RHEL-52839

missing KERN_MODULE audit event when loading already loaded module


    • kernel-5.14.0-607.el9
    • Low
    • rhel-kernel-security
    • ssg_core_kernel

      What were you trying to do that didn't work?

      On RHEL-9.4 and older, when a module that is already loaded is loaded again, an audit event is logged when the following rule is used (from /usr/share/audit/sample-rules/43-module-load.rules):

      -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
      

      The event on 9.4 was as follows (example):

      type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod /lib/modules/5.14.0-427.26.1.el9_4.x86_64/kernel/fs/xfs/xfs.ko.xz
      type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
      type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7fba65816010 a1=0x520518 a2=0x564d60e04962 a3=0x5 items=0 ppid=7470 pid=7570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
      

      However, on RHEL-9.5 there is no KERN_MODULE event (only the init_module syscall is audited).

      Please provide the package NVR for which the bug is seen:

      5.14.0-487.el9

      How reproducible:

      100%

      Steps to reproduce

      1. Enable audit rules and reload the daemon.

      # cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d
      # service auditd restart
      

      2. Make sure the xfs module (or any other module) is already loaded and try to load it again (it should fail).

      # insmod /lib/modules/$(uname -r)/kernel/fs/xfs/xfs.ko.xz
      insmod: ERROR: could not insert module /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz: File exists
      

      3. Check whether there is a KERN_MODULE audit event.

      ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
      

      Expected results

      Event audited:

      type=KERN_MODULE msg=audit(...) : name=xfs
      

      Actual results

      # ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
      <no matches>

      Additional information

      Syscall is audited correctly:

      # ausearch -ts recent -i -sv no -k module-load
      ----
      type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz
      type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7f0471016010 a1=0x54b208 a2=0x563db898c962 a3=0x5 items=0 ppid=7738 pid=7826 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
      

      So we are only missing KERN_MODULE for some reason.
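      As an added example (not part of the bug report), the following Python checker correlates `ausearch -i` records by audit serial number and reports module-load syscalls that have no KERN_MODULE record in the same event, which is exactly the gap described above. The sample records are constructed, shortened from the two events quoted in this report; the script name check_kern_module.py is hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in `ausearch -i` format (shortened from the records in the report):
# serial 419 carries a KERN_MODULE record (9.4 behaviour), serial 437 does not (9.5 behaviour).
SAMPLE_LOG = """\
----
type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod /lib/modules/5.14.0-427.26.1.el9_4.x86_64/kernel/fs/xfs/xfs.ko.xz
type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) comm=insmod exe=/usr/bin/kmod key=module-load
----
type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz
type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) comm=insmod exe=/usr/bin/kmod key=module-load
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<stamp>[^)]+)\) : (?P<body>.*)$")
MODULE_SYSCALLS = {"init_module", "finit_module"}


def parse_events(text):
    """Group `ausearch -i` records by audit serial: {serial: [(record_type, fields)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # '----' separators and blank lines
        # The serial is the number after the last colon inside msg=audit(...)
        serial = int(m.group("stamp").rsplit(":", 1)[1])
        # key=value pairs; values containing spaces (proctitle, exit) are only partially kept,
        # which is fine because only the syscall/name fields are inspected below.
        fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
        events[serial].append((m.group("type"), fields))
    return events


def missing_kern_module(events):
    """Serials of init_module/finit_module syscalls that have no KERN_MODULE record."""
    missing = []
    for serial, records in sorted(events.items()):
        has_module_syscall = any(
            t == "SYSCALL" and f.get("syscall") in MODULE_SYSCALLS for t, f in records)
        if has_module_syscall and not any(t == "KERN_MODULE" for t, _ in records):
            missing.append(serial)
    return missing


if __name__ == "__main__":
    # Usage: ausearch -ts recent -i -k module-load | python3 check_kern_module.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for serial in missing_kern_module(parse_events(text)):
        print(f"audit event {serial}: module-load syscall without KERN_MODULE record")
```

Run against the sample, the checker flags serial 437 only; on a live system it can be fed the output of the ausearch command from step 3 to tell an affected kernel from a fixed one.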

              rhn-support-rbriggs Richard Guy Briggs
              omoris Ondrej Moris
              Zhijun Wang Zhijun Wang