GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Remove exists'

Information

Actions concerning dynamic kernel modules must be audited because they are significant security events. Dynamic kernel modules increase the attack surface of a system: a malicious kernel module can substantially alter the functioning of the system, often with the purpose of hiding a compromise from the SA. Recording the load and unload events gives the SA a trail to detect such activity.

Solution

Configure the system to audit the loading and unloading of dynamic kernel modules.
Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events.
Edit /etc/security/audit/config and add the same six events (DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove) to an audit class in the classes: stanza.
In the same /etc/security/audit/config, assign the audit class that contains those events to every user listed in the users: stanza (including the default entry, so that users not named explicitly are covered as well).
Restart auditing (audit shutdown, then audit start) so the changed configuration takes effect. Note that this check only confirms that DEV_Remove is defined in /etc/security/audit/events; the class and user assignments in /etc/security/audit/config must be verified separately.
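The following shell script is an added example of how the three steps above can be verified together on a host; it is not part of this plugin or of AIX. It parses the stanza layout of /etc/security/audit/events and /etc/security/audit/config ("stanza:" header followed by "name = value" lines), checks that every required event is defined, finds an audit class that lists all of them, and reports any entry in the users: stanza that is not assigned that class. The sample files it writes are constructed for the demonstration, and their printf format strings are illustrative, not copied from a real AIX events file.

```shell
#!/bin/sh
# Added example check for GEN002825 (not Tenable's plugin code, not AIX code).
# ASSUMPTION: both files use the AIX stanza layout, "stanza:" then indented
# "name = value" lines; class and user lists are comma separated on one line.

REQUIRED_EVENTS="DEV_Create FILE_Mknod DEV_Configure DEV_Stop DEV_Unconfigure DEV_Remove"

# 0 if every required event has a "EVENT = ..." definition line; prints what is missing.
events_defined() {  # events_defined <events_file>
    ok=0
    for ev in $REQUIRED_EVENTS; do
        grep -q "^[ 	]*${ev}[ 	]*=" "$1" || { echo "missing event definition: $ev"; ok=1; }
    done
    return $ok
}

# Print the "name = value" entries of one stanza as "name=value", whitespace stripped from value.
stanza_entries() {  # stanza_entries <file> <stanza>
    awk -v want="$2:" '
        /^[A-Za-z_]+:[ \t]*$/ { in_st = ($1 == want); next }
        in_st && /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=/, "", val);   gsub(/[ \t]/, "", val)
            print name "=" val
        }
    ' "$1"
}

# Print the first class in the classes: stanza whose list contains every required event.
class_covering_events() {  # class_covering_events <config_file>
    stanza_entries "$1" classes | while read -r entry; do
        name=${entry%%=*}; val=${entry#*=}
        for ev in $REQUIRED_EVENTS; do
            case ",$val," in *",$ev,"*) ;; *) continue 2 ;; esac
        done
        echo "$name"; break
    done
}

# Print every user in the users: stanza that is NOT assigned the given class.
users_missing_class() {  # users_missing_class <config_file> <class>
    stanza_entries "$1" users | while read -r entry; do
        name=${entry%%=*}; val=${entry#*=}
        case ",$val," in *",$2,"*) ;; *) echo "$name" ;; esac
    done
}

# Whole check: returns 0 when compliant, 1 after printing each finding.
check_gen002825() {  # check_gen002825 <events_file> <config_file>
    rc=0
    events_defined "$1" || rc=1
    cls=$(class_covering_events "$2")
    if [ -z "$cls" ]; then
        echo "no class in $2 contains all of: $REQUIRED_EVENTS"
        return 1
    fi
    for u in $(users_missing_class "$2" "$cls"); do
        echo "user '$u' is not assigned class '$cls'"; rc=1
    done
    return $rc
}

# Constructed sample files (illustrative content, not from a real host): a compliant
# pair and a non-compliant pair (DEV_Remove undefined; default user lacks the class).
write_samples() {  # write_samples <dir>
    cat > "$1/events" <<'EOF'
auditpr:
        FILE_Mknod = printf "mode: %o dev: %d filename: %s"
        DEV_Create = printf "%s"
        DEV_Configure = printf "%s"
        DEV_Stop = printf "%s"
        DEV_Unconfigure = printf "%s"
        DEV_Remove = printf "%s"
EOF
    grep -v DEV_Remove "$1/events" > "$1/events.bad"
    cat > "$1/config" <<'EOF'
start:
        binmode = on
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink
        kernel = DEV_Create,FILE_Mknod,DEV_Configure,DEV_Stop,DEV_Unconfigure,DEV_Remove
users:
        root = general,kernel
        default = general,kernel
EOF
    sed 's/^\([ 	]*default = \).*/\1general/' "$1/config" > "$1/config.bad"
}

# Demo run: "sh check.sh --demo"; on a live host call
# check_gen002825 /etc/security/audit/events /etc/security/audit/config
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    check_gen002825 "$d/events" "$d/config" && echo "sample config: compliant"
    check_gen002825 "$d/events.bad" "$d/config.bad" || echo "sample bad config: findings above"
fi
```

Run it with --demo to see both the compliant and the non-compliant sample pair evaluated; on a real AIX host point check_gen002825 at the live files instead. The script reads only; it does not modify the audit configuration.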

See Also

http://iasecontent.disa.mil/stigs/zip/U_STIG_Library_2015_07.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2d., CAT|II, CCI|CCI-000126, Rule-ID|SV-38858r1_rule, STIG-ID|GEN002825, Vuln-ID|V-22383

Plugin: Unix

Control ID: 36c7cfc0f77d3d782b9a905b35a7ad5021ae3e51dbd03849b92e2ea12b7f7583