Class: Google::Apis::SecuritycenterV1beta1::KernelRootkit

Inherits:

Object

• Object
• Google::Apis::SecuritycenterV1beta1::KernelRootkit

Includes:

Core::Hashable, Core::JsonObjectSupport

Defined in:

lib/google/apis/securitycenter_v1beta1/classes.rb,
lib/google/apis/securitycenter_v1beta1/representations.rb,
lib/google/apis/securitycenter_v1beta1/representations.rb

Overview

Kernel mode rootkit signatures.

Instance Attribute Summary

• #name ⇒ String

  Rootkit name, when available.

• #unexpected_code_modification ⇒ Boolean (also: #unexpected_code_modification?)

  True if unexpected modifications of kernel code memory are present.

• #unexpected_ftrace_handler ⇒ Boolean (also: #unexpected_ftrace_handler?)

  True if ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

• #unexpected_interrupt_handler ⇒ Boolean (also: #unexpected_interrupt_handler?)

  True if interrupt handlers that are are not in the expected kernel or module code regions are present.

• #unexpected_kernel_code_pages ⇒ Boolean (also: #unexpected_kernel_code_pages?)

  True if kernel code pages that are not in the expected kernel or module code regions are present.

• #unexpected_kprobe_handler ⇒ Boolean (also: #unexpected_kprobe_handler?)

  True if kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range.

• #unexpected_processes_in_runqueue ⇒ Boolean (also: #unexpected_processes_in_runqueue?)

  True if unexpected processes in the scheduler run queue are present.

• #unexpected_read_only_data_modification ⇒ Boolean (also: #unexpected_read_only_data_modification?)

  True if unexpected modifications of kernel read-only data memory are present.

• #unexpected_system_call_handler ⇒ Boolean (also: #unexpected_system_call_handler?)

  True if system call handlers that are are not in the expected kernel or module code regions are present.

Instance Method Summary

• #initialize(**args) ⇒ KernelRootkit constructor

  A new instance of KernelRootkit.

• #update!(**args) ⇒ Object

  Update properties of this object.

Constructor Details

#initialize(**args) ⇒ KernelRootkit

Returns a new instance of KernelRootkit.

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7365

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#name ⇒ String

Rootkit name, when available. Corresponds to the JSON property name

Returns:

• (String)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7309

def name
  @name
end

#unexpected_code_modification ⇒ Boolean Also known as: unexpected_code_modification?

True if unexpected modifications of kernel code memory are present. Corresponds to the JSON property unexpectedCodeModification

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7314

def unexpected_code_modification
  @unexpected_code_modification
end

#unexpected_ftrace_handler ⇒ Boolean Also known as: unexpected_ftrace_handler?

True if ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Corresponds to the JSON property unexpectedFtraceHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7321

def unexpected_ftrace_handler
  @unexpected_ftrace_handler
end

#unexpected_interrupt_handler ⇒ Boolean Also known as: unexpected_interrupt_handler?

True if interrupt handlers that are are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedInterruptHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7328

def unexpected_interrupt_handler
  @unexpected_interrupt_handler
end

#unexpected_kernel_code_pages ⇒ Boolean Also known as: unexpected_kernel_code_pages?

True if kernel code pages that are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedKernelCodePages

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7335

def unexpected_kernel_code_pages
  @unexpected_kernel_code_pages
end

#unexpected_kprobe_handler ⇒ Boolean Also known as: unexpected_kprobe_handler?

True if kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. Corresponds to the JSON property unexpectedKprobeHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7342

def unexpected_kprobe_handler
  @unexpected_kprobe_handler
end

#unexpected_processes_in_runqueue ⇒ Boolean Also known as: unexpected_processes_in_runqueue?

True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list. Corresponds to the JSON property unexpectedProcessesInRunqueue

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7349

def unexpected_processes_in_runqueue
  @unexpected_processes_in_runqueue
end

#unexpected_read_only_data_modification ⇒ Boolean Also known as: unexpected_read_only_data_modification?

True if unexpected modifications of kernel read-only data memory are present. Corresponds to the JSON property unexpectedReadOnlyDataModification

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7355

def unexpected_read_only_data_modification
  @unexpected_read_only_data_modification
end

#unexpected_system_call_handler ⇒ Boolean Also known as: unexpected_system_call_handler?

True if system call handlers that are are not in the expected kernel or module code regions are present. Corresponds to the JSON property unexpectedSystemCallHandler

Returns:

• (Boolean)

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7362

def unexpected_system_call_handler
  @unexpected_system_call_handler
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object

# File 'lib/google/apis/securitycenter_v1beta1/classes.rb', line 7370

def update!(**args)
  @name = args[:name] if args.key?(:name)
  @unexpected_code_modification = args[:unexpected_code_modification] if args.key?(:unexpected_code_modification)
  @unexpected_ftrace_handler = args[:unexpected_ftrace_handler] if args.key?(:unexpected_ftrace_handler)
  @unexpected_interrupt_handler = args[:unexpected_interrupt_handler] if args.key?(:unexpected_interrupt_handler)
  @unexpected_kernel_code_pages = args[:unexpected_kernel_code_pages] if args.key?(:unexpected_kernel_code_pages)
  @unexpected_kprobe_handler = args[:unexpected_kprobe_handler] if args.key?(:unexpected_kprobe_handler)
  @unexpected_processes_in_runqueue = args[:unexpected_processes_in_runqueue] if args.key?(:unexpected_processes_in_runqueue)
  @unexpected_read_only_data_modification = args[:unexpected_read_only_data_modification] if args.key?(:unexpected_read_only_data_modification)
  @unexpected_system_call_handler = args[:unexpected_system_call_handler] if args.key?(:unexpected_system_call_handler)
end