Class: Google::Apis::SecuritycenterV1beta1::KernelRootkit

Inherits:

Object

• Object
• Google::Apis::SecuritycenterV1beta1::KernelRootkit

Includes:

Core::Hashable, Core::JsonObjectSupport

Defined in:

lib/google/apis/securitycenter_v1beta1/classes.rb,
lib/google/apis/securitycenter_v1beta1/representations.rb,
lib/google/apis/securitycenter_v1beta1/representations.rb

Overview

Kernel mode rootkit signatures.

Instance Attribute Summary

• #name ⇒ String

  Rootkit name when available.

• #unexpected_code_modification ⇒ Boolean (also: #unexpected_code_modification?)

  True when unexpected modifications of kernel code memory are present.

• #unexpected_ftrace_handler ⇒ Boolean (also: #unexpected_ftrace_handler?)

  True when ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

• #unexpected_interrupt_handler ⇒ Boolean (also: #unexpected_interrupt_handler?)

  True when interrupt handlers that are are not in the expected kernel or module code regions are present.

• #unexpected_kernel_code_pages ⇒ Boolean (also: #unexpected_kernel_code_pages?)

  True when kernel code pages that are not in the expected kernel or module code regions are present.

• #unexpected_kprobe_handler ⇒ Boolean (also: #unexpected_kprobe_handler?)

  True when kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

• #unexpected_processes_in_runqueue ⇒ Boolean (also: #unexpected_processes_in_runqueue?)

  True when unexpected processes in the scheduler run queue are present.

• #unexpected_read_only_data_modification ⇒ Boolean (also: #unexpected_read_only_data_modification?)

  True when unexpected modifications of kernel read-only data memory are present.

• #unexpected_system_call_handler ⇒ Boolean (also: #unexpected_system_call_handler?)

  True when system call handlers that are are not in the expected kernel or module code regions are present.

Instance Method Summary

• #initialize(**args) ⇒ KernelRootkit constructor

  A new instance of KernelRootkit.

• #update!(**args) ⇒ Object

  Update properties of this object.

Constructor Details

#initialize(**args) ⇒ KernelRootkit

Returns a new instance of KernelRootkit.

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2937

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#name ⇒ String

Rootkit name when available. Corresponds to the JSON property name

Returns:

• (String)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2881

def name
  @name
end

#unexpected_code_modification ⇒ Boolean Also known as: unexpected_code_modification?

True when unexpected modifications of kernel code memory are present. Corresponds to the JSON property unexpectedCodeModification

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2886

def unexpected_code_modification
  @unexpected_code_modification
end

#unexpected_ftrace_handler ⇒ Boolean Also known as: unexpected_ftrace_handler?

True when ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Corresponds to the JSON property unexpectedFtraceHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2893

def unexpected_ftrace_handler
  @unexpected_ftrace_handler
end

#unexpected_interrupt_handler ⇒ Boolean Also known as: unexpected_interrupt_handler?

True when interrupt handlers that are are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedInterruptHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2900

def unexpected_interrupt_handler
  @unexpected_interrupt_handler
end

#unexpected_kernel_code_pages ⇒ Boolean Also known as: unexpected_kernel_code_pages?

True when kernel code pages that are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedKernelCodePages

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2907

def unexpected_kernel_code_pages
  @unexpected_kernel_code_pages
end

#unexpected_kprobe_handler ⇒ Boolean Also known as: unexpected_kprobe_handler?

True when kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Corresponds to the JSON property unexpectedKprobeHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2914

def unexpected_kprobe_handler
  @unexpected_kprobe_handler
end

#unexpected_processes_in_runqueue ⇒ Boolean Also known as: unexpected_processes_in_runqueue?

True when unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list. Corresponds to the JSON property unexpectedProcessesInRunqueue

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2921

def unexpected_processes_in_runqueue
  @unexpected_processes_in_runqueue
end

#unexpected_read_only_data_modification ⇒ Boolean Also known as: unexpected_read_only_data_modification?

True when unexpected modifications of kernel read-only data memory are present. Corresponds to the JSON property unexpectedReadOnlyDataModification

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2927

def unexpected_read_only_data_modification
  @unexpected_read_only_data_modification
end

#unexpected_system_call_handler ⇒ Boolean Also known as: unexpected_system_call_handler?

True when system call handlers that are are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedSystemCallHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2934

def unexpected_system_call_handler
  @unexpected_system_call_handler
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 2942

def update!(**args)
  @name = args[:name] if args.key?(:name)
  @unexpected_code_modification = args[:unexpected_code_modification] if args.key?(:unexpected_code_modification)
  @unexpected_ftrace_handler = args[:unexpected_ftrace_handler] if args.key?(:unexpected_ftrace_handler)
  @unexpected_interrupt_handler = args[:unexpected_interrupt_handler] if args.key?(:unexpected_interrupt_handler)
  @unexpected_kernel_code_pages = args[:unexpected_kernel_code_pages] if args.key?(:unexpected_kernel_code_pages)
  @unexpected_kprobe_handler = args[:unexpected_kprobe_handler] if args.key?(:unexpected_kprobe_handler)
  @unexpected_processes_in_runqueue = args[:unexpected_processes_in_runqueue] if args.key?(:unexpected_processes_in_runqueue)
  @unexpected_read_only_data_modification = args[:unexpected_read_only_data_modification] if args.key?(:unexpected_read_only_data_modification)
  @unexpected_system_call_handler = args[:unexpected_system_call_handler] if args.key?(:unexpected_system_call_handler)
end