Detections
Analytics

5.2.3.19 Ensure kernel module loading unloading and modification is collected

Information

Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links.

The following system calls control loading and unloading of modules:

init_module - load a module

finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided)

delete_module - delete a module

create_module - create a loadable module entry

query_module - query the kernel for various bits pertaining to modules

Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules.

Rationale:

Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system.

Solution

Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification.

64 Bit systems

Example:

# {
UID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)
[ -n '${UID_MIN}' ] && printf '
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
' >> /etc/audit/rules.d/50-kernel_modules.rules || printf 'ERROR: Variable 'UID_MIN' is unset.
'
}

Load audit rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi

Additional Information:

Potential reboot required

If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.

System call structure

For performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 1f31a7832083413ceeb9e7d1cbbe91c27aab749fbcec67e42233e80e1a7dc825