4.1.17 Ensure kernel module loading and unloading is collected - auditctl modprobe

Information

Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.

Solution

For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b32 -S init_module -S delete_module -k modules

For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b64 -S init_module -S delete_module -k modules

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|3

Plugin: Unix

Control ID: c78d9f1e5bcc398fbf4ad8e464ecb33b226f2144629f931703ca6c450aff7f26