On 07/10/2015 02:40 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
> The check for the RHEL7 audit rules for kernel module loading and
> unloading specifies the following:
>
> -w /usr/sbin/insmod -p x -k modules
> -w /usr/sbin/rmmod -p x -k modules
> -w /usr/sbin/modprobe -p x -k modules
>
> However, at least on my RHEL7 system, these commands are located in /sbin, not /usr/sbin
> (as on RHEL6). This is using the latest git zip (can't manage to pull from git since
> the move to github, for some reason).
>
> --
> Ray Shaw (Contractor, STG)
> Army Research Laboratory
> CISD, Unix Support

/sbin is a symlink to /usr/sbin on my RHEL 7 system, and the binaries
you mention are still located in /usr/sbin as before:
$ ls -ld /sbin
lrwxrwxrwx. 1 root root 8 Jun 25 2014 /sbin -> usr/sbin/
$ which insmod
/usr/sbin/insmod
$ which rmmod
/usr/sbin/rmmod
$ which modprobe
/usr/sbin/modprobe
Can you check if your /sbin is a symlink or a real directory?
- Maura Dailey
maura(a)eclipse.ncsc.mil
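
The symlink question raised in the reply can be answered per rule by comparing inodes. The script below is an added example, not part of the original thread or of the project's checks: `make_tree`, `check_rules`, the status words and the two directory trees are constructed for illustration.

```shell
#!/bin/sh
# Added example. Rules as quoted in the thread:
RULES='-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules'

# make_tree DIR LAYOUT: build a constructed (fake) root for offline testing.
#   merged = binaries in usr/sbin, sbin is a symlink to it (as in the reply)
#   split  = binaries only in a real sbin directory (as the report describes)
make_tree() {
    mkdir -p "$1/usr/sbin"
    if [ "$2" = merged ]; then
        ln -s usr/sbin "$1/sbin"
    else
        mkdir -p "$1/sbin"
    fi
    for b in insmod rmmod modprobe; do : > "$1/sbin/$b"; done
}

# check_rules ROOT: for each -w rule print "<watched path> <status>".
# ROOT is a path prefix; pass "" to inspect the running system.
# Note: -ef is not in POSIX test, but bash and dash both support it.
check_rules() {
    printf '%s\n' "$RULES" | while read -r flag path rest; do
        [ "$flag" = "-w" ] || continue
        alt="/sbin/${path##*/}"
        if [ ! -e "$1$path" ]; then
            echo "$path rule-path-missing"
        elif [ "$1$path" -ef "$1$alt" ]; then
            echo "$path same-file-as-$alt"    # same device and inode
        else
            echo "$path not-same-file-as-$alt"
        fi
    done
}

# Demo on constructed trees only; nothing on the real system is read.
demo=$(mktemp -d)
make_tree "$demo/merged" merged
make_tree "$demo/split" split
echo "merged layout:"; check_rules "$demo/merged"
echo "split layout:";  check_rules "$demo/split"
rm -rf "$demo"
```

Calling `check_rules ""` runs the same comparison against the live filesystem.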