highauditverified ✓rollback-safe
Audit kernel module loading
audit-kernel-modules · RHEL ≥ 8 · 1 impl
Description
Loading and unloading of kernel modules must be audited. Kernel modules can introduce malicious code with full system privileges.
Rationale
Auditing kernel module operations allows detection of rootkit installation or other kernel-level attacks.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
- persist_file:
- /etc/audit/rules.d/50-modules.rules
Framework references
CIS
rhel8 6.3.3.19rhel9 6.3.3.19rhel10 6.3.3.31
STIG
V-258189 / RHEL-09-654075V-258190 / RHEL-09-654080V-230438V-230446 / RHEL-08-030390
NIST 800-53
AU-2AU-12CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#kernel#modules