Bug 2209657

Summary: More complete CIS kernel module related remediation
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: VERIFIED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 9.2
CC: ggasparb, jcerny, jjaburek, mhaicman, mlysonek, openscap-maint, vpolasek
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.69-1.el9
Doc Type: No Doc Update
Type: Bug

Description Marko Myllynen 2023-05-24 11:59:08 UTC
Description of problem:
CIS RHEL 9 Benchmark 1.0.0 PDF states that kernel module loading, unloading, and modification should be monitored and lists the following system calls:

init_module, finit_module, delete_module, create_module, query_module

scap-security-guide-0.1.66-1.el9_1 only creates the following:

# grep -ri _module /etc/audit/rules.d/
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S delete_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S delete_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S init_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=modules

It looks like, at least for CIS, oscap should configure additional system calls to be monitored. Thanks.
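
As an added illustration (not part of the bug report or of scap-security-guide), the following script checks an audit rules directory for exactly the gap described above: it parses the `-a always,exit ... -F arch=... -S ...` rule lines, collects which syscalls are covered per ABI, and reports which of the five module-related syscalls listed in the CIS benchmark have no rule. The sample rule lines embedded below are constructed from the `grep` output in this report; the function names and the treatment of rules lacking `-F arch` are assumptions of this example, not behaviour of the shipped remediation.

```python
#!/usr/bin/env python3
"""Report which CIS kernel-module syscalls lack an audit rule per ABI."""
import re
import shlex
import sys
from pathlib import Path

# Syscalls the CIS RHEL 9 Benchmark 1.0.0 asks to be monitored (from the report).
CIS_MODULE_SYSCALLS = ("init_module", "finit_module", "delete_module",
                       "create_module", "query_module")

# Constructed sample: the rules found by the reporter in /etc/audit/rules.d/
# (only init_module and delete_module are covered, for both ABIs).
SAMPLE_RULES = """\
# constructed sample of the shipped modules.rules
-a always,exit -F arch=b32 -S delete_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
"""


def parse_rule(line):
    """Return (arch, set_of_syscalls) for one auditctl-style syscall rule.

    Returns None for blank lines, comments, and rules that either are not
    'always,exit' rules or select no syscalls (e.g. -w file watches).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    action, arch, syscalls = None, None, set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-a" and nxt is not None:
            action = set(nxt.split(","))      # 'always,exit' or 'exit,always'
            i += 2
        elif tok == "-F" and nxt is not None:
            m = re.fullmatch(r"arch=(b32|b64)", nxt)
            if m:
                arch = m.group(1)
            i += 2
        elif tok == "-S" and nxt is not None:
            syscalls.update(nxt.split(","))   # -S allows a comma-separated list
            i += 2
        else:
            i += 1
    if action != {"always", "exit"} or not syscalls:
        return None
    return arch, syscalls


def missing_module_syscalls(rules_text, arches=("b32", "b64")):
    """Map each ABI to the CIS module syscalls that no rule covers."""
    covered = {a: set() for a in arches}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        arch, syscalls = parsed
        # Assumption of this example: a rule without -F arch is credited to
        # every ABI for reporting purposes (auditctl itself applies such a
        # rule to the native ABI only).
        targets = [arch] if arch in covered else list(arches)
        for a in targets:
            covered[a].update(syscalls)
    result = {}
    for a in arches:
        if "all" in covered[a]:              # '-S all' covers every syscall
            result[a] = []
        else:
            result[a] = [s for s in CIS_MODULE_SYSCALLS if s not in covered[a]]
    return result


def check_rules_dir(rules_dir="/etc/audit/rules.d"):
    """Concatenate every *.rules file (as augenrules does) and report gaps."""
    files = sorted(Path(rules_dir).glob("*.rules"))
    text = "\n".join(p.read_text() for p in files)
    return missing_module_syscalls(text)


if __name__ == "__main__":
    # With a directory argument, audit a real rules.d; otherwise use the sample.
    gaps = check_rules_dir(sys.argv[1]) if len(sys.argv) > 1 else missing_module_syscalls(SAMPLE_RULES)
    for abi, missing in gaps.items():
        print(f"{abi}: " + ("ok" if not missing else "missing " + ", ".join(missing)))
```

Run without arguments it reports `finit_module, create_module, query_module` as missing for both `b32` and `b64`, matching the report; run as `./check_modules.py /etc/audit/rules.d` it reads the live rule files instead. The check reads the rule sources rather than `auditctl -l`, so it can be run from a configuration repository or an image build without root.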

Comment 1 Vojtech Polasek 2023-05-25 08:32:14 UTC
Hello Marko,
I have good news for you - this has already been fixed upstream. The main part is here:
https://github.com/ComplianceAsCode/content/pull/10491
So it will be part of one of the future releases.

Comment 2 Marko Myllynen 2023-05-25 08:44:36 UTC
That's good news indeed, thanks for sharing!