From dee817f1c269af840614ae329d7403a02dfa16c8 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 14 Nov 2024 19:36:15 +0200
Subject: [PATCH] Audit: Added modules.rules.new to complement 43-module-load.rules

---
 newconfs/rules.d/modules.rules.new | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 newconfs/rules.d/modules.rules.new

diff --git a/newconfs/rules.d/modules.rules.new b/newconfs/rules.d/modules.rules.new
new file mode 100644
index 0000000..2f7dc20
--- /dev/null
+++ b/newconfs/rules.d/modules.rules.new
@@ -0,0 +1,12 @@
+# CIS Distribution Independent Linux v2.0.0 - 07-16-2019 4.1.18 Ensure kernel module loading and unloading is collected
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+
+# CIS Debian Linux 12 Benchmark v1.1.0 - 09-26-2024 6.2.3.19 Ensure kernel module loading unloading and modification is collected
+# init_module, finit_module & delete_module are covered in 43-module-load.rules
+-a always,exit -F arch=b64 -S create_module,query_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules
+# Debian
+-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
+# Slackware
+-a always,exit -S all -F path=/sbin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules
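Review bot: The new file splits module activity across two audit keys — the three `-w` watches tag events with `-k modules` while the syscall and kmod rules use `-F key=kernel_modules` — so an `ausearch -k` on either key returns only half of the picture; use one key for the whole file (ideally the one 43-module-load.rules already uses), e.g. `-w /sbin/insmod -p x -k kernel_modules`. The `-F auid>=1000 -F auid!=-1` filters on the kmod and create_module/query_module rules also exclude direct root logins (auid 0) and unset-auid daemons, and on Debian the filter-less watches above do not reliably cover that gap because /sbin/insmod, rmmod and modprobe are symlinks to kmod and a watch placed on the symlink path may not fire when the target binary is executed — which is presumably why the CIS `-F path=.../kmod -F perm=x` rules exist; a comment such as `# On Debian insmod/rmmod/modprobe are symlinks to kmod; the path= rules below are the ones that actually catch execution` would save the next reader that investigation. Lastly, create_module/query_module are only given for arch=b64: if 32-bit binaries can run on the target a matching `-F arch=b32` line is needed, and on architectures whose syscall table lacks these obsolete calls auditctl will reject the rule, so the intended target architecture should be stated in the header comment.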