tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The definition of the baseline should be done in Hiera. The purpose of the module is to give the ability to set up a complete security baseline which does not necessarily have to stick to industry security guides like the CIS benchmarks.
Apache License 2.0

auditd - Collects Information on the Use of Privileged Commands - kmod #66

Closed warrenbel closed 8 months ago

warrenbel commented 10 months ago

I am getting a fail on this rule:

```
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=kernel_modules
```

CIS RHEL8 Benchmark v2.0.0 page 436:

```
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
```

warrenbel commented 10 months ago

OpenSCAP Evaluation Report: it appears the "-S all" is causing the fail

tom-krieger commented 8 months ago

Will be fixed in upcoming release.
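
An added example, not part of the issue thread or the module's code: a small Python comparison of the two rules quoted above. It canonicalizes the spellings auditctl treats as the same (`-k NAME` and `-F key=NAME`; `unset`, `-1` and `4294967295` for `auid`) and reports what still differs. The function names are hypothetical and the two rule strings are copied from the issue.

```python
import re
import shlex

# Spellings auditctl accepts for an unset login UID (-1 as unsigned 32-bit).
UNSET_AUID = {"unset", "-1", "4294967295"}

# Constructed inputs: the two rules quoted in the issue above.
DEPLOYED = ("-a always,exit -S all -F path=/usr/bin/kmod -F perm=x "
            "-F auid>=1000 -F auid!=4294967295 -F key=kernel_modules")
EXPECTED = ("-a always,exit -F path=/usr/bin/kmod -F perm=x "
            "-F auid>=1000 -F auid!=unset -k kernel_modules")


def canon_field(field):
    """Rewrite any 'unset' auid spelling to one canonical form."""
    m = re.fullmatch(r"(auid)(!=|>=|<=|=|>|<)(.+)", field)
    if m and m.group(3) in UNSET_AUID:
        return m.group(1) + m.group(2) + "unset"
    return field


def normalize(rule):
    """Return the rule as a set of canonical '<option> <argument>' strings."""
    tokens = shlex.split(rule)
    if len(tokens) % 2:
        raise ValueError("option without an argument in: %r" % rule)
    canon = set()
    for opt, arg in zip(tokens[::2], tokens[1::2]):
        if opt == "-k":                       # -k NAME is shorthand for -F key=NAME
            canon.add("-F key=" + arg)
        elif opt == "-F":
            canon.add("-F " + canon_field(arg))
        elif opt == "-S":                     # one entry per listed syscall
            canon.update("-S " + s for s in arg.split(","))
        elif opt == "-a":                     # list,action order is interchangeable
            canon.add("-a " + ",".join(sorted(arg.split(","))))
        else:
            raise ValueError("unhandled option %r" % opt)
    return canon


def diff_rules(deployed, expected):
    """Return (only_in_deployed, only_in_expected) after normalization."""
    d, e = normalize(deployed), normalize(expected)
    return sorted(d - e), sorted(e - d)


if __name__ == "__main__":
    print(diff_rules(DEPLOYED, EXPECTED))
```

After normalization the only remaining difference between the two rules is the `-S all` token on the deployed side; the key and `auid` spellings compare equal.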