Detections
Analytics
GEN002825 - System must be configured to audit load/unload dynamic kernel modules - '/etc/security/audit/events DEV_Stop exists'
Information
Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.Solution
Configure the system to audit the loading and unloading of dynamic kernel modules.Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events.
Edit /etc/security/audit/config and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove audit events to an audit class in the classes: stanza.
Edit the /etc/security/audit/config and assign the audit classes that has the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure and DEV_Remove events to the all users listed in the 'users:' stanza.
See Also
https://iasecontent.disa.mil/stigs/zip/U_AIX_6-1_V1R14_STIG.zip
Item Details
Audit Name: DISA STIG AIX 6.1 v1r14
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-2d., CAT|II, CCI|CCI-000126, Group-ID|V-22383, Rule-ID|SV-38858r1_rule, STIG-ID|GEN002825, Vuln-ID|V-22383
Plugin: Unix
Control ID: 7722e98efe9f1330e3e9b5ca8a1efbd0e39b9347c2c16e415fc92eb92867924e