pcmoore
commented
7 years ago See related issue https://github.com/linux-audit/audit-kernel/issues/7
Closed stevegrubb closed 7 years ago
pcmoore
commented
7 years ago See related issue https://github.com/linux-audit/audit-kernel/issues/7
pcmoore
commented
7 years ago @rgbriggs I'm assigning this to you since you handled issue #7, if you have any objection let me know.
pcmoore
commented
7 years ago We also should remember to update the existing feature page: https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
rgbriggs
commented
7 years ago Here's an augmented test for ghak7 to test the delete case too. https://github.com/linux-audit/audit-testsuite/pull/46
rgbriggs
commented
7 years ago Updated RFE to include this issue.
rgbriggs
commented
7 years ago Patch posted upstream: https://www.redhat.com/archives/linux-audit/2017-March/msg00071.html
pcmoore
commented
7 years ago The patch seems reasonable (it's only one line after all), but some additional information is needed in the commit message (see the on-list discussion).
pcmoore
commented
7 years ago Merged via f68d952c918489ee3f8f1270954fd797bdf5b905.
The DISA STIG calls out for auditing both loading and unload kernel modules:
http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/ssg-rhel7-guide-stig-rhel7-server-upstream.html#xccdf_org.ssgproject.content_group_auditing
We need the module name when delete_module is an auditable event.
Thanks