HIDS 5114

From Atomicorp Wiki

Rule ID

5114

Status

Active rule currently published.

Description

This rule detects when an attempt to insert a kernel module has failed. This may indicate that an attacker has tried to insert code into your kernel, such as a rootkit. It may also indicate that a legitimate application is trying to insert code into the kernel, such as a kernel module.

Guidance

The secure ASL kernel prevents any user or process, including root, from modifying the kernel. This prevents rootkits from being installed into the kernel. Please see the URL below for further guidance:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Can.27t_install_kernel_modules.

False Positives

There is no known false positive for this rule. This rule detects when a kernel module insertion attempt has failed. Please see the URL below if you wish to allow kernel modifications on your system:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Can.27t_install_kernel_modules.

Tuning Recommendations

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References
