← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the kmod command

audit-cmd-kmod · RHEL ≥ 8 · 1 impl

Description

All uses of the kmod command must be audited. The kmod command manages kernel modules which can introduce malicious code.

Rationale

Auditing kmod command usage allows detection of unauthorized kernel module operations that could compromise system security.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281132 / RHEL-10-500460V-258195 / RHEL-09-654105V-230465

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#kmod#kernel