RHEL-06-000202 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - /sbin/insmod.

Information

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Solution

Add the following to '/etc/audit/audit.rules' in order to capture kernel module loading and unloading events:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-217980r603264_rule, STIG-ID|RHEL-06-000202, STIG-Legacy|SV-50381, STIG-Legacy|V-38580, Vuln-ID|V-217980

Plugin: Unix

Control ID: ac5f191baee744da591a78fba7244a1f4a80d44b3d934250a6b7fb0a686d102e