MEDIUM M5: Audit Rules - Kernel Modules P3

🟡 Pending 📦 Compare Branch

Overview

This remediation configures audit rules to monitor kernel module loading and unloading operations, which are critical for detecting rootkit installation attempts.

Settings

Rule	Description
`delete_module`	Audit kernel module unloading (rmmod)
`finit_module`	Audit kernel module loading (finit)
`init_module`	Audit kernel module loading (init)

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-audit-modules-medium
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/audit/rules.d/75-kernel-modules.rules
          mode: 0644
          overwrite: true
          contents:
            inline: |
              ## Kernel module monitoring
              -a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b32 -S init_module -S finit_module -k module_load
              -a always,exit -F arch=b64 -S delete_module -k module_unload
              -a always,exit -F arch=b32 -S delete_module -k module_unload

Compliance Checks Remediated

Check	Profile	Docs
`rhcos4-e8-worker-audit-rules-kernel-module-loading-delete`	E8	📖
`rhcos4-e8-worker-audit-rules-kernel-module-loading-finit`	E8	📖
`rhcos4-e8-worker-audit-rules-kernel-module-loading-init`	E8	📖

Source Remediation Files

medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-delete.yaml
medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-finit.yaml
medium/rhcos4-e8-worker-audit-rules-kernel-module-loading-init.yaml

Security Impact

Kernel module auditing is essential because:

Rootkits often install via kernel modules
Unauthorized modules can bypass security controls
Module loading should be rare on production systems

← M4 All Groups M6 →