On 07/10/2015 02:40 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
The check for the RHEL7 audit rules for kernel module loading and unloading
specifies the following:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
However, at least on my RHEL7 system, these commands are located in /sbin, not
/usr/sbin (as on RHEL6). This is using the latest git zip (can't manage to
pull from git since the move to github, for some reason).
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support
/sbin is a symlink to /usr/sbin on my RHEL 7 system, and the binaries
you mention are still located in /usr/sbin as before:
$ ls -ld /sbin
lrwxrwxrwx. 1 root root 8 Jun 25 2014 /sbin -> usr/sbin/
$ which insmod
/usr/sbin/insmod
$ which rmmod
/usr/sbin/rmmod
$ which modprobe
/usr/sbin/modprobe
Can you check if your /sbin is a symlink or a real directory?
- Maura Dailey
[email protected]
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
