Configure auditing of loading and unloading of kernel modules
An XCCDF Rule
Description
Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above:
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
Both init_module and finit_module are monitored because current modprobe and insmod load modules by file descriptor through finit_module, so a rule on init_module alone would miss them. Load the new audit rules into the kernel by running:
augenrules --load
If the audit configuration has been made immutable (-e 2), the new rules take effect only after a reboot.
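A practitioner usually wants to verify the rules are actually in place rather than trust that the file was written. The shell check below is an added example, not part of the SCAP Security Guide content: it scans one or more audit rules files (or the saved output of `auditctl -l`) and reports which of the six (arch, syscall) pairs required by this rule are not covered by an "always,exit" syscall rule. The sample rules file it writes is constructed from the rules on this page; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the SSG rule content): verify that the module
# load/unload syscall rules from this page are present, either in the rules
# files under /etc/audit/rules.d/ or in the rules currently loaded in the
# kernel (the output of `auditctl -l`, saved to a file).

# check_module_audit_rules FILE...
# Returns 0 when every (arch, syscall) pair below is covered by an
# "-a always,exit" (or "-a exit,always") rule in the given file(s); otherwise
# prints the missing pairs on stderr and returns 1. The syscall list may name
# several syscalls ("-S init_module,finit_module"), and "-F arch=" must
# precede "-S", which is also what auditctl requires. The rule key
# (-F key=... / -k ...) is not checked here.
check_module_audit_rules() {
    missing=0
    for spec in "b32 init_module" "b32 finit_module" "b32 delete_module" \
                "b64 init_module" "b64 finit_module" "b64 delete_module"; do
        arch=${spec%% *}
        sc=${spec##* }
        # The optional groups around $sc allow the syscall to sit anywhere in a
        # comma-separated -S list without matching "init_module" inside
        # "finit_module".
        pat="^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)[[:space:]].*-F[[:space:]]+arch=$arch[[:space:]].*-S[[:space:]]+([^[:space:]]*,)?$sc(,[^[:space:]]*)?([[:space:]]|\$)"
        if ! grep -E -q "$pat" "$@"; then
            echo "missing audit rule: arch=$arch syscall=$sc" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the rules file this page tells you to create.
write_sample_rules() {
    cat > "$1" <<'EOF'
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
EOF
}

# Self-contained demonstration against the constructed file. On a real host:
#   check_module_audit_rules /etc/audit/rules.d/*.rules
# and, for the rules actually in effect in the kernel:
#   auditctl -l > /tmp/loaded.rules && check_module_audit_rules /tmp/loaded.rules
sample=$(mktemp)
write_sample_rules "$sample"
if check_module_audit_rules "$sample"; then
    echo "module load/unload audit rules present in $sample"
fi
rm -f "$sample"
```

Checking the `auditctl -l` output, not only the files under /etc/audit/rules.d/, is the step that matters operationally: a rules file that was written but never loaded (or rejected by augenrules) produces no events.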
Rationale
Loading a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and can perform actions at the operating system kernel level. Auditing such events helps in monitoring and investigating malicious activity.
- ID
- xccdf_org.ssgproject.content_rule_audit_module_load
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy
  copy:
    dest: /etc/audit/rules.d/43-module-load.rules
    content: |
      ## These rules watch for kernel module insertion. By monitoring
      ## the syscall, we do not need any watches on programs.
      -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b32 -S delete_module -F key=module-unload
      -a always,exit -F arch=b64 -S delete_module -F key=module-unload
Remediation - Shell Script
# Remediation is applicable only in certain platforms (skipped inside
# Docker/Podman containers, which share the host kernel and its audit rules)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
EOF
fi