Initial commit

[ta/infra-ansible.git] / roles / audit / templates / 43-module-load.rules.j2

diff --git a/roles/audit/templates/43-module-load.rules.j2 b/roles/audit/templates/43-module-load.rules.j2
new file mode 100644 (file)
index 0000000..8c266f5
--- /dev/null
+++ b/roles/audit/templates/43-module-load.rules.j2
@@ -0,0 +1,6 @@
+## These rules watch for kernel module insertion
+-w /usr/sbin/insmod -p x -k modules
+-w /usr/sbin/rmmod -p x -k modules
+-w /usr/sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -S kexec_file_load -S kexec_load -k modules
+-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules