Configure auditing of loading and unloading of kernel modules

An XCCDF Rule

Description

Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above:

## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.

ID: xccdf_org.ssgproject.content_rule_audit_module_load
Severity: Medium
References: AU-2(a)

FAU_GEN.1.1.c

SRG-OS-000471-GPOS-00216 SRG-OS-000475-GPOS-00220 SRG-OS-000477-GPOS-00222
Updated: 5 days ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
EOF

chmod o-rwx /etc/audit/rules.d/43-module-load.rules

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-2(a)
  - audit_module_load  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy
  copy:
    dest: /etc/audit/rules.d/43-module-load.rules
    content: |
      ## These rules watch for kernel module insertion. By monitoring
      ## the syscall, we do not need any watches on programs.
      -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b32 -S delete_module -F key=module-unload
      -a always,exit -F arch=b64 -S delete_module -F key=module-unload
    force: true
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-AU-2(a)
  - audit_module_load
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove any permissions from other group
  file:
    path: /etc/audit/rules.d/43-module-load.rules
    mode: o-rwx
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-AU-2(a)
  - audit_module_load
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure auditing of loading and unloading of kernel modules

Description

Rationale

Remediation - Shell Script

Remediation - Ansible