GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/config DEV_Create exists'

Information

Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.

Solution

Configure the system to audit the loading and unloading of dynamic kernel modules.

Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events.

Edit /etc/security/audit/config and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove audit events to an audit class in the classes: stanza.

Edit the /etc/security/audit/config and assign the audit classes that has the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure and DEV_Remove events to the all users listed in the 'users:' stanza.

See Also

https://iasecontent.disa.mil/stigs/zip/U_AIX_6-1_V1R14_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2d., CAT|II, CCI|CCI-000126, Group-ID|V-22383, Rule-ID|SV-38858r1_rule, STIG-ID|GEN002825, Vuln-ID|V-22383

Plugin: Unix

Control ID: 7722e98efe9f1330e3e9b5ca8a1efbd0e39b9347c2c16e415fc92eb92867924e