Unusually Tainted Kernel Linux

osquery
Unusually tainted kernel - via a loaded kernel module
Author: Chainguard

Published: January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Unusually tainted kernel - via a loaded kernel module
--
-- references:
--   * https://attack.mitre.org/techniques/T1014/ (Rootkit)
--   * https://docs.kernel.org/admin-guide/tainted-kernels.html
--
-- Confirmed to catch revenge-rtkit
--
-- false positives:
--   * custom kernel modules
--
-- tags: persistent kernel state
-- platform: linux
--
SELECT
  taint,
  taint & 65536 AS is_aux,
  taint & 8192 AS is_unsigned,
  taint & 4096 AS out_of_tree,
  taint & 512 AS kernel_warning,
  -- bit 6 (64) is the userspace-requested taint; 12352 below is 8192 + 4096 + 64
  taint & 64 AS requested_by_userspace,
  taint & 8 AS force_unloaded,
  taint & 4 AS out_of_spec,
  taint & 2 AS force_loaded,
  taint & 1 AS proprietary,
  modules
FROM
  (
    SELECT
      -- system_controls.current_value is text; cast so the bitwise and IN checks are numeric
      CAST(sc.current_value AS INTEGER) AS taint,
      -- wrap the list in commas so '%,name,%' also matches the first and last module
      ',' || GROUP_CONCAT(km.name) || ',' AS modules
    FROM
      system_controls sc,
      kernel_modules km
    WHERE
      sc.name = 'kernel.tainted'
    ORDER BY
      km.name ASC
  )
  -- 4096 is a signed, out of tree, open source driver
  -- 4097 is a signed, out of tree, proprietary driver
  -- 512 is a kernel warning
WHERE
  taint NOT IN (0, 512, 4096, 4097)
  -- Some day, folks will sign rootkits. That day isn't today.
  -- is_unsigned holds the raw bit (8192 or 0), so test for non-zero rather than 1
  AND is_unsigned != 0
  AND NOT (
    (
      -- 12289 is an unsigned, out of tree, proprietary
      -- 12801 is an unsigned, out of tree, proprietary with kernel warning. not great.
      taint IN (12289, 12801)
      AND (
        modules LIKE '%,nvidia,%'
        OR modules LIKE '%,v4l2loopback,%'
        OR modules LIKE '%,wl,%'
      )
    )
    OR (
      -- 12352 is unsigned, out of tree, requested by user space
      -- 12289 is an unsigned, out of tree, proprietary
      taint IN (12352, 12289)
      AND modules LIKE '%,v4l2loopback,%'
    )
  )
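As an added example that is not part of osquery-defense-kit: a small Python decoder for the kernel taint bitmask the query reads from the kernel.tainted sysctl, together with a replay of the query's baseline and allow-list logic so a given taint value and module list can be checked offline before tuning the query. The bit positions follow the kernel's tainted-kernels documentation; the flag names reuse the query's column names where it defines one, the module lists are constructed samples, and `suspicious_mod` is a hypothetical module name, not a real rootkit.

```python
# Added example, not part of osquery-defense-kit. Decodes the Linux kernel taint
# bitmask (the value of the kernel.tainted sysctl / /proc/sys/kernel/tainted) and
# replays the allow-list logic of the ODK query above in Python.
# Bit positions follow https://docs.kernel.org/admin-guide/tainted-kernels.html.
from __future__ import annotations

import os

TAINT_BITS = {
    0: "proprietary",             # P: proprietary (non-GPL) module loaded
    1: "force_loaded",            # F: module force-loaded
    2: "out_of_spec",             # S: CPU/system running out of specification
    3: "force_unloaded",          # R: module force-unloaded
    4: "machine_check",           # M: machine check exception reported
    5: "bad_page",                # B: bad page referenced
    6: "requested_by_userspace",  # U: taint requested by userspace (TAINT_USER)
    7: "kernel_died",             # D: kernel died recently (OOPS/BUG)
    8: "acpi_override",           # A: ACPI table overridden by user
    9: "kernel_warning",          # W: kernel issued a warning
    10: "staging_driver",         # C: staging driver loaded
    11: "firmware_workaround",    # I: platform firmware bug workaround applied
    12: "out_of_tree",            # O: out-of-tree module loaded
    13: "is_unsigned",            # E: unsigned module loaded
    14: "soft_lockup",            # L: soft lockup occurred
    15: "live_patched",           # K: kernel has been live-patched
    16: "is_aux",                 # X: auxiliary taint, defined by the distribution
    17: "struct_randomized",      # T: built with the randstruct plugin
    18: "in_kernel_test",         # N: an in-kernel test has been run
}

# Taint values the query ignores outright, and its per-module allow-list
# (accepted taint values -> module names), copied from the query's WHERE clause.
BASELINE = {0, 512, 4096, 4097}
ALLOWLIST = [
    ({12289, 12801}, {"nvidia", "v4l2loopback", "wl"}),
    ({12352, 12289}, {"v4l2loopback"}),
]


def decode(taint: int) -> set[str]:
    """Return the flag names set in a taint bitmask; unknown bits are reported as bit_N."""
    flags = set()
    for bit in range(taint.bit_length()):
        if taint & (1 << bit):
            flags.add(TAINT_BITS.get(bit, f"bit_{bit}"))
    return flags


def module_present(modules: str, name: str) -> bool:
    """Exact-name match on a comma-separated module list, as GROUP_CONCAT produces it.

    Splitting on commas matches a module that is first or last in the list too,
    which a bare LIKE '%,name,%' on an unwrapped list would miss."""
    return name in modules.split(",")


def is_suspicious(taint: int, modules: str) -> bool:
    """Replay of the query: True when the row would be returned, i.e. an alert."""
    if taint in BASELINE:
        return False
    if "is_unsigned" not in decode(taint):
        return False  # the query only alerts on taint that includes an unsigned module
    for accepted_taints, names in ALLOWLIST:
        if taint in accepted_taints and any(module_present(modules, n) for n in names):
            return False
    return True


def read_live_taint(path: str = "/proc/sys/kernel/tainted") -> int | None:
    """Read the running kernel's taint value, or None when not on Linux."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    # Constructed samples: (taint value, GROUP_CONCAT-style module list).
    samples = [
        (4097, "nvidia,nvidia_drm"),        # signed out-of-tree proprietary: baseline
        (12289, "nvidia,nvidia_drm,snd"),   # nvidia first in the list: allow-listed
        (12352, "v4l2loopback,ext4"),       # userspace-requested taint, allow-listed module
        (12289, "suspicious_mod,ext4"),     # hypothetical unknown unsigned module: alert
    ]
    for taint, mods in samples:
        verdict = "ALERT" if is_suspicious(taint, mods) else "ok"
        print(f"{taint:6d} {sorted(decode(taint))} -> {verdict}")
    live = read_live_taint()
    if live is not None:
        print("live kernel taint:", live, sorted(decode(live)))
```

Running the script prints the decoded flags and verdict for each constructed sample and, on a Linux host, the live taint value; `decode()` is also handy on its own for turning a number like 12801 into the flags the query's comments describe.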

Reference

https://github.com/chainguard-dev/osquery-defense-kit