Differences
This shows you the differences between two versions of the page.
| — |
centos7:4:1:17 [2017/05/04 16:15] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== 4.1.17 Ensure kernel module loading and unloading is collected (Scored) ====== | ||
| + | =====Profile Applicability===== | ||
| + | <code> | ||
| + | Level 2 - Server | ||
| + | Level 2 - Workstation | ||
| + | </code> | ||
| + | =====Description===== | ||
| + | Monitor the loading and unloading of kernel modules. The programs ''insmod'' (install a kernel module), ''rmmod'' (remove a kernel module), and ''modprobe'' (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The ''init_module'' (load a module) and ''delete_module'' (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules". | ||
| + | =====Rationale===== | ||
| + | Monitoring the use of ''insmod'', ''rmmod'' and ''modprobe'' could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the ''init_module'' and ''delete_module'' system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. | ||
| + | =====Audit===== | ||
| + | On a 32 bit system run the following command and verify the output matches: | ||
| + | <Code:bash> | ||
| + | # grep modules /etc/audit/audit.rules | ||
| + | -w /sbin/insmod -p x -k modules | ||
| + | -w /sbin/rmmod -p x -k modules | ||
| + | -w /sbin/modprobe -p x -k modules | ||
| + | -a always,exit arch=b32 -S init_module -S delete_module -k modules | ||
| + | </Code> | ||
| + | On a 64 bit system run the following command and verify the output matches: | ||
| + | <Code:bash> | ||
| + | # grep modules /etc/audit/audit.rules | ||
| + | -w /sbin/insmod -p x -k modules | ||
| + | -w /sbin/rmmod -p x -k modules | ||
| + | -w /sbin/modprobe -p x -k modules | ||
| + | -a always,exit arch=b64 -S init_module -S delete_module -k modules | ||
| + | </Code> | ||
| + | =====Remediation===== | ||
| + | For 32 bit systems add the following lines to the ''/etc/audit/audit.rules'' file: | ||
| + | <Code:bash> | ||
| + | -w /sbin/insmod -p x -k modules | ||
| + | -w /sbin/rmmod -p x -k modules | ||
| + | -w /sbin/modprobe -p x -k modules | ||
| + | -a always,exit arch=b32 -S init_module -S delete_module -k modules | ||
| + | </Code> | ||
| + | For 64 bit systems add the following lines to the ''/etc/audit/audit.rules'' file: | ||
| + | <Code:bash> | ||
| + | -w /sbin/insmod -p x -k modules | ||
| + | -w /sbin/rmmod -p x -k modules | ||
| + | -w /sbin/modprobe -p x -k modules | ||
| + | -a always,exit arch=b64 -S init_module -S delete_module -k modules | ||
| + | </Code> | ||
