====== 4.1.17 Ensure kernel module loading and unloading is collected (Scored) ======

=====Profile Applicability=====

<code>
Level 2 - Server
Level 2 - Workstation
</code>

=====Description=====

Monitor the loading and unloading of kernel modules. The programs ''insmod'' (install a kernel module), ''rmmod'' (remove a kernel module), and ''modprobe'' (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The ''init_module'' (load a module) and ''delete_module'' (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".

=====Rationale=====

Monitoring the use of ''insmod'', ''rmmod'' and ''modprobe'' could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the ''init_module'' and ''delete_module'' system calls would reflect an unauthorized user attempting to use a different program to load and unload modules.
=====Audit=====

On a 32-bit system run the following command and verify the output matches:

<Code:bash>
# grep modules /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b32 -S init_module -S delete_module -k modules
</Code>

On a 64-bit system run the following command and verify the output matches:

<Code:bash>
# grep modules /etc/audit/audit.rules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b64 -S init_module -S delete_module -k modules
</Code>

=====Remediation=====

For 32-bit systems add the following lines to the ''/etc/audit/audit.rules'' file:

<Code:bash>
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b32 -S init_module -S delete_module -k modules
</Code>

For 64-bit systems add the following lines to the ''/etc/audit/audit.rules'' file:

<Code:bash>
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit arch=b64 -S init_module -S delete_module -k modules
</Code>

centos7/4/1/17.txt · Last modified: 2017/05/04 18:15 by 127.0.0.1
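The Audit step above is a manual eyeball comparison of ''grep'' output. As an added example (not part of the CIS benchmark text or this wiki page), the POSIX shell script below turns that comparison into a pass/fail check: ''check_module_rules'' looks for each of the four required lines in a rules file for a given audit architecture and reports any that are missing. The rules file path is a parameter, the ''audit_arch'' helper assumes an x86 machine (''b64'' for ''x86_64'', ''b32'' otherwise), and the sample rules file at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or this page: check an audit
# rules file for the four "modules" rules required by item 4.1.17.
# Assumptions: the rules file path is passed in by the caller; the sample
# file below is constructed for the demo; x86 only (b64 on x86_64, b32 otherwise).

# audit_arch -> "b64" on x86_64, "b32" on any other machine (x86-only assumption)
audit_arch() {
  case "$(uname -m)" in
    x86_64) echo b64 ;;
    *)      echo b32 ;;
  esac
}

# check_module_rules FILE ARCH
#   Returns 0 when every required rule appears as a whole line in FILE,
#   1 otherwise, printing each missing rule. The match is exact (grep -Fx),
#   mirroring the benchmark's "verify the output matches" instruction.
check_module_rules() {
  file="$1"
  arch="$2"
  missing=0
  for rule in \
    '-w /sbin/insmod -p x -k modules' \
    '-w /sbin/rmmod -p x -k modules' \
    '-w /sbin/modprobe -p x -k modules' \
    "-a always,exit arch=$arch -S init_module -S delete_module -k modules"
  do
    # "--" stops grep from treating the rule (which starts with "-") as an option
    if ! grep -Fxq -- "$rule" "$file"; then
      echo "missing: $rule"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Constructed sample rules file: the 64-bit set with the modprobe watch left out,
# so the check reports exactly one missing rule.
sample_rules="$(mktemp)"
cat > "$sample_rules" <<'EOF'
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-a always,exit arch=b64 -S init_module -S delete_module -k modules
EOF

# Demo run; against a real host you would pass /etc/audit/audit.rules and "$(audit_arch)".
if check_module_rules "$sample_rules" b64; then
  echo "4.1.17: all module rules present"
else
  echo "4.1.17: rules missing; add the lines from the Remediation section"
fi
```

Two caveats when using this on a real host: the match is whole-line and whitespace-sensitive, so a rule written with different spacing fails the check even though auditd would accept it, and ''auditctl -l'' prints the loaded ruleset in its own normalised form, so compare against the rules file rather than the live listing. On CentOS 7, where ''augenrules'' regenerates ''/etc/audit/audit.rules'' from ''/etc/audit/rules.d/*.rules'', the remediation lines belong in a file under ''rules.d'' so they survive the next regeneration.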