• deegeese@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    No, you make a management API for security products that run in user space as root, you don’t use kernel modules.

    • lud
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      Is that the way that EDR is implemented on Linux or are you guessing?

      • progandy@feddit.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        3 months ago

        Currently, cloudstrike offers two methods for Linux: a kernel driver / module and a theoretically safer alternative using epbf (you could call that “kernel level scripting”). Ironically, they triggered a kernel bug using that second option. They did not test all kernels they listed as compatible or something like that.