Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 1 Feb 2020 13:26:38 +0000
From: Patrick Schleizer <adrelanos@...eup.net>
To: lkrg-users@...ts.openwall.com
Subject: Compiling LKRG static into the Kernel / Loading LKRG kernel module as
 early as possible or after other modules?

These are two separate questions, but perhaps related.

1) Is it possible, and sane (considered, tested) to compile LKRG
statically into the Linux kernel? I.e. not use LKRG as a module.

2) When using LKRG as a module, when is the best (recommended, tested,
sane) time the load it? Should LKRG be loaded "late", i.e. after all
other modules are load but still still "early" during boot (before
networking and most other services come up)?

This is what is currently implemented in my LKRG Debian packaging
project. This is just to avoid false positives. I.e. not confuse/scare
users with messages by LKRG about module load/unload and kernel
modifications.

Recently we implemented an initramfs-hook to load sysctl inside
initramfs, i.e. earlier than the systemd-sysctl service. Even before
systemd is started. Made me wonder, if it wouldn't also make sense to
load LKRG as early as possible.

However, loading LKRG "late" for the sake of "not confuse/scare users
with messages by LKRG about" is a security disadvantage which might not
be necessary.

Would it make sense if LKRG had a module parameter and sysctl
"earlyloading=1"? In that mode LKRG wouldn't show some messages such as
about module load and unload - because then that's expected. And maybe
also be more lenient about "some other things"? After some time it would
be the job of the system/package to set sysctl "earlyloading=0" (through
a systemd unit file after systemd-modules-load service), thereby LKRG
going back to "normal mode" (what's implemented now).

Kind regards,
Patrick

Adam Zabrocki:
> ...
> It is important to note that before you run LKRG, you should load "overlay" 
> module used by docker. If you don't do it (e.g. load "overlay" module after 
> LKRG), not all hooks will be installed and you will see False Positives. The 
> easiest way to solve it is to configure the system to load "overlay" during 
> boot. You can do it by runnig, for example, the following command:
> 
>     root@...-ubuntu:~# echo "overlay" > /etc/modules-load.d/overlay.conf
>...

Kind regards,
Patrick

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.