{"description": "To capture kernel module loading and unloading events, use the following lines, setting ARCH to\nb32 on a 32-bit system, or adding two lines, one for b32 and one for b64, on a 64-bit system:\n<pre>\n-a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules\n</pre>\n\nWhere to add the lines depends on how the <tt>auditd</tt> daemon is configured. If it is configured\nto use the <tt>augenrules</tt> program (the default), add the lines to a file with the suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,\nadd the lines to the file <tt>/etc/audit/audit.rules</tt>.", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["audit_rules_kernel_module_loading", "audit_rules_kernel_module_loading_create", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_finit", "audit_rules_kernel_module_loading_init", "audit_rules_kernel_module_loading_query"], "platform": "", "platforms": [], "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "title": "Record Information on Kernel Modules Loading and Unloading", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/group.yml"}