On Friday, July 10, 2015 06:40:52 PM Shaw, Ray V CTR USARMY ARL wrote:
> The check for the RHEL7 audit rules for kernel module loading and unloading
> specifies the following:
>
> -w /usr/sbin/insmod -p x -k modules
> -w /usr/sbin/rmmod -p x -k modules
> -w /usr/sbin/modprobe -p x -k modules
>
> However, at least on my RHEL7 system, these commands are located in /sbin,
> not /usr/sbin (as on RHEL6).

/sbin should be a symlink to /usr/sbin

More info:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-File_System_Layout.html

> This is using the latest git zip (can't manage to pull from git since the
> move to github, for some reason).

Check to see if /usr/sbin/insmod exists. Maybe the PATH variable has
directories in the wrong order and it resolves the symlink first? Either way,
the audit system should be smart enough to figure this out because it resolves
to the same inode.

-Steve
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
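Added example, not part of the original message or of the scap-security-guide project: a shell check of the point made in the reply, confirming that each watched path exists and is the same file (same device and inode) as its /sbin or /usr/sbin counterpart. The function name `check_watch_paths`, its root-prefix argument and the temporary directory tree are constructed for illustration; `-ef` is a test operator provided by bash, dash and ksh rather than by POSIX.

```shell
#!/bin/sh
# check_watch_paths [ROOT]: read audit rules on stdin; for every "-w PATH" rule
# report whether PATH exists and whether its /sbin <-> /usr/sbin counterpart is
# the same file (same device and inode). ROOT is a hypothetical prefix used to
# point the check at a test tree; leave it empty to check the live system.
check_watch_paths() {
    root=${1:-}
    status=0
    while read -r flag path rest; do
        [ "$flag" = "-w" ] || continue        # only file watch rules
        case $path in
            /usr/sbin/*) alt=/sbin/${path#/usr/sbin/} ;;
            /sbin/*)     alt=/usr/sbin/${path#/sbin/} ;;
            *)           alt= ;;
        esac
        if [ ! -e "$root$path" ]; then
            echo "MISSING $path"; status=1    # the watch would cover nothing
        elif [ -z "$alt" ] || [ ! -e "$root$alt" ]; then
            echo "ONLY $path"                 # no counterpart to compare with
        elif [ "$root$path" -ef "$root$alt" ]; then
            echo "SAME $path == $alt"         # one inode, one watch is enough
        else
            echo "DIFFERS $path != $alt"; status=1
        fi
    done
    return "$status"
}

# Constructed demo tree mimicking the RHEL7 layout (/sbin -> usr/sbin), fed
# with the three watch rules quoted in the message above.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/sbin"
for cmd in insmod rmmod modprobe; do : > "$demo_root/usr/sbin/$cmd"; done
ln -s usr/sbin "$demo_root/sbin"
check_watch_paths "$demo_root" <<'EOF'
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
EOF
rm -rf "$demo_root"
```

A non-zero return means at least one watched path is missing or differs from its counterpart, which is the case where the rule path would need to change.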
