diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index b6f5657..3bcfe65 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -361,6 +361,7 @@ There are a few things in this config to keep in mind: - Bluetooth is disabled. Comment out the `install bluetooth` and `install btusb` lines to use Bluetooth. - Thunderbolt is disabled. Comment out the `install thunderbolt` line to use Thunderbolt devices. +- The `cdrom` and `sr_mod` modules are merely _blacklisted_; they can still be loaded at runtime with `modprobe`. If you have no intention to ever use CD‑ROM devices, they should be _disabled_ by replacing `blacklist` with `install` for the lines with the aforementioned modules. ([More about how this works on the ArchWiki](https://wiki.archlinux.org/title/Kernel_module#Using_files_in_/etc/modprobe.d/_2)) - Apple filesystems are disabled. While generally fine on non‑Apple systems, if you are using an Apple device you **must** check the filesystem of your EFI partition and comment out the relevant `install` line, otherwise your Linux install will not boot. For example, comment out the `install hfsplus` line if your ESP filesystem is HFS+. #### Restricting access to /proc and /sys
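Review bot: In the added `cdrom`/`sr_mod` bullet, "replacing `blacklist` with `install`" is underspecified. A modprobe.d `install` directive takes the module name followed by a command to run instead of loading the module, so a literal keyword swap turns `blacklist cdrom` into `install cdrom` with no command. Suggest spelling out the full replacement lines in the same form as the config's existing `install bluetooth` and `install thunderbolt` entries, for example `install cdrom /bin/false` and `install sr_mod /bin/false` (use whatever command the config's other `install` lines already use). It would also help to state the difference in the bullet itself: `blacklist` only stops alias-based automatic loading, while an `install` override also intercepts explicit `modprobe` calls. Finally, the ArchWiki link depends on an auto-numbered anchor (`..._2`) that may break if that page's headings change, so naming the target section in the link text would make it easier to find.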