{"description": "To capture kernel module loading and unloading events, use following lines, setting ARCH to\neither b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:\n<pre>\n-a always,exit -F arch=<i>ARCH</i> -S init_module,finit_module,delete_module -F key=modules\n</pre>\n\nThe place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured\nto use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,\nadd the lines to file <tt>/etc/audit/audit.rules</tt>.", "rationale": "The addition/removal of kernel modules can be used to alter the behavior of\nthe kernel and potentially introduce malicious code into kernel space. It is important\nto have an audit trail of modules that have been introduced into the kernel.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"], "ism": ["0582"]}, "control_references": {"ism": ["0582"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>init_module</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"init_module\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>finit_module</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"finit_module\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>delete_module</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"delete_module\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on Kernel Module Loading and Unloading", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml", "template": null}