EDR: Is Linux sensor kernel module signed?

Article ID: 289540

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Is the Linux sensor kernel module signed?

Environment

  • EDR Linux sensor: All versions
  • Linux: All versions

Resolution

Signing the kernel module is currently not on the roadmap.

The sensor package itself is signed, so once you extract the kernel module from that package you can generate a hash of the module and use it to check whether the module has been tampered with. Starting with the 7.1.0-lnx sensor, there will also be a manifest containing the hashes of all components in the package.

If a customer wants to use the EDR kernel module with Secure Boot, they can for now self-sign the module using the procedure documented at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel.
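
The hash check and the self-signing step described above can be scripted as follows. This is an added example, not tooling from the vendor or the sensor package. It assumes an RPM sensor package whose vendor signing key is already imported into the rpm keyring; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from the sensor package.

# Verify the package signature, then unpack it and list the kernel modules inside.
extract_kmods() {
    ek_rpm=$1; ek_dest=$2
    ek_out=$(rpm -K "$ek_rpm") || { echo "signature check failed: $ek_out" >&2; return 1; }
    # rpm -K also succeeds on an unsigned package (digests only), so require
    # that a signature was actually reported.
    printf '%s\n' "$ek_out" | grep -Eiq 'signatures|pgp|rsa' ||
        { echo "package carries no signature" >&2; return 1; }
    ek_abs=$(cd "$(dirname "$ek_rpm")" && pwd)/$(basename "$ek_rpm")
    mkdir -p "$ek_dest" || return 1
    (cd "$ek_dest" && rpm2cpio "$ek_abs" | cpio -idm --quiet) || return 1
    find "$ek_dest" -type f -name '*.ko*'
}

# Print the SHA-256 of a module file.
module_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Return 0 only if the module on disk matches the reference hash taken from
# the verified package (hex case is ignored).
verify_module() {
    vm_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vm_have=$(module_sha256 "$1") || return 1
    [ "$vm_have" = "$vm_want" ] || { echo "hash mismatch: $1" >&2; return 1; }
}

# Return 0 if the file ends with the kernel's appended-signature marker,
# i.e. a signature was appended, for example after self-signing for Secure Boot.
# This shows that a signature is present, not that the kernel will trust it.
is_module_signed() {
    ims_tail=$(tail -c 28 -- "$1" 2>/dev/null | tr -d '\000')
    [ "$ims_tail" = '~Module signature appended~' ]
}

# Stand-alone use: ./check.sh <sensor.rpm> <installed-module.ko>
if [ "$#" -eq 2 ]; then
    ref_dir=$(mktemp -d) || exit 1
    ref_mod=$(extract_kmods "$1" "$ref_dir" | head -n 1)
    [ -n "$ref_mod" ] || { echo "no module found in package" >&2; exit 1; }
    verify_module "$2" "$(module_sha256 "$ref_mod")" && echo "module matches package"
    is_module_signed "$2" && echo "module has an appended signature"
    rm -rf "$ref_dir"
fi
```

Self-signing appends a signature to the file, so a self-signed module no longer hashes to the value taken from the package; record the reference hash before signing, or compare against a fresh extraction.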