@kwm Twitter archive

Keith

@kwm

@geoffg @redcanary Of the preventative measures listed in the blog, the two that are the safest and most practical are “Make sure unprivileged eBPF is disabled” and “Create firewall filters on external firewalls to block suspicious packets”.

1/11/2023, 2:23:49 PM

Favs: 0

Retweets: 0

Keith

@kwm

@geoffg @redcanary Most Linux EDR sensors already run as root, so disabling unprivileged eBPF is probably not going to break anything.

And regarding the firewall, since we’re talking about external firewall rules, it shouldn’t affect anything on the endpoint itself (but always test).

1/11/2023, 2:24:55 PM

Favs: 1

Retweets: 0

Keith

@kwm

@geoffg @redcanary The other preventative measures listed definitely require some level of skill and understanding to know if they would break anything or not.

1/11/2023, 2:25:39 PM

Favs: 0

Retweets: 0

Keith

@kwm

@geoffg @redcanary Thanks for bringing this up, @geoffg! Definitely useful to distinguish between the various means of preventing eBPF misuse, particularly as it relates to enabling use of security software.

1/11/2023, 2:27:29 PM

Favs: 1

Retweets: 0