Audit

On disk configuration

Run the following script to check the on disk rules:
```bash
#!/usr/bin/env bash
{
awk '/^ *-a *always,exit/ \
&&/ -F *arch=b(32|64)/ \
&&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) \
&&/ -S/ \
&&(/init_module/ \
||/finit_module/ \
||/delete_module/ \
||/create_module/ \
||/query_module/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ \
&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \
&&/ -F *auid>=${UID_MIN}/ \
&&/ -F *perm=x/ \
&&/ -F *path=\/usr\/bin\/kmod/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules \
|| printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
```
Verify the output matches:

```bash
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
```
Running configuration

Run the following script to check the loaded rules:

```bash
#!/usr/bin/env bash
{
auditctl -l | awk '/^ *-a *always,exit/ \
&&/ -F *arch=b(32|64)/ \
&&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) \
&&/ -S/ \
&&(/init_module/ \
||/finit_module/ \
||/delete_module/ \
||/create_module/ \
||/query_module/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ \
&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \
&&/ -F *auid>=${UID_MIN}/ \
&&/ -F *perm=x/ \
&&/ -F *path=\/usr\/bin\/kmod/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \
|| printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
```
Verify the output includes:

```bash
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
```
Symlink audit

Run the following script to check that the symlinks kmod accepts do point at it:
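The symlink script itself is not reproduced on this page. The following is an added example, not the page's own script: it takes each front-end name kmod answers to (insmod, rmmod, modprobe, modinfo, depmod, lsmod), follows the link and confirms it lands on the binary the `-F path=/usr/bin/kmod` rule watches. kmod is a single multi-call binary, so a modprobe that is a separate file or a link to some other location would load modules without ever matching that rule. The front-end paths listed (Debian/Ubuntu layout) and the constructed fixture used for the dry run are assumptions.

```sh
#!/bin/sh
# Added example (not the page's own script): confirm that every front-end name
# kmod answers to is a link to the binary the "-F path=/usr/bin/kmod" rule
# watches. A front-end that resolves elsewhere is a module loader the rule
# never sees.

KMOD_BIN=/usr/bin/kmod     # the path used in the audit rule above
# Front-end locations as found on Debian/Ubuntu (assumption; adjust per distro).
KMOD_LINKS="/usr/sbin/insmod /usr/sbin/rmmod /usr/sbin/modprobe /usr/sbin/modinfo /usr/sbin/depmod /usr/sbin/lsmod"

# audit_kmod_symlinks KMOD_PATH LINK...
# Prints one line per front-end. Returns 0 if every present front-end resolves
# to KMOD_PATH (symlink chain or hard link), 1 if any resolves elsewhere,
# 2 if KMOD_PATH itself is missing. Absent or dangling names are reported but
# are not a failure: nothing can load modules through them.
audit_kmod_symlinks() {
    kmod=$1
    shift
    if [ ! -e "$kmod" ]; then
        printf 'ERROR: %s does not exist\n' "$kmod" >&2
        return 2
    fi
    rc=0
    for link in "$@"; do
        if [ ! -e "$link" ]; then
            printf 'MISSING %s\n' "$link"
        elif [ "$link" -ef "$kmod" ]; then     # same inode after following links
            printf 'OK      %s -> %s\n' "$link" "$(readlink -f "$link")"
        else
            printf 'FAIL    %s -> %s (not %s)\n' "$link" "$(readlink -f "$link")" "$kmod"
            rc=1
        fi
    done
    return "$rc"
}

# make_fixture DIR: constructed tree for a dry run (not real system paths):
# two correct symlinks, one hard link, one front-end linked to another binary.
make_fixture() {
    mkdir -p "$1/bin" "$1/sbin"
    printf '#!/bin/sh\n' > "$1/bin/kmod"
    printf '#!/bin/sh\n' > "$1/bin/not-kmod"
    ln -s ../bin/kmod     "$1/sbin/insmod"     # relative symlink
    ln -s "$1/bin/kmod"   "$1/sbin/modprobe"   # absolute symlink
    ln   "$1/bin/kmod"    "$1/sbin/depmod"     # hard link
    ln -s ../bin/not-kmod "$1/sbin/rmmod"      # diverged: escapes the path rule
}

# "--demo" runs against the constructed fixture; no argument audits the live
# system. KMOD_LINKS is intentionally unquoted so it word-splits into paths.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    audit_kmod_symlinks "$d/bin/kmod" "$d/sbin/insmod" "$d/sbin/modprobe" \
        "$d/sbin/depmod" "$d/sbin/rmmod" "$d/sbin/lsmod"
    rm -rf "$d"
elif audit_kmod_symlinks "$KMOD_BIN" $KMOD_LINKS; then
    echo "PASS: every present kmod front-end resolves to $KMOD_BIN"
else
    echo "FAIL: see the lines above; a front-end outside $KMOD_BIN needs its own -F path= rule"
fi
```

In the fixture, rmmod is deliberately linked to a different binary and shows up as FAIL. On a real system a FAIL line means a module-loading tool exists outside the watched path: either repair the link or add a second `-F path=` rule for that file, otherwise the path rule gives a false sense of coverage.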
Remediation

Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, with a .rules extension, containing the rules that monitor kernel module loading, unloading and modification.

Example:

Load audit rules

Merge and load the rules into the active configuration:

Check if a reboot is required.
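The example rules file, the load command and the reboot check are not shown on this page. The following is an added example, not the page's own remediation script, that carries the three steps through: it derives the auid floor from UID_MIN in /etc/login.defs instead of hard-coding 1000, writes the two rules from the audit section, loads them with augenrules and reads the `enabled` field of `auditctl -s`. The file name 50-kernel_modules.rules, the `--apply` switch and the constructed login.defs used in the dry run are assumptions.

```sh
#!/bin/sh
# Added example (not the page's own remediation script): write the two
# kernel_modules rules with UID_MIN read from login.defs, load them with
# augenrules, and report whether the loaded configuration is immutable
# (a reboot is then needed for the new rules to take effect).
# The rules file name is an assumption; any *.rules name in rules.d works.

RULES_FILE=/etc/audit/rules.d/50-kernel_modules.rules

# write_kmod_rules RULES_FILE LOGIN_DEFS
# Overwrites RULES_FILE with the two rules (idempotent on re-runs).
# Returns 1 without writing anything if UID_MIN cannot be read.
write_kmod_rules() {
    uid_min=$(awk '/^[[:space:]]*UID_MIN/ {print $2}' "$2")
    if [ -z "$uid_min" ]; then
        printf "ERROR: UID_MIN not found in %s\n" "$2" >&2
        return 1
    fi
    cat > "$1" <<EOF
## Kernel module loading, unloading and modification (key: kernel_modules)
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${uid_min} -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${uid_min} -F auid!=unset -k kernel_modules
EOF
}

# load_rules: merge /etc/audit/rules.d/*.rules into /etc/audit/audit.rules
# and hand the result to the kernel.
load_rules() {
    augenrules --load
}

# enabled_flag STATUS_TEXT: the "enabled" value from `auditctl -s` output
# (0 off, 1 on, 2 on and locked until reboot).
enabled_flag() {
    printf '%s\n' "$1" | awk '/^enabled/ {print $2}'
}

# reboot_required: true when the running rule set is locked, so the rules
# just loaded will only take effect at the next boot.
reboot_required() {
    [ "$(enabled_flag "$(auditctl -s)")" = 2 ]
}

# Touch the live system only when asked to (needs root and auditd):
#   sh kmod_rules.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_kmod_rules "$RULES_FILE" /etc/login.defs || exit 1
    load_rules
    if reboot_required; then
        echo "Reboot required to load rules"
    fi
fi
```

Reading UID_MIN from login.defs matters because the on-disk check above greps for `auid>=${UID_MIN}`: a file written by hand with a fixed `auid>=1000` fails that check as soon as UID_MIN is raised. The page's expected output covers only `arch=b64`; on a kernel that serves 32-bit compat syscalls, a second copy of the syscall rule with `-F arch=b32` is needed to see 32-bit callers, and the on-disk check already accepts either arch.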