Bug
Resolution: Unresolved
rhel-9.5
kernel-5.14.0-607.el9
rhel-kernel-security
ssg_core_kernel
Merge Request passes all submitter checks, Merge Request finished CI testing, Merge Request passed CI testing, Merge Request approved by peer review
What were you trying to do that didn't work?
On RHEL-9.4 and older, when an attempt is made to load a module that is already loaded, an audit event is logged when the following rule is used (from /usr/share/audit/sample-rules/43-module-load.rules):
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
The event on 9.4 was as follows (example):
type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod /lib/modules/5.14.0-427.26.1.el9_4.x86_64/kernel/fs/xfs/xfs.ko.xz
type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7fba65816010 a1=0x520518 a2=0x564d60e04962 a3=0x5 items=0 ppid=7470 pid=7570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
However, on RHEL-9.5 there is no KERN_MODULE event (only the init_module syscall is audited).
Please provide the package NVR for which bug is seen:
5.14.0-487.el9
How reproducible:
100%
Steps to reproduce
1. Enable audit rules and reload the daemon.
# cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d
# service auditd restart
2. Make sure xts (or pick any other) module is loaded already and try to load it again (it should fail).
# insmod /lib/modules/$(uname -r)/kernel/fs/xfs/xfs.ko.xz
insmod: ERROR: could not insert module /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz: File exists
3. Check if there is a KERN_MODULE audit event.
ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
Expected results
Event audited:
type=KERN_MODULE msg=audit(...) : name=xfs
Actual results
# ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
<no matches>
Additional information
Syscall is audited correctly:
# ausearch -ts recent -i -sv no -k module-load
----
type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz
type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7f0471016010 a1=0x54b208 a2=0x563db898c962 a3=0x5 items=0 ppid=7738 pid=7826 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
So we are only missing KERN_MODULE for some reason.
Links to: RHSA-2025:146839 kernel bug fix and enhancement update
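A check that finds module-load syscall events arriving without a KERN_MODULE record, which is the difference between the RHEL-9.4 and RHEL-9.5 output quoted in the report. This is an added example, not part of the original report or of any Red Hat tooling; it assumes interpreted (ausearch -i) output, the sample records are constructed by shortening the ones quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (shortened from the records quoted in the report):
# event 419 carries KERN_MODULE (RHEL-9.4), event 437 does not (RHEL-9.5).
SAMPLE = """\
type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod xfs.ko.xz
type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) comm=insmod key=module-load
type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod xfs.ko.xz
type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) comm=insmod key=module-load
"""

RECORD = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<id>[^)]*)\)\s*: ?(?P<body>.*)$")
# Values stop at whitespace or "(" so "EEXIST(File exists)" is read as "EEXIST".
FIELD = re.compile(r"(\w+)=([^\s(]+)")
MODULE_SYSCALLS = {"init_module", "finit_module"}


def parse_events(text):
    """Group records by audit event id (the 'timestamp:serial' in msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m["id"]].append((m["type"], dict(FIELD.findall(m["body"]))))
    return events


def module_loads_without_kern_module(text, key="module-load"):
    """Return SYSCALL fields of module-load events that have no KERN_MODULE record."""
    missing = []
    for event_id, records in parse_events(text).items():
        types = {rtype for rtype, _ in records}
        for rtype, fields in records:
            if (rtype == "SYSCALL" and fields.get("syscall") in MODULE_SYSCALLS
                    and fields.get("key") == key and "KERN_MODULE" not in types):
                missing.append({"event": event_id, **fields})
    return missing


if __name__ == "__main__":
    for hit in module_loads_without_kern_module(SAMPLE):
        print(f"event {hit['event']}: {hit['syscall']} exit={hit['exit']} "
              f"comm={hit['comm']} has no KERN_MODULE record")
```

Detections that rely on the module name in KERN_MODULE can use such a check to spot hosts where only the SYSCALL record is emitted.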