|
|
71d622 |
From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001
|
|
|
71d622 |
From: Marek Haicman <mhaicman@redhat.com>
|
|
|
71d622 |
Date: Thu, 22 Feb 2018 22:49:54 +0100
|
|
|
71d622 |
Subject: [PATCH 1/2] Fix kernel module loading and unloading rules
|
|
|
71d622 |
|
|
|
71d622 |
Fixed rule descriptions to make more sense, and fixing remediation
|
|
|
71d622 |
of general rule to set auditing of both b32 and b64 syscalls on
|
|
|
71d622 |
64-bit systems.
|
|
|
71d622 |
---
|
|
|
71d622 |
.../bash/audit_rules_kernel_module_loading.sh | 10 +-
|
|
|
71d622 |
.../audit_rules_kernel_module_loading_delete.sh | 8 +-
|
|
|
71d622 |
.../bash/audit_rules_kernel_module_loading_init.sh | 8 +-
|
|
|
71d622 |
shared/xccdf/system/auditing.xml | 161 ++++++++++-----------
|
|
|
71d622 |
4 files changed, 91 insertions(+), 96 deletions(-)
|
|
|
71d622 |
|
|
|
71d622 |
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
|
|
|
71d622 |
index 12d6dd0181..268da407f7 100644
|
|
|
71d622 |
--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh
|
|
|
71d622 |
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
|
|
|
71d622 |
@@ -5,11 +5,11 @@
|
|
|
71d622 |
|
|
|
71d622 |
# First perform the remediation of the syscall rule
|
|
|
71d622 |
# Retrieve hardware architecture of the underlying system
|
|
|
71d622 |
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
|
|
|
71d622 |
-# it's not required on a 64-bit system to check also for the presence
|
|
|
71d622 |
-# of 32-bit's equivalent of the corresponding rule. Therefore for
|
|
|
71d622 |
-# each system it's enought to check presence of system's native rule form.
|
|
|
71d622 |
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
|
|
|
71d622 |
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
|
|
|
71d622 |
+# it's required on a 64-bit system to check also for the presence
|
|
|
71d622 |
+# of 32-bit's equivalent of the corresponding rule.
|
|
|
71d622 |
+# (See `man 7 audit.rules` for details )
|
|
|
71d622 |
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
|
|
|
71d622 |
|
|
|
71d622 |
for ARCH in "${RULE_ARCHS[@]}"
|
|
|
71d622 |
do
|
|
|
71d622 |
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
|
|
|
71d622 |
index 59aadeeef8..131f1a2819 100644
|
|
|
71d622 |
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
|
|
|
71d622 |
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
|
|
|
71d622 |
@@ -5,10 +5,10 @@
|
|
|
71d622 |
|
|
|
71d622 |
# First perform the remediation of the syscall rule
|
|
|
71d622 |
# Retrieve hardware architecture of the underlying system
|
|
|
71d622 |
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
|
|
|
71d622 |
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
|
|
|
71d622 |
-# the audit file because it is not possible to know if the computer will be booted
|
|
|
71d622 |
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
|
|
|
71d622 |
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
|
|
|
71d622 |
+# it's required on a 64-bit system to check also for the presence
|
|
|
71d622 |
+# of 32-bit's equivalent of the corresponding rule.
|
|
|
71d622 |
+# (See `man 7 audit.rules` for details )
|
|
|
71d622 |
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
|
|
|
71d622 |
|
|
|
71d622 |
for ARCH in "${RULE_ARCHS[@]}"
|
|
|
71d622 |
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
|
|
|
71d622 |
index 04b06f9dee..c46a854068 100644
|
|
|
71d622 |
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
|
|
|
71d622 |
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
|
|
|
71d622 |
@@ -5,10 +5,10 @@
|
|
|
71d622 |
|
|
|
71d622 |
# First perform the remediation of the syscall rule
|
|
|
71d622 |
# Retrieve hardware architecture of the underlying system
|
|
|
71d622 |
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
|
|
|
71d622 |
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
|
|
|
71d622 |
-# the audit file because it is not possible to know if the computer will be booted
|
|
|
71d622 |
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
|
|
|
71d622 |
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
|
|
|
71d622 |
+# it's required on a 64-bit system to check also for the presence
|
|
|
71d622 |
+# of 32-bit's equivalent of the corresponding rule.
|
|
|
71d622 |
+# (See `man 7 audit.rules` for details )
|
|
|
71d622 |
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
|
|
|
71d622 |
|
|
|
71d622 |
for ARCH in "${RULE_ARCHS[@]}"
|
|
|
71d622 |
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
|
|
|
71d622 |
index 85487ee417..b68820fe9b 100644
|
|
|
71d622 |
--- a/shared/xccdf/system/auditing.xml
|
|
|
71d622 |
+++ b/shared/xccdf/system/auditing.xml
|
|
|
71d622 |
@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a
|
|
|
71d622 |
Ensuring the <tt>auditd</tt> service is active ensures audit records
|
|
|
71d622 |
generated by the kernel are appropriately recorded.
|
|
|
71d622 |
|
|
|
71d622 |
-Additionally, a properly configured audit subsystem ensures that actions of
|
|
|
71d622 |
+Additionally, a properly configured audit subsystem ensures that actions of
|
|
|
71d622 |
individual system users can be uniquely traced to those users so they
|
|
|
71d622 |
can be held accountable for their actions.
|
|
|
71d622 |
</rationale>
|
|
|
71d622 |
@@ -727,7 +727,7 @@ with limited audit storage capacity.
|
|
|
71d622 |
</rationale>
|
|
|
71d622 |
<platform idref="cpe:/a:machine" />
|
|
|
71d622 |
<ident cce="80541-6"/>
|
|
|
71d622 |
-<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" />
|
|
|
71d622 |
+<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" />
|
|
|
71d622 |
<ref disa="1851" nist="" srg="SRG-OS-000342-GPOS-00133" stigid="030300"/>
|
|
|
71d622 |
</Rule>
|
|
|
71d622 |
|
|
|
71d622 |
@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes.
|
|
|
71d622 |
|
|
|
71d622 |
<Group id="audit_kernel_module_loading">
|
|
|
71d622 |
<title>Record Information on Kernel Modules Loading and Unloading</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
--w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
--w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
|
|
|
71d622 |
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
|
|
|
71d622 |
+
|
|
|
71d622 |
+-w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
-w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
-w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
|
|
|
71d622 |
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
|
|
|
71d622 |
+
|
|
|
71d622 |
+
|
|
|
71d622 |
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
--w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
--w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
|
|
|
71d622 |
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
|
|
|
71d622 |
+
|
|
|
71d622 |
+-w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
-w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
-w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
|
|
|
71d622 |
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
|
|
|
71d622 |
+
|
|
|
71d622 |
+
|
|
|
71d622 |
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil>
|
|
|
71d622 |
<audit-syscall-check-macro syscall="init_module" />
|
|
|
71d622 |
@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel.
|
|
|
71d622 |
</Rule>
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading_init" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S init_module -F key=modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module</title>
|
|
|
71d622 |
+<description>To capture kernel module loading events, use following line, setting ARCH to
|
|
|
71d622 |
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
|
|
|
71d622 |
-a always,exit -F arch=ARCH -S init_module -F key=modules
|
|
|
71d622 |
+
|
|
|
71d622 |
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the line to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil>
|
|
|
71d622 |
<audit-syscall-check-macro syscall="init_module" />
|
|
|
71d622 |
</ocil>
|
|
|
71d622 |
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
+<rationale>The addition of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
the kernel and potentially introduce malicious code into kernel space. It is important
|
|
|
71d622 |
to have an audit trail of modules that have been introduced into the kernel.</rationale>
|
|
|
71d622 |
<platform idref="cpe:/a:machine" />
|
|
|
71d622 |
@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel.
|
|
|
71d622 |
</Rule>
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading_delete" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--a always,exit -F arch=ARCH -S delete_module -F key=modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module</title>
|
|
|
71d622 |
+<description>To capture kernel module unloading events, use following line, setting ARCH to
|
|
|
71d622 |
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
|
|
|
71d622 |
-a always,exit -F arch=ARCH -S delete_module -F key=modules
|
|
|
71d622 |
+
|
|
|
71d622 |
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the line to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil>
|
|
|
71d622 |
<audit-syscall-check-macro syscall="delete_module" />
|
|
|
71d622 |
</ocil>
|
|
|
71d622 |
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
+<rationale>The removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
the kernel and potentially introduce malicious code into kernel space. It is important
|
|
|
71d622 |
to have an audit trail of modules that have been introduced into the kernel.</rationale>
|
|
|
71d622 |
<platform idref="cpe:/a:machine" />
|
|
|
71d622 |
@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel.
|
|
|
71d622 |
</Rule>
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading_insmod" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod</title>
|
|
|
71d622 |
+<description>To capture invocation of insmod, utility used to insert modules into kernel,
|
|
|
71d622 |
+use the following line:
|
|
|
71d622 |
-w /usr/sbin/insmod -p x -k modules
|
|
|
71d622 |
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the line to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil clause="there is not output">
|
|
|
71d622 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
71d622 |
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
|
|
|
71d622 |
</ocil>
|
|
|
71d622 |
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
+<rationale>The addition of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
the kernel and potentially introduce malicious code into kernel space. It is important
|
|
|
71d622 |
to have an audit trail of modules that have been introduced into the kernel.</rationale>
|
|
|
71d622 |
<platform idref="cpe:/a:machine" />
|
|
|
71d622 |
@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel.
|
|
|
71d622 |
</Rule>
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading_rmmod" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod</title>
|
|
|
71d622 |
+<description>To capture invocation of rmmod, utility used to remove modules from kernel,
|
|
|
71d622 |
+add the following line:
|
|
|
71d622 |
-w /usr/sbin/rmmod -p x -k modules
|
|
|
71d622 |
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the line to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil clause="there is not output">
|
|
|
71d622 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
71d622 |
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
|
|
|
71d622 |
</ocil>
|
|
|
71d622 |
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
+<rationale>The removal of kernel modules can be used to alter the behavior of
|
|
|
71d622 |
the kernel and potentially introduce malicious code into kernel space. It is important
|
|
|
71d622 |
to have an audit trail of modules that have been introduced into the kernel.</rationale>
|
|
|
71d622 |
<platform idref="cpe:/a:machine" />
|
|
|
71d622 |
@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel.
|
|
|
71d622 |
|
|
|
71d622 |
<Rule id="audit_rules_kernel_module_loading_modprobe" severity="medium" prodtype="rhel7">
|
|
|
71d622 |
<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe</title>
|
|
|
71d622 |
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
|
|
|
71d622 |
-to read audit rules during daemon startup (the default), add the following lines to a file
|
|
|
71d622 |
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
|
|
|
71d622 |
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
|
|
|
71d622 |
--w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
|
|
|
71d622 |
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
|
|
|
71d622 |
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
|
|
|
71d622 |
-b64 as appropriate for your system:
|
|
|
71d622 |
+<description>To capture invocation of modprobe, utility used to insert / remove modules from kernel,
|
|
|
71d622 |
+add the following line:
|
|
|
71d622 |
-w /usr/sbin/modprobe -p x -k modules
|
|
|
71d622 |
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
|
|
|
71d622 |
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
|
|
|
71d622 |
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
71d622 |
+
|
|
|
71d622 |
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
|
|
|
71d622 |
+add the line to file <tt>/etc/audit/audit.rules</tt>.
|
|
|
71d622 |
</description>
|
|
|
71d622 |
<ocil clause="there is not output">
|
|
|
71d622 |
To verify that auditing is configured for system administrator actions, run the following command:
|
|
|
71d622 |
|
|
|
71d622 |
From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001
|
|
|
71d622 |
From: Marek Haicman <mhaicman@redhat.com>
|
|
|
71d622 |
Date: Thu, 22 Feb 2018 23:13:29 +0100
|
|
|
71d622 |
Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading
|
|
|
71d622 |
rules
|
|
|
71d622 |
|
|
|
71d622 |
---
|
|
|
71d622 |
.../rule_audit_rules_kernel_module_loading/default.fail.sh | 7 +++++++
|
|
|
71d622 |
.../rule_audit_rules_kernel_module_loading_delete/default.fail.sh | 7 +++++++
|
|
|
71d622 |
.../rule_audit_rules_kernel_module_loading_init/default.fail.sh | 7 +++++++
|
|
|
71d622 |
.../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh | 7 +++++++
|
|
|
71d622 |
.../default.fail.sh | 7 +++++++
|
|
|
71d622 |
.../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh | 7 +++++++
|
|
|
71d622 |
6 files changed, 42 insertions(+)
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
|
|
|
71d622 |
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
|
|
|
71d622 |
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..48457258e5
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_C2S
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..12fe012776
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..12fe012776
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..12fe012776
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..12fe012776
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|
|
|
71d622 |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
|
|
|
71d622 |
new file mode 100644
|
|
|
71d622 |
index 0000000000..12fe012776
|
|
|
71d622 |
--- /dev/null
|
|
|
71d622 |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
|
|
|
71d622 |
@@ -0,0 +1,7 @@
|
|
|
71d622 |
+#!/bin/bash
|
|
|
71d622 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
71d622 |
+# remediation = bash
|
|
|
71d622 |
+
|
|
|
71d622 |
+rm -f /etc/audit/rules.d/*
|
|
|
71d622 |
+> /etc/audit/audit.rules
|
|
|
71d622 |
+true
|