To capture kernel module loading and unloading events, add the following line, setting ARCH to
b32 on a 32-bit system. On a 64-bit system add the line twice, once with arch=b32 and once with arch=b64: the arch filter matches the syscall ABI, so a rule for b64 alone does not see a 32-bit (compat) process calling these syscalls.
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -F key=modules
Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with the suffix .rules in the directory /etc/audit/rules.d. At load time augenrules merges the files in that directory into /etc/audit/audit.rules, so on such a system edits made directly to /etc/audit/audit.rules are overwritten. If the auditd daemon is configured to use the auditctl utility instead, add the lines to the file /etc/audit/audit.rules.
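The following added shell example (not part of the original guidance) generates the rule lines for the architectures the running kernel needs and writes them into the augenrules directory. The function names, the file name modules.rules, and the rule that any machine type containing "64" gets both ABIs are assumptions made for this example; the rule text itself is the one given above.

```shell
#!/bin/sh
# Added example: generate and install auditd rules for kernel module
# load/unload syscalls. Assumes the augenrules layout (/etc/audit/rules.d).

# Print one rule line per architecture given (b32, b64).
module_audit_rules() {
  for arch in "$@"; do
    printf -- '-a always,exit -F arch=%s -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -F key=modules\n' "$arch"
  done
}

# Map the kernel machine type (uname -m) to the ABIs to audit.
# Assumption for this example: any 64-bit machine type also runs
# 32-bit compat binaries, so it needs both b32 and b64 rules.
audit_arches_for() {
  case "$1" in
    *64*) echo "b32 b64" ;;
    *)    echo "b32" ;;
  esac
}

# Write the rules to <rules_dir>/modules.rules (hypothetical file name).
# Arguments default to the real rules directory and the running kernel.
install_module_audit_rules() {
  rules_dir="${1:-/etc/audit/rules.d}"
  machine="${2:-$(uname -m)}"
  # shellcheck disable=SC2046  # word-splitting of "b32 b64" is intended
  module_audit_rules $(audit_arches_for "$machine") > "$rules_dir/modules.rules"
  chmod 0640 "$rules_dir/modules.rules"
}

# Usage as root on a live system:
#   install_module_audit_rules            # writes /etc/audit/rules.d/modules.rules
#   augenrules --load                     # merge rules.d into audit.rules and load
#   auditctl -l | grep -w key=modules     # confirm the rules are active
```

After loading, the auditctl -l check should list one rule per architecture with key=modules; if only the b64 line appears on a 64-bit host, the compat ABI is not being audited.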