
## Audit

### On disk configuration

Run the following script to check the on-disk rules:

```bash
#!/usr/bin/env bash
{
awk '/^ *-a *always,exit/ \
&&/ -F *arch=b(32|64)/ \
&&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) \
&&/ -S/ \
&&(/init_module/ \
||/finit_module/ \
||/delete_module/ \
||/create_module/ \
||/query_module/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules

UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ \
&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \
&&/ -F *auid>=${UID_MIN}/ \
&&/ -F *perm=x/ \
&&/ -F *path=\/usr\/bin\/kmod/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules \
|| printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
```

Verify the output matches:

```
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
```

### Running configuration

Run the following script to check the loaded rules:

```bash
#!/usr/bin/env bash
{
auditctl -l | awk '/^ *-a *always,exit/ \
&&/ -F *arch=b(32|64)/ \
&&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) \
&&/ -S/ \
&&(/init_module/ \
||/finit_module/ \
||/delete_module/ \
||/create_module/ \
||/query_module/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'

UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ \
&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \
&&/ -F *auid>=${UID_MIN}/ \
&&/ -F *perm=x/ \
&&/ -F *path=\/usr\/bin\/kmod/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \
|| printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
```

Verify the output includes:

```
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
```
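The loaded rules above are spelled differently from the on-disk ones (syscall order, `auid!=-1` for `auid!=unset`, `-F key=` for `-k`, and an extra `-S all` on the path watch), so a plain diff between rules.d and `auditctl -l` output fails. The following helper is an added example, not part of the benchmark: it canonicalises both spellings and reports on-disk rules that have no loaded equivalent. The sample rule files in `demo` are constructed from the two rules on this page.

```shell
# Canonicalise one audit rule so the rules.d spelling and the auditctl -l
# spelling compare equal: "-k NAME" -> "-F key=NAME"; auid!=unset and
# auid!=4294967295 -> auid!=-1; "-S" lists sorted; "-S all" dropped (auditctl adds it).
normalize_rule() {
  printf '%s\n' "$1" \
  | sed -E -e 's/[[:space:]]+/ /g; s/^ //; s/ $//' \
           -e 's/ -k ([^ ]+)/ -F key=\1/; s/auid!=(unset|4294967295)/auid!=-1/g' \
           -e 's/ -S all( |$)/\1/' \
  | awk '{
      out = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-S") {                       # sort the comma-separated syscall names
          n = split($(i + 1), s, ",")
          for (a = 2; a <= n; a++) {
            v = s[a]; for (b = a - 1; b >= 1 && s[b] > v; b--) s[b + 1] = s[b]
            s[b + 1] = v
          }
          list = s[1]; for (a = 2; a <= n; a++) list = list "," s[a]
          out = out " -S " list; i++
        } else out = out " " $i
      }
      sub(/^ /, "", out); print out
    }'
}

# Print every rule in on-disk file $1 that has no equivalent in the auditctl -l
# capture $2; returns 1 if any rule is missing, 0 otherwise.
missing_rules() {
  rc=0
  while IFS= read -r rule; do
    case "$rule" in ''|'#'*|-D*|-b*|-f*|-e*) continue ;; esac   # comments, control options
    if ! while IFS= read -r l; do normalize_rule "$l"; done < "$2" \
         | grep -qxF -- "$(normalize_rule "$rule")"; then
      printf 'MISSING: %s\n' "$rule"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# Constructed sample: this page's two rules in their on-disk and loaded spellings.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules' \
    '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules' > "$d/on_disk"
  printf '%s\n' '-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules' \
    '-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules' > "$d/loaded"
  missing_rules "$d/on_disk" "$d/loaded" && echo "all on-disk rules are loaded"
  rc=$?; rm -rf "$d"; return "$rc"
}
```

On a live host, replace the constructed files with `cat /etc/audit/rules.d/*.rules` and `auditctl -l` captures.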

### Symlink audit

Run the following script to audit whether the symlinks kmod accepts are indeed pointing at it:

```bash
#!/usr/bin/env bash
{
# The module tools are normally symlinks to the single kmod binary; a link
# that resolves elsewhere means something other than kmod handles module loading.
a_files=("/usr/sbin/lsmod" "/usr/sbin/rmmod" "/usr/sbin/insmod" "/usr/sbin/modinfo" "/usr/sbin/modprobe" "/usr/sbin/depmod")
for l_file in "${a_files[@]}"; do
# /bin/kmod resolves to /usr/bin/kmod on systems with a merged /usr
if [ "$(readlink -f "$l_file")" = "$(readlink -f /bin/kmod)" ]; then
printf 'OK: "%s"\n' "$l_file"
else
printf 'Issue with symlink for file: "%s"\n' "$l_file"
fi
done
}
```

Verify the output states OK for every file. If a symlink points to a different location, it should be investigated.

## Remediation

### Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, with a .rules extension, containing the relevant rules to monitor kernel module modification.

Example:

```bash
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && printf "
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules
" >> /etc/audit/rules.d/50-kernel_modules.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
```

### Load audit rules

Merge and load the rules into the active configuration:

```bash
# augenrules --load
```

Check if a reboot is required (an enabled value of 2 means the configuration is immutable until reboot):

```bash
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
```