{"description": "Ensure that loading and unloading of kernel modules is audited.\n\nThe following rules configure audit as described above:\n<pre>## These rules watch for kernel module insertion. By monitoring\n## the syscall, we do not need any watches on programs.\n-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load\n-a always,exit -F arch=b64 -S delete_module -F key=module-unload</pre>\n\nLoad the new audit rules into the kernel by running:\n<pre>augenrules --load</pre>", "rationale": "Loading a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and can perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating malicious activity.", "severity": "medium", "references": {"nist": ["AU-2(a)"], "ospp": ["FAU_GEN.1.1.c"], "srg": ["SRG-OS-000471-GPOS-00216", "SRG-OS-000477-GPOS-00222", "SRG-OS-000475-GPOS-00220"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the file does not exist or the content differs", "ocil": "To verify that <tt>audit</tt> is correctly configured according to the recommended rules, check the content of the file with the following command:\n<pre>cat /etc/audit/rules.d/43-module-load.rules</pre>\nThe output has to be exactly as follows:\n<pre>## These rules watch for kernel module insertion. By monitoring\n## the syscall, we do not need any watches on programs.\n-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load\n-a always,exit -F arch=b64 -S delete_module -F key=module-unload</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["ppc64le_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["ppc64le_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditing of loading and unloading of kernel modules (ppc64le)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_module_load_ppc64le/rule.yml", "template": {"name": "audit_file_contents", "vars": {"filepath": "/etc/audit/rules.d/43-module-load.rules", "contents": "## These rules watch for kernel module insertion. By monitoring\n## the syscall, we do not need any watches on programs.\n-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load\n-a always,exit -F arch=b64 -S delete_module -F key=module-unload"}, "backends": {}}}
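The following shell script is an added example and is not part of the SCAP Security Guide rule above or its generated remediation. It applies the rule text from the description to a rules directory, performs the strict file-content check that the OCIL clause describes, and adds a looser semantic check that only asks whether `init_module`, `finit_module` and `delete_module` are audited for `arch=b64` in any `*.rules` file. The rules directory is a parameter (assumed to be `/etc/audit/rules.d` on a real host) so the functions can be exercised against a scratch directory without root; `augenrules --load` is only invoked when running as root against the real directory.

```shell
#!/bin/sh
# Added example, not SSG code. Apply and verify the ppc64le kernel-module
# audit rules. All functions take the rules directory as $1.

# The exact rule text the OCIL check expects (no trailing whitespace).
EXPECTED_RULES='## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S delete_module -F key=module-unload'

# Write 43-module-load.rules into the given directory. The rules are loaded
# into the running kernel only when we are root, augenrules exists, and the
# target is the real /etc/audit/rules.d (augenrules reads only that path).
apply_module_rules() {
    rules_dir=$1
    mkdir -p "$rules_dir"
    printf '%s\n' "$EXPECTED_RULES" > "$rules_dir/43-module-load.rules"
    if [ "$rules_dir" = /etc/audit/rules.d ] && [ "$(id -u)" -eq 0 ] \
        && command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    fi
}

# Strict check mirroring the OCIL clause: the file exists and its content is
# exactly the expected text. Returns 0 on pass, 1 on fail. Trailing
# whitespace on a line (as in the rendered <pre> block) fails this check.
check_module_rules_exact() {
    f=$1/43-module-load.rules
    [ -f "$f" ] || return 1
    [ "$(cat "$f")" = "$EXPECTED_RULES" ]
}

# Semantic check: every module syscall appears in an always,exit rule for
# arch=b64 somewhere under the rules directory, whatever the file name or
# key. Looser than the OCIL check; useful when a site ships its own file.
check_module_syscalls_covered() {
    rules_dir=$1
    for sc in init_module finit_module delete_module; do
        grep -hE '^-a[[:space:]]+always,exit' "$rules_dir"/*.rules 2>/dev/null \
          | grep -E -- '-F[[:space:]]+arch=b64' \
          | grep -E -- "-S[[:space:]]+([^[:space:]]*,)?$sc(,|[[:space:]]|$)" \
          >/dev/null || return 1
    done
    return 0
}
```

On a live ppc64le host, run `apply_module_rules /etc/audit/rules.d` as root and then `check_module_rules_exact /etc/audit/rules.d`; `auditctl -l | grep module-` confirms the rules reached the kernel. Only `arch=b64` lines are needed here because this rule targets ppc64le; the semantic check would need a second pass over `arch=b32` on architectures where the x86_64 variant of the rule is used.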