PHTN-40-000175 - The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.

Information

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222

Solution

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

Item Details

Audit Name: DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1

Category: AUDIT AND ACCOUNTABILITY

Plugin: Unix

Control ID: 16c1cf9f0b43ce036b7aaf31ee1e3c090eac0fff90fae865b2850cfee0d5bcd1

Detections

Analytics

PHTN-40-000175 - The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.

Information

Solution

See Also

Item Details