-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
rhel-9.6
-
None
-
No
-
Low
-
rhel-security-compliance
-
1
-
False
-
False
-
-
No
-
Red Hat Enterprise Linux
-
None
-
None
-
None
-
Unspecified Release Note Type - Unknown
-
Unspecified
-
Unspecified
-
Unspecified
-
None
As per CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v2.0.0 specification, "Ensure kernel module loading unloading and modification is collected" doesn't make a distinction between create_module, delete_module, etc.
The script on page 886 doesn't make a difference between those and checks that -F auid!=unset or -F auid!=-1, etc is found.
But for some reason our implementation for create_module only is not checking these options.
See below a partial diff of the implementation:
$ diff -u ./linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/oval/shared.xml ./linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml [...] - <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern> + {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}} + <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern> + {{% else %}} + <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern> [...]
Here above delete_module has pattern matching for -F auid!=unset for example, but not create_module.
