Kernel Module Removaledit

Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100



  • Elastic
  • Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Potential false positivesedit

There is usually no reason to remove modules, but some buggy modules require removal. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.

Rule queryedit

event.action:executed and process.args:(rmmod and sudo or modprobe and
sudo and ("--remove" or "-r"))

Threat mappingedit