Description of problem:

CIS RHEL 9 Benchmark 1.0.0 PDF states that kernel module loading, unloading, and modification should be monitored and lists the following system calls:

init_module, finit_module, delete_module, create_module, query_module

scap-security-guide-0.1.66-1.el9_1 only creates the following:

# grep -ri _module /etc/audit/rules.d/
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S delete_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S delete_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S init_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=modules
/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=modules

It looks like, at least for CIS, oscap should configure additional system calls to be monitored.

Thanks.

Hello Marko,

I have good news for you - this has already been fixed upstream. The main part is here: https://github.com/ComplianceAsCode/content/pull/10491

So it will be part of one of the future releases.

That's good news indeed, thanks for sharing!
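
The gap described in the first comment can be checked mechanically. The script below is an added example, not part of the original report or of scap-security-guide: it parses audit rule lines and reports, per architecture, which of the five system calls listed in the report have no rule. The function name `missing_syscalls` and the sample text (the rule lines from the grep output above, with the file-name prefix removed) are constructed for illustration.

```python
import shlex

# System calls the report lists from the CIS RHEL 9 Benchmark 1.0.0.
REQUIRED = {"init_module", "finit_module", "delete_module",
            "create_module", "query_module"}
ARCHES = ("b32", "b64")

# Constructed sample: rule lines taken from the grep output in the report.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S delete_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=modules
"""


def missing_syscalls(rules_text):
    """Return {arch: sorted list of REQUIRED syscalls with no audit rule}."""
    covered = {arch: set() for arch in ARCHES}
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)  # skips blank and '#' lines
        arches, syscalls = set(), set()
        # Walk adjacent (flag, value) pairs; only -S and -F arch= matter here.
        for flag, value in zip(tokens, tokens[1:]):
            if flag == "-S":
                syscalls.update(value.split(","))  # -S accepts a comma list
            elif flag == "-F" and value.startswith("arch="):
                arches.add(value.split("=", 1)[1])
        # Assumption: rules without an arch= filter are not counted.
        for arch in arches:
            if arch in covered:
                covered[arch] |= syscalls
    return {arch: sorted(REQUIRED - covered[arch]) for arch in ARCHES}


if __name__ == "__main__":
    for arch, missing in missing_syscalls(SAMPLE_RULES).items():
        print(arch, "missing:", ", ".join(missing) or "none")
```

To check a live system, pass the concatenated contents of the files under /etc/audit/rules.d/ to `missing_syscalls` instead of the sample.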