EDR: Is Linux sensor kernel module signed?



Article ID: 289540


Updated On:


Carbon Black EDR (formerly Cb Response)


Is the Linux sensor kernel module signed?


  • EDR Linux sensor: All versions
  • Linux: All versions


Signing the kernel module is currently not on the roadmap.

The sensor package itself is signed, so once you extract the kernel module from that package you can generate a hash of the module and use it to check whether the module has been tampered with. Starting with the 7.1.0-lnx sensor, there will also be a manifest containing the hashes of all components in the package.
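One way to carry out the hash check described above, as an added example that is not part of the original article or the vendor's tooling. It assumes the sensor package is an RPM whose signing key has already been imported, and that installed modules sit at the same relative path as in the package; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# extract_signed_rpm PKG DEST: unpack PKG into DEST only if its signature verifies.
# Assumptions: the package is an RPM and the vendor's public key has
# already been imported into the rpm keyring (rpm --import).
extract_signed_rpm() {
    local pkg="$1" dest="$2" out
    out=$(rpm -Kv "$pkg") || return 1
    # rpm -K also exits 0 for an unsigned package, so require a line
    # reporting a good signature rather than trusting the exit code alone.
    printf '%s\n' "$out" | grep -q 'Signature, key ID .*: OK' || return 1
    mkdir -p "$dest" && rpm2cpio "$pkg" | (cd "$dest" && cpio -idm --quiet)
}

# compare_modules REF_ROOT LIVE_ROOT
# For every *.ko under REF_ROOT (the extracted package), compare its SHA-256
# with the file at the same relative path under LIVE_ROOT (assumed layout).
# Returns 0 if all match, 1 on any missing/mismatched module, 2 if none found.
compare_modules() {
    local ref_root="${1%/}" live_root="${2%/}" rc=0 list ref rel
    list=$(find "$ref_root" -type f -name '*.ko')
    # An empty reference tree means the extraction went wrong: fail, do not pass.
    [ -n "$list" ] || { echo "no .ko files under $ref_root" >&2; return 2; }
    while IFS= read -r ref; do
        rel=${ref#"$ref_root"/}
        if [ ! -f "$live_root/$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(sha256_of "$ref")" != "$(sha256_of "$live_root/$rel")" ]; then
            echo "MISMATCH $rel"; rc=1
        else
            echo "OK       $rel"
        fi
    done <<EOF
$list
EOF
    return "$rc"
}
```

Run `extract_signed_rpm` once on a trusted workstation to build the reference tree, then run `compare_modules` against each host's root and alert on a non-zero exit status.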

If a customer wants to use the EDR kernel module with Secure Boot, they can for now self-sign the module using the procedure documented at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel.