Environment
- EDR Linux sensor: All versions
- Linux: All versions
Question
Is the Linux sensor kernel module signed?
Answer
Signing the kernel module is currently not on the roadmap.
The sensor package itself is signed, so once you extract the kernel module from that package you can generate a hash on the module and use that to check whether the module has been tampered with. Starting with the 7.1.0-lnx sensor there will also be a manifest that will have the hashes of all components in the package.
If a customer wants to use the EDR kernel module with Secure Boot they can use the procedure documented at
Chapter 4. Signing kernel modules for secure boot Red Hat Enterprise Linux 8 | Red Hat Customer Port... for now to self-sign the module.