EDR: Is Linux sensor kernel module signed?

Environment

  • EDR Linux sensor: All versions
  • Linux: All versions

Question

Is the Linux sensor kernel module signed?

Answer

Signing the kernel module is currently not on the roadmap.

The sensor package itself is signed, so once you extract the kernel module from that package you can generate a hash of the module and use it to check whether the module has been tampered with. Starting with the 7.1.0-lnx sensor, there will also be a manifest containing the hashes of all components in the package.

If a customer wants to use the EDR kernel module with Secure Boot, for now they can self-sign the module using the procedure documented at Chapter 4. Signing kernel modules for secure boot Red Hat Enterprise Linux 8 | Red Hat Customer Port...
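Self-signing appends a signature to the module file, so the whole-file hash no longer matches the hash taken from the module as extracted from the signed package. The Python below is an added example, not vendor code: it strips the kernel's appended-signature trailer and hashes only the original payload, using constructed sample bytes. It does not verify the signature cryptographically.

```python
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING in the kernel source
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature (12 bytes)


def split_module(blob):
    """Return (payload, signature); signature is None when nothing is appended."""
    if not blob.endswith(MAGIC):
        return blob, None
    end = len(blob) - len(MAGIC) - TRAILER.size
    if end < 0:
        raise ValueError("truncated signature trailer")
    # Fields: algo, hash, id_type, signer_len, key_id_len, sig_len (big-endian)
    *_, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, end)
    start = end - sig_len - signer_len - key_id_len
    if start < 0:
        raise ValueError("signature length exceeds file size")
    return blob[:start], blob[end - sig_len:end]


def check_module(blob, expected_sha256):
    """Compare the unsigned payload with the hash recorded from the vendor package."""
    payload, signature = split_module(blob)
    return {
        "signed": signature is not None,
        "file_sha256": hashlib.sha256(blob).hexdigest(),
        "payload_matches":
            hashlib.sha256(payload).hexdigest() == expected_sha256.lower(),
    }


# Constructed sample data: a stand-in module body and a dummy (invalid) signature.
VENDOR_KO = b"\x7fELF" + b"constructed module body" * 8
EXPECTED = hashlib.sha256(VENDOR_KO).hexdigest()
DUMMY_SIG = b"\x30\x82" + bytes(62)
# id_type 2 is PKEY_ID_PKCS7; signer_len and key_id_len are 0 for PKCS#7 signatures.
SIGNED_KO = VENDOR_KO + DUMMY_SIG + TRAILER.pack(0, 0, 2, 0, 0, len(DUMMY_SIG)) + MAGIC
TAMPERED_KO = b"\x7fELF!" + SIGNED_KO[5:]  # one payload byte changed

if __name__ == "__main__":
    for name, blob in (("vendor", VENDOR_KO), ("self-signed", SIGNED_KO),
                       ("tampered", TAMPERED_KO)):
        print(name, check_module(blob, EXPECTED))
```

Record the expected hash from the module as extracted from the signed package, before signing it, and confirm the signer on the running system with `modinfo`.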

Creation Date: 11-02-2021