On Friday, July 10, 2015 06:40:52 PM Shaw, Ray V CTR USARMY ARL wrote:
> The check for the RHEL7 audit rules for kernel module loading and unloading
> specifies the following:
>
> -w /usr/sbin/insmod -p x -k modules
> -w /usr/sbin/rmmod -p x -k modules
> -w /usr/sbin/modprobe -p x -k modules
>
> However, at least on my RHEL7 system, these commands are located in /sbin,
> not /usr/sbin (as on RHEL6).

/sbin should be a symlink to /usr/sbin
More info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...

> This is using the latest git zip (can't manage to pull from git
> since the move to github, for some reason).

Check to see if /usr/sbin/insmod exists. Maybe the PATH variable has
directories in the wrong order and it resolves the symlink first? Either way,
the audit system should be smart enough to figure this out because it
resolves to the same inode.
-Steve
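
Added example, not part of the thread: a shell check that, for each `-w /usr/sbin/...` watch in a rules file, tests whether the /usr/sbin path and its /sbin counterpart name the same file (same device and inode). The function names and the optional ROOT argument (used here to run against a constructed throwaway tree) are hypothetical.

```shell
#!/bin/sh
# Added example; function names and the ROOT parameter are assumptions.

# same_inode A B: succeeds when both paths exist and, after following
# symlinks, refer to the same device and inode.
same_inode() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# check_watches RULES [ROOT]: for every "-w /usr/sbin/<tool>" rule in RULES,
# compare ROOT/usr/sbin/<tool> with ROOT/sbin/<tool>. Prints one line per
# rule and returns the number of rules whose two paths differ or are missing.
check_watches() {
    local rules="$1" root="${2:-}" bad=0 flag path alt _
    while read -r flag path _; do
        [ "$flag" = "-w" ] || continue            # only file watches
        case $path in /usr/sbin/*) ;; *) continue ;; esac
        alt="/sbin/${path#/usr/sbin/}"
        if same_inode "$root$path" "$root$alt"; then
            echo "OK       $path and $alt name the same file"
        else
            echo "MISMATCH $path vs $alt (missing or different inode)"
            bad=$((bad + 1))
        fi
    done < "$rules"
    return "$bad"
}

# Constructed demo: a throwaway tree where sbin is a symlink to usr/sbin,
# and a rules file holding the three watches quoted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/usr/sbin"
for tool in insmod rmmod modprobe; do : > "$demo/usr/sbin/$tool"; done
ln -s usr/sbin "$demo/sbin"
cat > "$demo/audit.rules" <<'EOF'
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
EOF
check_watches "$demo/audit.rules" "$demo"
```

To run it against a live system, call `check_watches` with the deployed rules file and no ROOT argument.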