> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Linux kernel module injection detected

### Event Information

#### Meaning

* The Linux Kernel Module Injection Detected event in a Kubernetes cluster indicates that an unauthorized or malicious kernel module has been injected into the system.
* This event could potentially compromise the security and stability of the cluster, as the injected module can perform unauthorized actions or provide unauthorized access to the system.
* It is crucial to investigate and remediate this event promptly to ensure the integrity and compliance of the Kubernetes cluster.

To investigate and remediate this event, you can:

* Use the `kubectl get pods` command to identify the affected pod(s) and their corresponding nodes.
* Use the `kubectl describe pod <pod_name>` command to gather more information about the pod, such as the image being used and any suspicious activities.
* If necessary, delete and recreate the affected pod(s) using the `kubectl delete pod <pod_name>` and `kubectl create -f <pod_manifest.yaml>` commands, respectively.

#### Remediation

1. Identify the affected pod(s) by checking the `podName` field in the event.
   * Use the Kubernetes API to get the pod details: `kubectl get pod <podName> -o yaml`
   * Note down the namespace and labels of the affected pod.

2. Create a Kubernetes manifest file to delete the affected pod(s) and prevent further injection:
   * Create a YAML file (e.g., `remediation.yaml`) with the following content:
     ```yaml theme={null}
     apiVersion: v1
     kind: Pod
     metadata:
       namespace: <namespace>
       labels:
         <labels>
     spec:
       restartPolicy: Never
       containers:
       - name: remediation-container
         image: alpine:latest
         command: ["sh", "-c", "sleep 10"]
     ```
   * Replace `<namespace>` with the namespace of the affected pod(s).
   * Replace `<labels>` with the labels of the affected pod(s).
   * This manifest creates a temporary pod that sleeps for 10 seconds and then terminates. This will effectively delete the affected pod(s) and prevent further injection.

3. Apply the remediation manifest to the cluster:
   * Use the Kubernetes API to apply the remediation manifest: `kubectl apply -f remediation.yaml`

   * Verify that the remediation pod is created and completes successfully: `kubectl get pod -l=app=remediation-container`

   * Monitor the cluster to ensure that the affected pod(s) are deleted and no new injection occurs: `kubectl get pod -n <namespace>`
