← Rules Catalog
highauditverified rollback-safe

Audit kernel module loading

audit-kernel-modules · RHEL ≥ 8 · 1 impl

Description

Loading and unloading of kernel modules must be audited. Kernel modules can introduce malicious code with full system privileges.

Rationale

Auditing kernel module operations allows detection of rootkit installation or other kernel-level attacks.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
persist_file:
/etc/audit/rules.d/50-modules.rules

Framework references

CIS

rhel8 6.3.3.19rhel9 6.3.3.19rhel10 6.3.3.31

STIG

V-258189 / RHEL-09-654075V-258190 / RHEL-09-654080V-230438V-230446 / RHEL-08-030390

NIST 800-53

AU-2AU-12CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#kernel#modules