>From 27f076b024f03c81efa0181f8d14ca13f28c8302 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Tue, 21 Feb 2012 23:03:23 -0500 Subject: [PATCH 10/24] - Updated key (-k audit_kernel_module_loading) - Minor content/syntax adjustments --- rhel6/src/input/system/auditing.xml | 17 +++++++---------- 1 files changed, 7 insertions(+), 10 deletions(-) diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index a950096..71d70b7 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -311,15 +311,13 @@ This script will give you several lines of output, and the output below is from
Take the output of the script and place it into /etc/audit/audit.rules. - -Ensure <tt>auditd</tt> Collects Information on Exporting to Media -(successful) +Ensure <tt>auditd</tt> Collects Information on Exporting to Media (successful) At a minimum the audit system should collect media exportation events for all users and root. Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as @@ -374,16 +372,15 @@ of what was executed on the system as well as for accountability purposes. -Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading -and Unloading +Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading events:
-
--w /sbin/insmod -p x -k modules
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit -S init_module -S delete_module -k modules
+
# audit_kernel_module_loading
+-w /sbin/insmod -p x -k audit_kernel_module_loading
+-w /sbin/rmmod -p x -k audit_kernel_module_loading
+-w /sbin/modprobe -p x -k audit_kernel_module_loading
+-a always,exit -S init_module -S delete_module -k audit_kernel_module_loading
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important -- 1.7.1
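Review bot: the `-a always,exit -S init_module -S delete_module -k audit_kernel_module_loading` line still has no `-F arch=` clause, while the media-export rule earlier in the same file tells the reader to set ARCH to b32 or b64; either carry the same ARCH placeholder here or state why this syscall rule is meant to apply without it, since on a 64-bit host a rule without an arch filter does not cover the 32-bit syscall numbers. Two smaller points on the same hunk: the new key `audit_kernel_module_loading` is 27 characters, so confirm it fits the `-k` key-length limit documented in auditctl(8) for the audit package on the target release; and the `# audit_kernel_module_loading` comment line is shown without a leading `+`, yet the header's 7 insertions only add up if that line is an added one, so check the patch applies cleanly.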