{"description": "\nTo capture kernel module loading and unloading events, use the following line, setting ARCH to\neither b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:\n\n<pre>-a always,exit -F arch=<i>ARCH</i> -S finit_module -F auid>=1000 -F auid!=unset -F key=modules</pre>\n\n\nPlace to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured\nto use the <tt>augenrules</tt> program (the default), add the line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,\nadd the line to file <tt>/etc/audit/audit.rules</tt>.", "rationale": "The addition/removal of kernel modules can be used to alter the behavior of\nthe kernel and potentially introduce malicious code into kernel space. It is important\nto have an audit trail of modules that have been introduced into the kernel.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-OS-000471-GPOS-00216", "SRG-OS-000477-GPOS-00222", "SRG-APP-000495-CTR-001235", "SRG-APP-000504-CTR-001280"], "anssi": ["R73"], "cis": ["6.3.3.19"], "stigid": ["UBTU-22-654175"], "stigref": ["SV-260637r958446_rule"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.19"], "stigid": ["UBTU-22-654175"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>finit_module</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"finit_module\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"finit_module\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/module_chng.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " Ubuntu 22.04 must audit all uses of the finit_module command.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must audit all uses of the init_module and finit_module system calls.", "vuldiscussion": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "checktext": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"init_module\" and \"finit_module\" syscalls with the following command:\n\n$ sudo auditctl -l | grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng\n\nIf both the \"b32\" and \"b64\" audit rules are not defined for the \"delete_module\" syscall, or any of the lines returned are commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate an audit event for any successful/unsuccessful use of the \"init_module\" and \"finit_module\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml", "template": {"name": "audit_rules_kernel_module_loading", "vars": {"name": "finit_module", "syscall_grouping": ["create_module", "delete_module", "finit_module", "init_module", "query_module"]}, "backends": {}}}