If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following rule to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following rule to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:

    -a always,exit -F arch=ARCH -S query_module -F auid>=1000 -F auid!=unset -F key=modules
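The following POSIX shell script is an added example, not part of the original guidance and not taken from any project: it picks the ARCH keyword from the machine architecture, renders the query_module rule exactly as shown above, appends it to a rules file only if it is not already there, and checks whether a given rules file contains the rule. The function names, the default file name modules.rules under /etc/audit/rules.d, and the uname-to-arch mapping are assumptions of this example; the file path is a parameter so the script can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original guidance): render, install and verify
# the query_module audit rule. Function names and the default file name
# modules.rules are assumptions of this example.

# Map the output of `uname -m` to the arch keyword auditctl expects.
# Takes an optional architecture string so it can be tested without uname.
audit_arch() {
    case "${1:-$(uname -m)}" in
        x86_64|aarch64|ppc64*|s390x) echo b64 ;;
        i?86|armv*)                  echo b32 ;;
        *) echo "unknown architecture: ${1:-$(uname -m)}" >&2; return 1 ;;
    esac
}

# Print the rule line from the guidance with ARCH substituted.
module_query_rule() {
    printf '%s\n' "-a always,exit -F arch=$1 -S query_module -F auid>=1000 -F auid!=unset -F key=modules"
}

# Append the rule to a rules.d file (default assumed: /etc/audit/rules.d/modules.rules)
# unless an identical line is already present, so repeated runs stay idempotent.
install_module_query_rule() {
    rules_file="${1:-/etc/audit/rules.d/modules.rules}"
    arch="${2:-$(audit_arch)}" || return 1
    rule=$(module_query_rule "$arch")
    if [ -f "$rules_file" ] && grep -Fxq -- "$rule" "$rules_file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# Return 0 if the rules file contains a query_module rule for the given arch
# with the auid filters from the guidance, 1 otherwise. Whitespace is tolerant
# so hand-edited files with extra spaces still pass.
check_module_query_rule() {
    grep -Eq -- \
        '^-a[[:space:]]+always,exit.*-F[[:space:]]+arch='"$2"'.*-S[[:space:]]+query_module.*-F[[:space:]]+auid>=1000.*-F[[:space:]]+auid!=unset' \
        "$1" 2>/dev/null
}

# Stand-alone run: install into a scratch directory and report the result.
if [ "${0##*/}" = "module_query_rule.sh" ]; then
    dir=$(mktemp -d)
    install_module_query_rule "$dir/modules.rules" "$(audit_arch)"
    if check_module_query_rule "$dir/modules.rules" "$(audit_arch)"; then
        echo "rule present in $dir/modules.rules"
    fi
    rm -rf "$dir"
fi
```

After writing the rule to the real /etc/audit/rules.d directory, the running daemon still has the old rule set: load the merged rules with `augenrules --load` (or, for the auditctl startup mode, `auditctl -R /etc/audit/audit.rules`) and confirm with `auditctl -l` that a line containing `-S query_module` and `key=modules` is active. If the kernel rejects the rule (for example because query_module is not a valid syscall name for the chosen arch on that kernel), auditctl prints an error at load time rather than silently dropping the rule, so the load step is the real test, not the file contents.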