STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

DISA Rule

SV-208910r603263_rule

Vulnerability Number

V-208910

Group Title

SRG-OS-000064

Rule Version

OL6-00-000202

Severity

CAT II

CCI(s)

• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events:

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Check Contents

To determine if the system is configured to audit execution of module management programs, run the following commands:

sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules

If "/sbin/insmod" is not being audited, this is a finding.

If "/sbin/rmmod" is not being audited, this is a finding.

If "/sbin/modprobe" is not being audited, this is a finding.

To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command:

$ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules

-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding.

If the system is not configured to audit "init_module" this is a finding.

If the system is not configured to audit "delete_module", this is a finding.

If no line is returned, this is a finding.

Vulnerability Number

V-208910

Documentable

False

Rule Version

OL6-00-000202

Severity Override Guidance

To determine if the system is configured to audit execution of module management programs, run the following commands:

sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules

If "/sbin/insmod" is not being audited, this is a finding.

If "/sbin/rmmod" is not being audited, this is a finding.

If "/sbin/modprobe" is not being audited, this is a finding.

To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command:

$ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules

-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding.

If the system is not configured to audit "init_module" this is a finding.

If the system is not configured to audit "delete_module", this is a finding.

If no line is returned, this is a finding.

Check Content Reference

M

Target Key

2928

Comments