• lud@lemm.ee
    3 months ago

    It needs that kind of access to fight advanced attacks. It would surprise me if similar EDR programs didn’t have similar access on Linux systems, for example.

    • deegeese
      3 months ago

      No, you make a management API for security products that run in user space as root, you don’t use kernel modules.

      • lud@lemm.ee
        3 months ago

        Is that the way that EDR is implemented on Linux or are you guessing?

        • progandy@feddit.org
          3 months ago

          Currently, CrowdStrike offers two methods for Linux: a kernel driver / module and a theoretically safer alternative using eBPF (you could call that “kernel level scripting”). Ironically, they triggered a kernel bug using that second option. They did not test all kernels they listed as compatible or something like that.