Skip to content

Configure auditing of loading and unloading of kernel modules (ppc64le)

An XCCDF Rule

Description

Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above:

## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S delete_module -F key=module-unload    
Load new Audit rules into kernel by running:
augenrules --load

Rationale

Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.

ID
xccdf_org.ssgproject.content_rule_audit_module_load_ppc64le
Severity
Medium
References
Updated



Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Ansible

- name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy
  copy:
    dest: /etc/audit/rules.d/43-module-load.rules
    content: |
      ## These rules watch for kernel module insertion. By monitoring
      ## the syscall, we do not need any watches on programs.

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -q ppc64le /proc/sys/kernel/osrelease; }; then

cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.