Ensure auditd Collects Information on Kernel Module Loading and Unloading






To capture kernel module loading and unloading events, use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:

-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=*ARCH* -S init_module,delete_module -F key=modules

The place to add the lines depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d.

If the auditd daemon is configured to use the auditctl utility, add the lines to file /etc/audit/audit.rules.


The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.


Shell script

The following script can be run on the host to remediate the issue.

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
# it's required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details )
[ "$(getconf LONG\_BIT)" = "32" ] && RULE\_ARCHS=("b32") || RULE\_ARCHS=("b32" "b64")

for ARCH in "${RULE\_ARCHS[@]}"
 PATTERN="-a always,exit -F arch=$ARCH -S init\_module -S delete\_module \(-F key=\|-k \).\*"
 FULL\_RULE="-a always,exit -F arch=$ARCH -S init\_module -S delete\_module -k modules"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

 fix\_audit\_syscall\_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL\_RULE"
 fix\_audit\_syscall\_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL\_RULE"

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

fix\_audit\_watch\_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix\_audit\_watch\_rule "augenrules" "/usr/sbin/insmod" "x" "modules"

fix\_audit\_watch\_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix\_audit\_watch\_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"

fix\_audit\_watch\_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix\_audit\_watch\_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"


This rule checks for multiple syscalls related to kernel module loading and unloading; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:

  • audit_rules_kernel_module_loading_insmod
  • audit_rules_kernel_module_loading_rmmod
  • audit_rules_kernel_module_loading_modprobe