An error occurred:

Check: RHEL-06-000202

Red Hat Enterprise Linux 6 STIG: RHEL-06-000202 (in versions v2 r2 through v1 r23)

Title

The audit system must be configured to audit the loading and unloading of dynamic kernel modules. (Cat II impact)

Discussion

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Check Content

To determine if the system is configured to audit execution of module management programs, run the following commands: $ sudo egrep -e "(-w |-F path=)/sbin/insmod|(-w |-F path=)/sbin/rmmod|(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules If "/sbin/insmod" is not being audited, this is a finding. If "/sbin/rmmod" is not being audited, this is a finding. If "/sbin/modprobe" is not being audited, this is a finding. To determine if the system is configured to audit calls to the "init_module" and "delete_module" system calls, run the following command: $ sudo egrep -w "init_module|delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If the system is not configured to audit "init_module" this is a finding. If the system is not configured to audit "delete_module", this is a finding. If no line is returned, this is a finding.

Fix Text

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Additional Identifiers

Rule ID: SV-217980r603264_rule

Vulnerability ID: V-217980

Group Title: SRG-OS-000064

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000172

The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation