From cb592a62fa0625e45d8ea0880f3c92ab89765bd2 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Mon, 22 Oct 2018 03:16:02 +0800
Subject: [PATCH] Add syscall create_module and finit_module to audit.rules

---
 bin/hardening/8.1.17_record_kernel_modules.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
index c5ab71c..ef26e93 100755
--- a/bin/hardening/8.1.17_record_kernel_modules.sh
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -16,7 +16,9 @@ HARDENING_LEVEL=4
 AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
--a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
+-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
+
 FILE='/etc/audit/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
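Review bot: Both added `-a always,exit` lines in AUDIT_PARAMS name `-S create_module`, a syscall that was removed in Linux 2.6 and is missing from the syscall tables of some architectures (arm64, for example), so auditctl may reject the whole rule there as an unknown syscall and the `finit_module` coverage this commit is after would be lost with it. Keeping `create_module` out of the shared rule, or in a rule of its own, leaves the line that matters loadable: `-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules`. The new `arch=b32` line likewise assumes a kernel built with 32-bit compat support, which this hunk does not show. A short comment above AUDIT_PARAMS would help the next maintainer, e.g. `# finit_module: fd-based load used by current kmod; init_module: legacy load path`. Hosts that already carry the old b64 line will presumably end up with both the old and the new rule in the audit rules file after apply; the apply function is outside the hunk, so this needs confirming.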