# MEDIUM M5: Audit Rules - Kernel Modules P3

## Overview
This remediation configures audit rules to monitor kernel module loading and unloading operations, which are critical for detecting rootkit installation attempts.
## Settings

| Rule | Description |
|---|---|
| delete_module | Audit kernel module unloading (rmmod) |
| finit_module | Audit kernel module loading (finit) |
| init_module | Audit kernel module loading (init) |
## Implementation

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-modules-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-kernel-modules.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Kernel module monitoring
              -a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b32 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b64 -S delete_module -k module_unload
              -a always,exit -F arch=b32 -S delete_module -k module_unload
```
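An added verification script, not part of this remediation and not the Compliance Operator's own check logic: it parses an audit rules file and confirms that each of the three module syscalls is covered by an `-a always,exit` rule on both the b32 and b64 ABIs, reporting any pair that is missing. The two sample rule files are constructed inline; `has_rule` and `check_module_rules` are names chosen here.

```sh
# Added example: check that an audit rules file carries an "-a always,exit"
# rule for every kernel-module syscall on both ABIs, which is the condition
# the rhcos4-e8-worker-audit-rules-kernel-module-loading-* checks look for.

# has_rule FILE ARCH SYSCALL: exit 0 if FILE has a matching always,exit rule.
# Accepts both "-S a -S b" and "-S a,b" forms, and "exit,always" ordering.
has_rule() {
    awk -v arch="$2" -v sc="$3" '
        $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") {
            okarch = 0; oksc = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-F" && $(i+1) == ("arch=" arch)) okarch = 1
                if ($i == "-S") { n = split($(i+1), s, ","); for (j = 1; j <= n; j++) if (s[j] == sc) oksc = 1 }
            }
            if (okarch && oksc) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_module_rules FILE: report each missing arch/syscall pair on stderr and
# return the number of missing pairs (0 means the file is compliant).
check_module_rules() {
    missing=0
    for arch in b32 b64; do
        for sc in init_module finit_module delete_module; do
            if ! has_rule "$1" "$arch" "$sc"; then
                echo "MISSING: -F arch=$arch -S $sc" >&2
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# Constructed samples: the rules from the MachineConfig above (one line written
# in the comma form), and a file that forgot the 32-bit ABI entirely.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
## Kernel module monitoring
-a always,exit -F arch=b64 -S init_module,finit_module -k module_load
-a always,exit -F arch=b32 -S init_module -S finit_module -k module_load
-a always,exit -F arch=b64 -S delete_module -k module_unload
-a always,exit -F arch=b32 -S delete_module -k module_unload
EOF
cat > "$bad" <<'EOF'
-a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
-a always,exit -F arch=b64 -S delete_module -k module_unload
EOF
check_module_rules "$good" && echo "good file: all kernel-module audit rules present"
check_module_rules "$bad" || echo "bad file: $? rule(s) missing"
```

On a live node the same check can be pointed at `/etc/audit/rules.d/75-kernel-modules.rules`, or at the output of `auditctl -l` saved to a file, to confirm the rules actually loaded.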
## Compliance Checks Remediated

| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-audit-rules-kernel-module-loading-delete | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-kernel-module-loading-finit | E8 | 📖 |
| rhcos4-e8-worker-audit-rules-kernel-module-loading-init | E8 | 📖 |
## Source Remediation Files
- medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-delete.yaml
- medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-finit.yaml
- medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-init.yaml
## Security Impact

Kernel module auditing is essential because:
- Rootkits often install via kernel modules
- Unauthorized modules can bypass security controls
- Module loading should be rare on production systems