The audit system must be configured to audit the loading and unloading of dynamic kernel modules.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22383	GEN002825	SV-38858r1_rule	ECAR-1	Medium

Description
Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used to substantially alter the functioning of a system, often with the purpose of hiding a compromise from the SA.

STIG	Date
Draft AIX Security Technical Implementation Guide	2011-08-17

Details

Check Text ( C-37850r1_chk )
Determine if the system is configured to audit the loading and unloading of dynamic kernel modules. Check the system's audit configuration. # more /etc/security/audit/events Confirm the following events are configured: DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove. If any of these events are not configured, this is a finding. Check the File DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove. Audit events are defined in the audit classes stanza classes: of the /etc/security/audit/config file. #more /etc/security/audit/config Make note of the audit class(es) the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are associated with. If the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with any audit classes in the classes: stanza this is a finding. Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file. #more /etc/security/audit/config If the class(es) that the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with the default user and all the system users in the users: stanza, this is a finding.

Check Text ( C-37850r1_chk )

Determine if the system is configured to audit the loading and unloading of dynamic kernel modules.

Check the system's audit configuration.
# more /etc/security/audit/events
Confirm the following events are configured:
DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove.
If any of these events are not configured, this is a finding.

Check the File DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove. Audit events are defined in the audit classes stanza classes: of the /etc/security/audit/config file.
#more /etc/security/audit/config
Make note of the audit class(es) the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are associated with.

If the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with any audit classes in the classes: stanza this is a finding.

Verify the audit class is associated with the default user and all other user ids listed in the users: stanza of the /etc/security/audit/config file.

#more /etc/security/audit/config
If the class(es) that the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events are not associated with the default user and all the system users in the users: stanza, this is a finding.

Fix Text (F-33113r1_fix)
Configure the system to audit the loading and unloading of dynamic kernel modules. Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events. Edit /etc/security/audit/config and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove audit events to an audit class in the classes: stanza. Edit the /etc/security/audit/config and assign the audit classes that has the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure and DEV_Remove events to the all users listed in the ‘users:’ stanza.

Fix Text (F-33113r1_fix)

Configure the system to audit the loading and unloading of dynamic kernel modules.

Edit /etc/security/audit/events and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove events to the list of audited events.

Edit /etc/security/audit/config and add the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure, and DEV_Remove audit events to an audit class in the classes: stanza.

Edit the /etc/security/audit/config and assign the audit classes that has the DEV_Create, FILE_Mknod, DEV_Configure, DEV_Stop, DEV_Unconfigure and DEV_Remove events to the all users listed in the ‘users:’ stanza.