1:40 p.m.
The check for the RHEL7 audit rules for kernel module loading and unloading specifies the
following:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
However, at least on my RHEL7 system, these commands are located in /sbin, not /usr/sbin
(as on RHEL6). This is using the latest git zip (can't manage to pull from git since
the move to github, for some reason).
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support
1:46 p.m.
On 07/10/2015 02:40 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
The check for the RHEL7 audit rules for kernel module loading and
unloading specifies the following:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
However, at least on my RHEL7 system, these commands are located in /sbin, not /usr/sbin
(as on RHEL6). This is using the latest git zip (can't manage to pull from git since
the move to github, for some reason).
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support
/sbin is a symlink to /usr/sbin on my RHEL 7 system, and the binaries
you mention are still located in /usr/sbin as before:
$ ls -ld /sbin
lrwxrwxrwx. 1 root root 8 Jun 25 2014 /sbin -> usr/sbin/
$ which insmod
/usr/sbin/insmod
$ which rmmod
/usr/sbin/rmmod
$ which modprobe
/usr/sbin/modprobe
Can you check if your /sbin is a symlink or a real directory?
- Maura Dailey
maura(a)eclipse.ncsc.mil
1:48 p.m.
On Friday, July 10, 2015 06:40:52 PM Shaw, Ray V CTR USARMY ARL wrote:
The check for the RHEL7 audit rules for kernel module loading and
unloading
specifies the following:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
However, at least on my RHEL7 system, these commands are located in /sbin,
not /usr/sbin (as on RHEL6).
/sbin should be a symlink to /usr/sbin
More info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
This is using the latest git zip (can't manage to pull from git
since the move to github, for some reason).
Check to see if /usr/sbin/insmod exists. Maybe the PATH variable has
directories in the wrong order and it resolves the symlink first? Either way,
the audit system should be smart enough to figure this out because it
resolves to the same inode.
-Steve
3228
days inactive
3228
days old
scap-security-guide@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Maura Dailey -
Shaw, Ray V CTR USARMY RDECOM ARL (US) -
Steve Grubb