OL6-00-000202 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - insmod

Information

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Solution

Add the following to '/etc/audit/audit.rules' in order to capture kernel module loading and unloading events:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k modules

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_6_V2R7_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-208910r810473_rule, STIG-ID|OL6-00-000202, STIG-Legacy|SV-64751, STIG-Legacy|V-50545, Vuln-ID|V-208910

Plugin: Unix

Control ID: f47b93a5a81e38918da5d6be32e41c56c1ffb3cb898c3538ec604946a1b673a0