Bug
Resolution: Unresolved
Normal
rhel-9.5
rhel-sst-kernel-ft
ssg_core_kernel
What were you trying to do that didn't work?
On RHEL-9.4 and older, when an attempt is made to load a module that is already loaded, an audit event is logged when the following rule is in use (from /usr/share/audit/sample-rules/43-module-load.rules):
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
The event on 9.4 was as follows (example):
type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod /lib/modules/5.14.0-427.26.1.el9_4.x86_64/kernel/fs/xfs/xfs.ko.xz
type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7fba65816010 a1=0x520518 a2=0x564d60e04962 a3=0x5 items=0 ppid=7470 pid=7570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
However, on RHEL-9.5 there is no KERN_MODULE event (only the init_module syscall is audited).
Please provide the package NVR for which the bug is seen:
5.14.0-487.el9
How reproducible:
100%
Steps to reproduce
1. Enable audit rules and reload the daemon.
# cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d
# service auditd restart
2. Make sure the xfs module (or pick any other) is already loaded and try to load it again (it should fail).
# insmod /lib/modules/$(uname -r)/kernel/fs/xfs/xfs.ko.xz
insmod: ERROR: could not insert module /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz: File exists
3. Check whether there is a KERN_MODULE audit event.
ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
Expected results
Event audited:
type=KERN_MODULE msg=audit(...) : name=xfs
Actual results
# ausearch -ts recent -i -sv no -k module-load -m KERN_MODULE
<no matches>
Additional information
The syscall is audited correctly:
# ausearch -ts recent -i -sv no -k module-load
----
type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz
type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) a0=0x7f0471016010 a1=0x54b208 a2=0x563db898c962 a3=0x5 items=0 ppid=7738 pid=7826 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=insmod exe=/usr/bin/kmod subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=module-load
So we are only missing KERN_MODULE for some reason.
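As an added check (not part of the report), the following script groups `ausearch -i` records by audit event serial and flags module-load syscall events that have no accompanying KERN_MODULE record, which is exactly the regression described above. The sample input is constructed from the two events quoted in the report; the function and regex names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the RHEL 9.4 event (serial 419, has KERN_MODULE) and
# the RHEL 9.5 event (serial 437, KERN_MODULE missing), as printed by ausearch -i.
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(08/05/2024 06:39:27.455:419) : proctitle=insmod /lib/modules/5.14.0-427.26.1.el9_4.x86_64/kernel/fs/xfs/xfs.ko.xz
type=KERN_MODULE msg=audit(08/05/2024 06:39:27.455:419) : name=xfs
type=SYSCALL msg=audit(08/05/2024 06:39:27.455:419) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) items=0 comm=insmod exe=/usr/bin/kmod key=module-load
type=PROCTITLE msg=audit(08/05/2024 07:23:51.219:437) : proctitle=insmod /lib/modules/5.14.0-487.el9.x86_64/kernel/fs/xfs/xfs.ko.xz
type=SYSCALL msg=audit(08/05/2024 07:23:51.219:437) : arch=x86_64 syscall=init_module success=no exit=EEXIST(File exists) items=0 comm=insmod exe=/usr/bin/kmod key=module-load
"""

# One interpreted audit record per line: type, timestamp, event serial, then the body.
RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\) : (?P<body>.*)$")
# key=value pairs inside the body (values containing spaces are truncated; not needed here).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group records by event serial: serial -> {record type -> {field -> value}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # separators such as "----" or unrelated output
        events[m.group("serial")][m.group("type")] = dict(FIELD_RE.findall(m.group("body")))
    return events


def find_missing_kern_module(events, key="module-load"):
    """Serials of init_module/finit_module events tagged with `key` but lacking KERN_MODULE."""
    missing = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != key:
            continue
        if sc.get("syscall") not in ("init_module", "finit_module"):
            continue
        if "KERN_MODULE" not in recs:
            missing.append(serial)
    return missing


if __name__ == "__main__":
    evs = parse_records(SAMPLE_RECORDS)
    for serial in find_missing_kern_module(evs):
        print(f"event {serial}: {evs[serial]['SYSCALL']['syscall']} without KERN_MODULE record")
```

Run it against real output with `ausearch -ts recent -i -k module-load` piped to stdin to spot the same gap on a live system.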