35748 Ensure kernel module loading unloading and modification is collected
24 views
Skip to first unread message
Paulo Ricardo Bruck
Sep 7, 2025, 9:14:09 AM (yesterday) Sep 7
to Wazuh | Mailing List
Hi
Ubuntu 24.04 ands wazuh 4.12.0-1
At my dashboard this rule is marked as failed.
my rule:
# cat /etc/audit/rules.d/50-kernel_modules.rules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset
-k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset
-k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
tests:
# grep UID_MIN /etc/login.defs
UID_MIN 1000
UID_MIN 1000
# auditctl -l | grep kernel
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F
key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F
key=kernel_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
Checks (Condition: all)
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
c:auditctl -l -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
d:/etc/audit/rules.d -> r:\.+.rules$ -> r:-k kernel_modules|-F key=kernel_modules && r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=unset|-F auid!=-1
Humm lets take first one:
c:auditctl -l -> r
-k kernel_modules|-F key=kernel_modules
-a
always,exit|exit,always
-F arch=b64
-S
init_module
finit_module
delete_module
create_module
query_module
-F auid>=\d+
-F auid!=unset|-F auid!=-1
lets take my auditctl -l :
-a ok
always,exit ok
-F arch=b64 ok
-S ok
create_module, ok
init_module, ok
delete_module, ok
query_module, ok
finit_module ok
-F auid>=1000 , <---- not sure
-F auid!=-1 ok
-F key=kernel_modules ok
Where is wrong?
Is there another local where I can debug this rules?
best regards
Bony V John
1:58 AM (10 hours ago) 1:58 AM
to Wazuh | Mailing List
Hi,
I have tested this SCA check in my environment, and this rule failed for me as well. The reason is that SCA validates the file content directly, and in your case the syscall rule is split across two lines in /etc/audit/rules.d/50-kernel_modules.rules. The SCA regex expects all required tokens (including the key) to be on the same line, but your file shows:
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset
-k kernel_modules <-- on a new line
Although auditctl -l correctly shows -F key=kernel_modules (meaning the rule is loaded fine), the file-level checks (d:/etc/audit/rules.d -> ...) don’t match because -k isn’t on the same line as the syscall rule.
To resolve this issue, ensure everything is on a single line. You can replace the content of /etc/audit/rules.d/50-kernel_modules.rules with the following (covers both ABIs and kmod execution). Keep the key name exactly as shown:
sudo tee /etc/audit/rules.d/50-kernel_modules.rules >/dev/null <<'EOF'
# Kernel module syscalls (both ABIs)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
# Executions via kmod wrapper
# Kernel module syscalls (both ABIs)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unset -k kernel_modules
# Executions via kmod wrapper
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
# (Optional, harmless; some policies also look for these tools)
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /usr/sbin/insmod -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod -p x -k kernel_modules
EOF
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /usr/sbin/insmod -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod -p x -k kernel_modules
EOF
Reload the rules:
sudo augenrules --load
Verify they match the SCA regex:
sudo auditctl -l | sed 's/ \+/\ /g' | grep -E 'kernel_modules|init_module|finit_module|delete_module|create_module|query_module|/usr/bin/kmod'
Then restart thew Wazuh agent to re-run the SCA scan again:
systemctl restart wazuh-agent
After some time check your Wazuh Configuration Assessment dashboard for checking the SCA status.
After applying the above, the SCA check passed successfully in my tests. I’ve attached a screenshot of my validation for reference.
For more details, you can also refer to the Wazuh SCA documentation.
Paulo Ricardo Bruck
10:11 AM (2 hours ago) 10:11 AM
to Bony V John, Wazuh | Mailing List
Hi Bony
Thanks for reply.
But , unfortunately, gmail cut the line showing rule.
See below: line is not separate :
# auditctl -l
...
...
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel
_modules
-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
# cat /etc/audit/rules.d/50-kernel_modules.rules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel
_modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel
_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
You can check images attached...
I also follow your advice, but is still marking as failed..
root@pauloric:/etc/audit/rules.d# cat /etc/audit/rules.d/50-kernel_modules.rules
# Kernel module syscalls (both ABIs)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unse
t -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unse
t -k kernel_modules
# Executions via kmod wrapper
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
# (Optional, harmless; some policies also look for these tools)
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /usr/sbin/insmod -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod -p x -k kernel_modules
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unse
t -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -S create_module -S query_module -F auid>=1000 -F auid!=unse
t -k kernel_modules
# Executions via kmod wrapper
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
# (Optional, harmless; some policies also look for these tools)
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /usr/sbin/insmod -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/rmmod -p x -k kernel_modules
root@pauloric:/etc/audit/rules.d# augenrules --load
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# augenrules --check
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# auditctl -l
....
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# augenrules --check
/usr/sbin/augenrules: No change
root@pauloric:/etc/audit/rules.d# auditctl -l
....
-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel
_modules
-a always,exit -F arch=b32 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel
_modules
......
root@pauloric:/etc/audit/rules.d# systemctl restart wazuh-agent.service
_modules
......
root@pauloric:/etc/audit/rules.d# systemctl restart wazuh-agent.service
I also copy the 50-kernel_modules.rules file attached...
Best regards
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/eoT_6fSHPcU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/3f953c48-78f0-4d04-a7b6-965065485958n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages