SV-221823r603260_rule
V-221823
SRG-OS-000471-GPOS-00216
OL07-00-030830
CAT II
10
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur.
Add or update the following rules in "/etc/audit/rules.d/audit.rules":
Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.
-a always,exit -F arch=b32 -S delete_module -k module-change
-a always,exit -F arch=b64 -S delete_module -k module-change
The audit daemon must be restarted for the changes to take effect.
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur.
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.
# grep -iw delete_module /etc/audit/audit.rules
-a always,exit -F arch=b32 -S delete_module -k module-change
-a always,exit -F arch=b64 -S delete_module -k module-change
If there are no audit rules defined for "delete_module", this is a finding.
V-221823
False
OL07-00-030830
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur.
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
Note: The output lines of the command are duplicated to cover both 32-bit and 64-bit architectures. Only the line appropriate for the system architecture must be present.
# grep -iw delete_module /etc/audit/audit.rules
-a always,exit -F arch=b32 -S delete_module -k module-change
-a always,exit -F arch=b64 -S delete_module -k module-change
If there are no audit rules defined for "delete_module", this is a finding.
M
4089