled. You can use:

kldstat

to check loaded modules and verify your configurations.
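The following script automates that audit together with the configuration checks from Steps 4 and 5. It is an added example, not part of the original article: the ALLOWED baseline and the function names are assumptions, and the sample loader.conf and rc.conf contents are constructed from the snippets shown above.

```shell
#!/bin/sh
# Added example: report loaded or boot-configured modules outside a baseline.
# ALLOWED is a hypothetical site allowlist; the SAMPLE_* inputs are constructed.
ALLOWED="kernel geom_label"

SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    7 0xffffffff80200000 2a19b80 kernel
 2    1 0xffffffff82a1b000 39f8    geom_label.ko
 3    1 0xffffffff82a1f000 2930    if_bridge.ko
 4    1 0xffffffff82a22000 3b38    bridgestp.ko'
SAMPLE_LOADER='# if_bridge_load="YES"
geom_label_load="YES"'
SAMPLE_RC='kld_list="if_bridge geom_label"'

# kldstat text on stdin -> module names (header skipped, .ko stripped).
loaded_modules() {
    awk 'NR > 1 && NF >= 5 { sub(/\.ko$/, "", $5); print $5 }'
}

# loader.conf text on stdin -> names with an uncommented name_load="YES".
loader_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_load="[Yy][Ee][Ss]".*/\1/p'
}

# rc.conf text on stdin -> names in kld_list (paths and .ko stripped).
rc_modules() {
    sed -n 's/^[[:space:]]*kld_list="\([^"]*\)".*/\1/p' |
        tr -s ' \t' '\n\n' | sed -e '/^$/d' -e 's|.*/||' -e 's/\.ko$//'
}

# Names on stdin -> only those missing from $ALLOWED.
not_allowed() {
    while read -r m; do
        case " $ALLOWED " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# audit KLDSTAT_TEXT LOADER_TEXT RC_TEXT -> one "source: module" line per finding.
audit() {
    printf '%s\n' "$1" | loaded_modules | not_allowed | sed 's/^/loaded: /'
    printf '%s\n' "$2" | loader_modules | not_allowed | sed 's/^/loader.conf: /'
    printf '%s\n' "$3" | rc_modules | not_allowed | sed 's/^/rc.conf: /'
}
# On FreeBSD: audit "$(kldstat)" "$(cat /boot/loader.conf)" "$(cat /etc/rc.conf)"
audit "$SAMPLE_KLDSTAT" "$SAMPLE_LOADER" "$SAMPLE_RC"
```

An empty result means every loaded and boot-configured module is in the baseline; any line printed names the place where an unexpected module was found.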

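Additionally, keeping your FreeBSD system up to date with security patches helps mitigate potential vulnerabilities associated with kernel modules. Note that freebsd-update updates only the GENERIC kernel, so a custom kernel built in Step 6 must be rebuilt and reinstalled after the update: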

sudo freebsd-update fetch install

Conclusion

Disabling unused kernel drivers in FreeBSD is a crucial step in improving system security by reducing the attack surface. By identifying unnecessary modules, unloading them, and preventing them from loading at boot, you can significantly enhance your system’s security posture. For advanced users, recompiling the kernel without unneeded drivers provides an even greater level of security and performance optimization. Regular system audits and updates ensure that your FreeBSD system remains secure and efficient over time.