mediumauditverified ✓rollback-safe
Audit uses of the kmod command
audit-cmd-kmod · RHEL ≥ 8 · 1 impl
Description
All uses of the kmod command must be audited. The kmod command manages kernel modules which can introduce malicious code.
Rationale
Auditing kmod command usage allows detection of unauthorized kernel module operations that could compromise system security.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281132 / RHEL-10-500460V-258195 / RHEL-09-654105V-230465
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#kmod#kernel