Comments


+1

Works on Fedora 31.

rpm -q audit

audit-3.0-0.15.20191104git1c2f876.fc31.x86_64

cat /usr/share/audit/sample-rules/43-module-load.rules

# These rules watch for kernel module insertion. By monitoring
# the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload

cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d

sed -i 's/RefuseManualStop=yes/## &/' /usr/lib/systemd/system/auditd.service

systemctl daemon-reload

systemctl restart auditd

lsmod | grep dm_thin_pool

modprobe dm_thin_pool

lsmod | grep dm_thin_pool

dm_thin_pool           86016  0
dm_persistent_data     94208  1 dm_thin_pool
dm_bio_prison          20480  1 dm_thin_pool

rmmod dm_thin_pool

lsmod | grep dm_thin_pool

...

ausearch --start today -k module --raw | aureport --key --summary

Key Summary Report

total  key

6  module-load
6  module-unload

BZ#1738873 43-module-load.rules does not seem to enable kernel module operation auditing
karma
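The procedure in the comment above (install 43-module-load.rules, restart auditd, load and unload a module, then summarise by key with aureport) leaves SYSCALL records in /var/log/audit/audit.log. What follows is an added example, not code from the commenter, from the audit project or from Bodhi: a small Python parser that replays such records and produces the same per-key totals as `aureport --key --summary`, and additionally splits each key by success, because `-a always,exit` also logs init_module/finit_module calls that failed (a rejected module signature, for example), which a bare key count hides. The log lines are constructed for this example (pids, serials and timestamps are made up); the arch values and syscall numbers for x86_64 and i386 are the ones the kernel reports and are the only external facts assumed.

```python
"""Summarise kernel module load/unload events from audit.log SYSCALL records.

Added example; the sample records below are constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# arch -> {syscall number: name}, as reported in SYSCALL records
SYSCALL_NAMES = {
    "c000003e": {175: "init_module", 176: "delete_module", 313: "finit_module"},  # x86_64
    "40000003": {128: "init_module", 129: "delete_module", 350: "finit_module"},  # i386
}
MODULE_KEYS = ("module-load", "module-unload")  # keys set by 43-module-load.rules

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; double-quoted values are unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def module_events(lines):
    """Yield one dict per SYSCALL record carrying a module-load/unload key."""
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") not in MODULE_KEYS:
            continue
        names = SYSCALL_NAMES.get(rec.get("arch"), {})
        yield {
            "key": rec["key"],
            "syscall": names.get(int(rec.get("syscall", -1)), "unknown"),
            "comm": rec.get("comm"),
            "auid": rec.get("auid"),
            "success": rec.get("success") == "yes",
            "exit": rec.get("exit"),
        }


def key_summary(lines):
    """Count records per key, like `aureport --key --summary`."""
    return Counter(ev["key"] for ev in module_events(lines))


def outcome_summary(lines):
    """Count per key split by success; always,exit rules log failures too."""
    out = defaultdict(lambda: {"ok": 0, "failed": 0})
    for ev in module_events(lines):
        out[ev["key"]]["ok" if ev["success"] else "failed"] += 1
    return dict(out)


def format_report(lines):
    """Render the key summary in the aureport layout."""
    rows = ["Key Summary Report", "=" * 27, "total  key", "=" * 27]
    for key, n in sorted(key_summary(lines).items()):
        rows.append(f"{n}  {key}")
    return "\n".join(rows)


# Constructed sample records: two successful loads (x86_64 finit_module,
# i386 init_module), one unload, one load refused with -EKEYREJECTED (129),
# plus a PROCTITLE record and an unrelated openat call that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1573000001.100:201): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7ffd0 a2=0 a3=0 items=0 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="modprobe" exe="/usr/bin/kmod" key="module-load"
type=PROCTITLE msg=audit(1573000001.100:201): proctitle=6D6F6470726F626500646D5F7468696E5F706F6F6C
type=SYSCALL msg=audit(1573000002.200:202): arch=c000003e syscall=176 success=yes exit=0 a0=55d0 a1=800 a2=0 a3=0 items=0 ppid=1200 pid=1205 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rmmod" exe="/usr/bin/kmod" key="module-unload"
type=SYSCALL msg=audit(1573000003.300:203): arch=c000003e syscall=313 success=no exit=-129 a0=3 a1=7ffd0 a2=0 a3=0 items=0 ppid=1200 pid=1210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="module-load"
type=SYSCALL msg=audit(1573000004.400:204): arch=40000003 syscall=128 success=yes exit=0 a0=9 a1=100 a2=0 a3=0 items=0 ppid=1200 pid=1215 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="module-load"
type=SYSCALL msg=audit(1573000005.500:205): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=80000 a3=0 items=1 ppid=1200 pid=1220 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    print(format_report(SAMPLE_LINES))
    print(outcome_summary(SAMPLE_LINES))
    for ev in module_events(SAMPLE_LINES):
        print(ev)
```

On a real host, feed it `ausearch -k module-load --raw` or the audit.log file instead of SAMPLE_LINES; the point of outcome_summary is that the "module-load" total of 3 in the sample contains one refused insertion, so an alert that fires on the key alone and an alert that fires on success=no are different detections.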

Works

This update has been unpushed.


karma

Hello

I don't know why, but it has been built with the wrong libprelude. The buildroot is reset. Can you rebuild suricata?

Regards

BZ#1730284 Need recompile : libprelude new version 5.0 soname bump
BZ#1725305 cppcheck-1.88 is available

Works here.

karma

Works