New #HardenedBSD feature: completely disable loading kernel modules without having to set securelevel: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/690b00d48077d53934ae6ddaff8e935d7017d813
And here we see #HardenedBSD #hbsdfw with kernel module loading prohibited. All kernel modules must be loaded at early boot time (as specified in loader.conf(5)).
There's a bug with Unbound in the #OPNsense codebase that I need to track down. Otherwise, I'd publish this build.
While I plan to MFC this to #HardenedBSD 13-STABLE next month, I've included this in what will be the next build of #hbsdfw (HardenedBSD 13-STABLE + #OPNsense).
Once the OPNsense boot scripts finish, loading kernel modules will be prohibited.
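
A pre-lockdown check for the loader.conf(5) requirement mentioned in the thread, as an added example that is not code from the author or from HardenedBSD: it compares saved kldstat(8) output against loader.conf and lists modules that are loaded now but would not be loaded at boot. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report loaded modules that loader.conf(5) would not load at boot.
# Function names and sample data are constructed for illustration.

# Module names (without .ko) from kldstat(8) output on stdin.
loaded_modules() {
    awk 'NR > 1 && $NF ~ /\.ko$/ { sub(/\.ko$/, "", $NF); print $NF }' |
        LC_ALL=C sort -u
}

# Names enabled by an uncommented <name>_load="YES" line in loader.conf text on stdin.
boot_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_load="\{0,1\}[Yy][Ee][Ss].*$/\1/p' |
        LC_ALL=C sort -u
}

# $1 = saved kldstat output, $2 = loader.conf; prints modules loaded now but not at boot.
# Limitation: <name>_name= overrides and loader.conf.d fragments are not followed, and a
# reported module may be a dependency of a listed one, so review each name.
missing_at_boot() {
    tmp=$(mktemp -d) || return 1
    loaded_modules < "$1" > "$tmp/loaded"
    boot_modules < "$2" > "$tmp/boot"
    LC_ALL=C comm -23 "$tmp/loaded" "$tmp/boot"
    rm -rf "$tmp"
}

sample_kldstat() {   # constructed kldstat output
cat <<'EOF'
Id Refs Address                Size Name
 1   20 0xffffffff80200000  1f3e2d8 kernel
 2    1 0xffffffff82140000   5b9398 zfs.ko
 3    1 0xffffffff82700000     a448 if_bridge.ko
 4    1 0xffffffff8270b000     3218 pflog.ko
EOF
}

sample_loader_conf() {   # constructed loader.conf
cat <<'EOF'
zfs_load="YES"
#pflog_load="YES"
if_bridge_load="NO"
autoboot_delay="3"
EOF
}

# Demo on constructed samples. On a real host:
#   kldstat > /tmp/kld.txt && missing_at_boot /tmp/kld.txt /boot/loader.conf
demo=$(mktemp -d)
sample_kldstat > "$demo/kld.txt"
sample_loader_conf > "$demo/loader.conf"
missing_at_boot "$demo/kld.txt" "$demo/loader.conf"
rm -rf "$demo"
```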