Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22383 | GEN002825 | SV-38858r1_rule | ECAR-1 | Medium |
Description |
---|
Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA. |
STIG | Date |
---|---|
AIX 5.3 SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2014-10-03 |
Check Text ( C-37850r1_chk ) |
---|
Determine if the system is configured to audit the loading and unloading of dynamic kernel modules. Check the system's audit configuration. # more /etc/security/audit/events Confirm the following events are configured: DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove. If any of these events are not configured, this is a finding. Check the File DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove. Audit events are defined in the audit classes stanza classes: of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are associated with. If the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. #more /etc/security/audit/config If the class(es) that the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with the default user and all the system users in the users: stanza, this is a finding. |
Fix Text (F-33113r1_fix) |
---|
Configure the system to audit the loading and unloading of dynamic kernel modules. Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events. Edit /etc/security/audit/config and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes that has the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure and DEV_Remove events to the all users listed in the 'users:' stanza. |