Profile Applicability:
 • Level 2

Description:
 Kernel modules extend the functionality of the operating system. Monitoring and auditing module loading, unloading, and modifications is critical to detect unauthorized or malicious activity that could compromise system security.

Rationale:
 Collecting audit logs for kernel module events provides visibility into critical changes, enabling timely detection of suspicious activities and maintaining system integrity.

Impact:
 Pros:

  • Enhances detection of unauthorized kernel module manipulations.

  • Supports forensic investigations and compliance requirements.

 Cons:

  • May increase audit log volume and require log management.

Default Value:
 Audit rules for kernel module events may not be enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check the currently loaded audit rules for kernel module events (the key set in the implementation plan is module-change, so matching on 'module' also catches the key):

auditctl -l | grep 'module'

Verify that syscall rules exist for init_module, finit_module and delete_module (on a 64-bit system, for both the b64 and b32 ABIs), and that execute watches exist on the module management tools (insmod, rmmod, modprobe). Note that auditctl -l prints the key as -F key=module-change rather than -k module-change.


Implementation Plan:

Using Linux command line:

Add audit rules to monitor kernel module events. modprobe (the tool the kernel and init system normally use) loads modules through finit_module rather than init_module, so that syscall must be included, and on a 64-bit system a b32 rule is needed as well or a 32-bit loader would go unaudited:

auditctl -w /sbin/insmod -p x -k module-change
auditctl -w /sbin/rmmod -p x -k module-change
auditctl -w /sbin/modprobe -p x -k module-change
auditctl -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k module-change
auditctl -a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k module-change

On distributions where /sbin is a symlink to /usr/sbin, watch the path the binaries actually reside at.

Persist the rules by adding them to a file with a .rules extension under /etc/audit/rules.d/ (for example /etc/audit/rules.d/50-kernel-modules.rules) and load them with augenrules --load. Rules added with auditctl alone are lost at reboot.
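The following script, added here as an illustration and not part of the benchmark text, ties the test plan and the implementation plan together: module_rules_file prints the rule set to persist, and check_module_rules reads auditctl -l style output and reports which syscall rules (per ABI) and which execute watches are missing. The file name 50-kernel-modules.rules and the sample auditctl -l output are assumptions; the sample is constructed so the check runs offline and deliberately lacks finit_module, the b32 rule and the modprobe watch.

```shell
#!/bin/sh
# Added example (not from the benchmark): generate and verify kernel-module audit rules.

# Constructed sample of `auditctl -l` output: the incomplete rule set a system
# configured with only the original three rules would show.
SAMPLE_RULES='-w /sbin/insmod -p x -k module-change
-w /sbin/rmmod -p x -k module-change
-a always,exit -F arch=b64 -S init_module,delete_module -F key=module-change'

# module_rules_file: print the rule set to persist under /etc/audit/rules.d/.
module_rules_file() {
    cat <<'EOF'
## Kernel module load/unload, both ABIs (modprobe uses finit_module, not init_module)
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k module-change
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k module-change
## Execution of the module management tools
-w /sbin/insmod -p x -k module-change
-w /sbin/rmmod -p x -k module-change
-w /sbin/modprobe -p x -k module-change
EOF
}

# check_module_rules: read rules (auditctl -l output or a rules file) on stdin.
# Prints one "missing: ..." line per gap and returns 1; prints "ok" and returns 0
# when every required syscall rule and watch is present. Matching is on the
# syscall list and the watch path only, so both "-k key" and "-F key=" forms pass.
check_module_rules() {
    local rules n arch sc path
    rules=$(cat)
    n=0
    for arch in b64 b32; do
        for sc in init_module finit_module delete_module; do
            # A rule for this ABI must list the syscall, which auditctl -l prints
            # comma-separated after -S; the group guards against matching
            # "init_module" inside "finit_module".
            if ! printf '%s\n' "$rules" | grep -E -- "-F arch=$arch .*-S ([^ ]*,)?$sc(,| |\$)" >/dev/null; then
                echo "missing: $arch:$sc"
                n=$((n + 1))
            fi
        done
    done
    for path in /sbin/insmod /sbin/rmmod /sbin/modprobe; do
        # The watch must carry the execute permission (x) in its -p list.
        if ! printf '%s\n' "$rules" | grep -E -- "^-w $path -p [a-z]*x" >/dev/null; then
            echo "missing: watch:$path"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ] && echo ok
    [ "$n" -eq 0 ]
}

# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | check_module_rules
# On a live system (requires root):
#   module_rules_file | sudo tee /etc/audit/rules.d/50-kernel-modules.rules >/dev/null
#   sudo augenrules --load
#   sudo auditctl -l | check_module_rules
```

The check reads the rules from stdin rather than calling auditctl itself, so the same function validates the live rule set, a rules file under /etc/audit/rules.d/, or a captured auditctl -l listing from a remote host.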

Backout Plan:

Using Linux command line:

Remove the kernel module audit rules as needed. auditctl -D -k module-change deletes every loaded rule carrying that key, watches included, so the separate -W calls are only required if the watches were added with a different key:

auditctl -W /sbin/insmod -p x -k module-change
auditctl -W /sbin/rmmod -p x -k module-change
auditctl -W /sbin/modprobe -p x -k module-change
auditctl -D -k module-change

Also delete the rules from the file under /etc/audit/rules.d/ where they were persisted, otherwise they return at the next reload, then reload the audit daemon configuration with augenrules --load. If the audit configuration has been made immutable (auditctl -e 2), loaded rules cannot be removed until the system is rebooted.

References: