A kernel module is a component of the UNIX operating system that you can load to extend the running kernel, and unload when no longer required. This adds flexibility, letting you load functionality as required, without wasting memory resources that would otherwise be required to cover all possible expected functionality in the base kernel.
You can disable and enable kernel module protection in CA ControlMinder. If you enable kernel module protection, CA ControlMinder intercepts the system calls that load and unload a kernel module, and then checks the requested access against the associated record in the database, which is a record of class KMODULE. When access is requested for a kernel module record, the requested access is either "load" or "unload".
On all non-Linux systems, the name of the KMODULE record must match the name of the kernel module file (not the full path). This is because the name of the module is the same as the name of the file. On Linux, the name of the KMODULE record needs to match only the name of the kernel module, which may be different from the actual file name. Changing the file name on Linux does not change the module name that Linux uses, so the KMODULE record remains valid.
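The naming rule above, as an added example that is not CA ControlMinder code: it reads the module name from the `.modinfo` section of a Linux module and compares it with the file name. It assumes a kernel build that records a `name=` entry in `.modinfo`; the module `acme_filter`, the paths, and the helpers `build_sample_ko` and `kmodule_record_name` are constructed for illustration.

```python
import os
import struct

# Constructed .modinfo payload: NUL-separated key=value strings, as in a real .ko.
SAMPLE_MODINFO = b"license=GPL\0name=acme_filter\0vermagic=6.1.0 SMP mod_unload \0"

def build_sample_ko(modinfo: bytes) -> bytes:
    """Build a constructed, minimal ELF64 object that holds only .modinfo."""
    shstr = b"\0.modinfo\0.shstrtab\0"
    off_mi, off_str = 64, 64 + len(modinfo)
    shoff = off_str + len(shstr)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + modinfo + shstr + shdr(0, 0, 0, 0)
            + shdr(1, 1, off_mi, len(modinfo)) + shdr(10, 3, off_str, len(shstr)))

def modinfo_fields(ko: bytes) -> dict:
    """Return the key=value pairs stored in the .modinfo section of an ELF64 module."""
    if ko[:4] != b"\x7fELF" or ko[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 object")
    (shoff,) = struct.unpack_from("<Q", ko, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", ko, 0x3A)
    def section(i):
        name, _, _, _, off, size = struct.unpack_from("<IIQQQQ", ko, shoff + i * shentsize)
        return name, ko[off:off + size]
    _, strtab = section(shstrndx)
    for i in range(shnum):
        name_off, data = section(i)
        if strtab[name_off:strtab.index(b"\0", name_off)] == b".modinfo":
            pairs = (e.split(b"=", 1) for e in data.split(b"\0") if b"=" in e)
            return {k.decode(): v.decode() for k, v in pairs}  # repeated keys: last wins
    raise ValueError("no .modinfo section")

def kmodule_record_name(path: str, ko: bytes, linux: bool) -> str:
    """Name a KMODULE record would need, per the rule described above."""
    if not linux:
        return os.path.basename(path)      # non-Linux: file name, not the full path
    return modinfo_fields(ko)["name"]      # Linux: module name, independent of file name

if __name__ == "__main__":
    ko = build_sample_ko(SAMPLE_MODINFO)
    # The file was renamed, but the module name inside it is unchanged.
    print(kmodule_record_name("/tmp/renamed.ko", ko, linux=True))
```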
If you enable file path checking on kernel module loads and the requested access is load, CA ControlMinder performs the following additional checks:
Note: CA ControlMinder produces a unique signature for the kernel module file on Linux systems, and inserts this as the value of the signature property in the kernel module record. CA ControlMinder checks the signature on each access. You do not need to enter the signature yourself, because CA ControlMinder calculates and inserts it automatically. However, you can do so using the seretrust utility.
Copyright © 2013 CA Technologies.
All rights reserved.