35748 Ensure kernel module loading unloading and modification is collected


Paulo Ricardo Bruck

Sep 7, 2025, 9:14:09 AM (2 days ago) Sep 7
to Wazuh | Mailing List
Hi

Ubuntu 24.04 and Wazuh 4.12.0-1

On my dashboard this rule is marked as failed.

my rule:
# cat /etc/audit/rules.d/50-kernel_modules.rules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules

tests:

# grep UID_MIN /etc/login.defs
UID_MIN                  1000

# auditctl -l | grep kernel
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules

Checks (Condition: all)
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1

Hmm, let's take the first one:
c:auditctl -l -> r
-k kernel_modules|-F key=kernel_modules 
-a 
always,exit|exit,always 
-F arch=b64 
-S 
init_module 
finit_module 
delete_module 
create_module 
query_module 
-F auid>=\d+ 
-F auid!=unset|-F auid!=-1

let's take my auditctl -l:
-a   ok
always,exit ok
-F arch=b64 ok
-S ok
create_module, ok
init_module, ok
delete_module, ok
query_module, ok
finit_module ok
-F auid>=1000 , <---- not sure
-F auid!=-1 ok
-F key=kernel_modules ok

Where is it wrong?

Is there another place where I can debug these rules?

Best regards

Bony V John

Sep 8, 2025, 1:58:28 AM (yesterday) Sep 8
to Wazuh | Mailing List

Hi,

I have tested this SCA check in my environment, and this rule failed for me as well. The reason is that SCA validates the file content directly, and in your case the syscall rule is split across two lines in /etc/audit/rules.d/50-kernel_modules.rules. The SCA regex expects all required tokens (including the key) to be on the same line, but your file shows:


-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset
-k kernel_modules       <-- on a new line

Although auditctl -l correctly shows -F key=kernel_modules (meaning the rule is loaded fine), the file-level checks (d:/etc/audit/rules.d -> ...) don’t match because -k isn’t on the same line as the syscall rule. 

To resolve this issue, ensure everything is on a single line. You can replace the content of /etc/audit/rules.d/50-kernel_modules.rules with the following (covers both ABIs and kmod execution). Keep the key name exactly as shown:
 
sudo tee /etc/audit/rules.d/50-kernel_modules.rules >/dev/null <<'EOF'
# Kernel module syscalls (both ABIs)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules

# Executions via kmod wrapper

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules

# (Optional, harmless; some policies also look for these tools)
-w /sbin/insmod   -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod    -p x -k kernel_modules
-w /usr/sbin/insmod   -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod    -p x -k kernel_modules
EOF


Reload the rules:
sudo augenrules --load

Verify they match the SCA regex:
sudo auditctl -l | sed 's/  \+/\ /g' | grep -E 'kernel_modules|init_module|finit_module|delete_module|create_module|query_module|/usr/bin/kmod'

Then restart the Wazuh agent to re-run the SCA scan:
systemctl restart wazuh-agent

After some time, check your Wazuh Configuration Assessment dashboard for the SCA status.

After applying the above, the SCA check passed successfully in my tests. I’ve attached a screenshot of my validation for reference.

For more details, you can also refer to the Wazuh SCA documentation.

Paulo Ricardo Bruck

Sep 8, 2025, 10:11:21 AM (yesterday) Sep 8
to Bony V John, Wazuh | Mailing List
Hi Bony

Thanks for the reply.

But, unfortunately, Gmail cut the line showing the rule.

See below: the line is not separate:
# auditctl -l
...

-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules

# cat /etc/audit/rules.d/50-kernel_modules.rules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules

You can check the images attached...

I also followed your advice, but it is still marked as failed..

root@pauloric:/etc/audit/rules.d# cat /etc/audit/rules.d/50-kernel_modules.rules
# Kernel module syscalls (both ABIs)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules

# Executions via kmod wrapper
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules

# (Optional, harmless; some policies also look for these tools)
-w /sbin/insmod   -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod    -p x -k kernel_modules
-w /usr/sbin/insmod   -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod    -p x -k kernel_modules
root@pauloric:/etc/audit/rules.d# augenrules --load
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# augenrules --check
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# auditctl -l
....

-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -F arch=b32 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
......
root@pauloric:/etc/audit/rules.d# systemctl restart wazuh-agent.service 
I have also attached the 50-kernel_modules.rules file...

Best regards



--
Paulo Ricardo Bruck 
011 98140-9184 (WhatsApp/vivo)

Paulo Ricardo Bruck

12:22 AM (13 hours ago) 12:22 AM
to Wazuh | Mailing List
Hmm, I think I discovered some errors...

In almost all of the audit Remediation rules I see:
Example: # printf " -a

There is a space between " and -a. After removing this space from all rules, almost all of them now pass....

Thanks in advance
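The same-line matching Bony describes in his first reply, and the leading-space finding just above, as an added example that is not from the thread or from Wazuh: a small Python emulation of how an SCA `c:` check is evaluated, using Python's `re` as a stand-in for Wazuh's own regex engine (an assumption; the two engines differ in details, but the `^` anchor and the all-tokens-on-one-line rule behave the same). The sample lines are constructed from the rules quoted in this thread.

```python
import re

# Constructed input: the first "c:auditctl -l" check from the SCA policy quoted in the thread.
CHECK = ("c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && "
         "r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && "
         "r:finit_module && r:delete_module && r:create_module && r:query_module && "
         "r:-F auid>=\\d+ && r:-F auid!=unset|-F auid!=-1")

# Constructed samples: the rule as auditctl -l prints it, the same rule with the leading
# space left behind by a remediation printf " -a ...", and the rule wrapped so the key
# lands on its own line (what the SCA file check saw in the quoted reply).
LOADED_OK = ("-a always,exit -F arch=b64 -S create_module,init_module,delete_module,"
             "query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules")
LEADING_SPACE = " " + LOADED_OK
WRAPPED = ("-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,"
           "create_module,query_module -F auid>=1000 -F auid!=unset\n-k kernel_modules")


def parse_check(check):
    """Split 'c:<cmd> -> r:tok && r:tok ...' into its list of regex tokens."""
    _, _, conditions = check.partition(" -> ")
    return [c[2:] for c in conditions.split(" && ") if c.startswith("r:")]


def failing_tokens(line, tokens):
    """Tokens that do not match this one line; SCA requires all of them on the same line."""
    return [t for t in tokens if not re.search(t, line)]


def first_passing_line(output, tokens):
    """First output line satisfying every token, or None (the check would be marked failed)."""
    for line in output.splitlines():
        if not failing_tokens(line, tokens):
            return line
    return None


def explain(output, tokens):
    """Per-line list of missing tokens: the view you want when a check is reported as failed."""
    return {line: failing_tokens(line, tokens) for line in output.splitlines()}


if __name__ == "__main__":
    tokens = parse_check(CHECK)
    for label, sample in (("loaded", LOADED_OK), ("leading space", LEADING_SPACE),
                          ("wrapped", WRAPPED)):
        verdict = "PASS" if first_passing_line(sample, tokens) else "FAIL"
        print(f"{label}: {verdict}")
        for line, missing in explain(sample, tokens).items():
            if missing:
                print(f"  {line[:40]!r}... missing: {missing}")
```

Paste the `auditctl -l` output or the rules file contents in place of the constructed samples to see exactly which token of a failing check is absent from every line.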

Bony V John

12:22 AM (13 hours ago) 12:22 AM
to Wazuh | Mailing List
Hi,

The issue you are facing may be due to the new audit rules not being loaded properly, causing the system to still use the old rules. To resolve this, please follow the steps below for a clean rules reload:

On your Linux, run the below command and confirm it is set to no immutable lock:
auditctl -s | grep -E 'enabled|locked'

It should show enabled = 1.
If you see locked = 1 (immutable), find and comment out "-e 2", then reboot:  
sudo grep -Rni --color=always '^-e[[:space:]]*2' /etc/audit/audit.rules /etc/audit/rules.d || true

Edit the file that contains -e 2 -> comment it, then:
sudo reboot

After that search for any conflicting old kmod rules:
sudo grep -Rni --color=always -E 'kmod|-S all .*path=' /etc/audit/rules.d /etc/audit/audit.rules || true

If found, edit any hits and DELETE lines like:
 -a always,exit -S all -F path=/usr/bin/kmod

This is your old rule which was not matching with the SCA rules.

Then force write a clean rules file:

sudo tee /etc/audit/rules.d/50-kernel_modules.rules >/dev/null <<'EOF'
# Kernel module syscalls (x86_64 ABI)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=-1 -k kernel_modules

# 32-bit ABI (optional)
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=-1 -k kernel_modules

# Executions via kmod wrapper (REQUIRED by SCA)
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
EOF


Then ensure augenrules is actually used:
grep -E '^\s*USE_AUGENRULES' /etc/default/auditd || true

If it is not USE_AUGENRULES="yes", set it to yes and restart auditd:
sudo systemctl restart auditd

Now clear live rules and rebuild /etc/audit/audit.rules from rules.d:  
sudo auditctl -D
sudo augenrules --load

Verify it compiled correctly:
sed -n '1,200p' /etc/audit/audit.rules

Then restart the Wazuh agent to re-run the SCA scan, and wait for some time for it to update on the Wazuh dashboard:
systemctl restart wazuh-agent

If the issue persists, please share the full output of the below commands with us:
COLUMNS=1000 auditctl -l
sed -n '1,200p' /etc/audit/audit.rules
sudo grep -Rni --color=always 'kmod' /etc/audit/rules.d /etc/audit/audit.rules

I have verified these steps again on my end and it is working fine as before.