The check for the RHEL7 audit rules for kernel module loading and unloading specifies the following:
-w /usr/sbin/insmod -p x -k modules -w /usr/sbin/rmmod -p x -k modules -w /usr/sbin/modprobe -p x -k modules However, at least on my RHEL7 system, these commands are located in /sbin, not /usr/sbin (as on RHEL6). This is using the latest git zip (can't manage to pull from git since the move to github, for some reason). -- Ray Shaw (Contractor, STG) Army Research Laboratory CISD, Unix Support -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
