← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /sbin/modprobe (Ubuntu)

audit-watch-modprobe · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /sbin/modprobe must generate an audit record so that kernel module loads can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /sbin/modprobe -p x -k modules
Remediateaudit_rule_set
rule:
-w /sbin/modprobe -p x -k modules
persist_file:
/etc/audit/rules.d/50-watch-modprobe.rules

Framework references

STIG

V-270813 / UBTU-24-900730V-260614 / UBTU-22-654060

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch