CCE-96059-1Platform: cpe:/o:suse:suse_linux_enterprise_server:15 | Date: (C)2022-09-27 (M)2023-07-04 |
If the 'auditd' daemon is configured to use the 'augenrules' program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix '.rules' in the directory '/etc/audit/rules.d' to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
If the 'auditd' daemon is configured to use the 'auditctl' utility to read audit
rules during daemon startup, add the following lines to '/etc/audit/audit.rules' file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
Parameter:
[yes/no]
Technical Mechanism:
The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.3 | Attack Vector: NETWORK |
Exploit Score: 3.9 | Attack Complexity: LOW |
Impact Score: 3.4 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: LOW |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84481 |