{"description": "\nTo capture kernel module loading and unloading events, use the following line, setting ARCH to\neither b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:\n\n<pre>-a always,exit -F arch=<i>ARCH</i> -S query_module -F auid>=1000 -F auid!=unset -F key=modules</pre>\n\n\nPlace to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured\nto use the <tt>augenrules</tt> program (the default), add the line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,\nadd the line to file <tt>/etc/audit/audit.rules</tt>.", "rationale": "The addition/removal of kernel modules can be used to alter the behavior of\nthe kernel and potentially introduce malicious code into kernel space. It is important\nto have an audit trail of modules that have been introduced into the kernel.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>query_module</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"query_module\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"query_module\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/module_chng.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S query_module -F auid>=1000 -F auid!=unset -k module_chng\n-a always,exit -F arch=b64 -S query_module -F auid>=1000 -F auid!=unset -k module_chng\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " Ubuntu 22.04 must audit all uses of the query_module command.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_query/rule.yml", "template": {"name": "audit_rules_kernel_module_loading", "vars": {"name": "query_module", "syscall_grouping": ["create_module", "delete_module", "finit_module", "init_module", "query_module"]}, "backends": {}}}