Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 8 Jun 2020 20:19:30 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: Outdated sysctl documentation

On 08/06/2020 17:18, Adam Zabrocki wrote:
> Hi,
> 
> We are on the edge of releasing a new LKRG version (0.8). However, we are still 
> working on some features which are changing some of the functinoality. Updating 
> documentation is the last step of the work which is in our TODO list.
> Current documentation refelct the last LKRG release (0.7).
> 
I see, OK no problem.

> Few weeks ago we've completely rewrote communication channel and documentation 
> for it is in the official commit:
> 
> https://bitbucket.org/Adam_pi3/lkrg-main/commits/2febcf467d6182e9bd180334e2601c79812f2cf5
> 
I have a couple of questions, which came to my mind while reading the commit:

-----------
 1) Introduce 'kint_validate' to control kernel/system integrity logic:
    0 - disabled
    1 - validation is performed only when manually triggered
    3 - validation is performed periodically by timer interrupt and on random events
-----------
1. By the "timer interrupt" you mean that if CONFIG_HZ=1000 then the check will 
   be performed 1000 times per second, am I right?
2. What do you mean by random events?
3. Is there a value of "2" or just "1" and "3"?

-----------
 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails:
    0 - log & accept corruption
    1 - log only (for SELinux and CR0.WP violation log & restore original values)
    2 - panic() - kill the kernel
-----------
4. What's actually the difference between "0" and "1"?

-----------
 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails:
    0 - log & accept
    1 - log & restore
    2 - panic() - kill the kernel
-----------
5. Is this similar to the previous one (I mean the value of "0" and "1")?

-----------
 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails:
    0 - log only
    1 - prevent execution
    2 - panic() - kill the kernel
-----------
prevent execution... of?

-----------
 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed
    0 - disabled
    1 - no stackwalk (weak pCFI)
    2 - fully enabled
-----------
What does "1" do here?
Does the CFI stand for Control-Flow Integrity?

-----------
 -> Hiding (lkrg.hide) - if built with this optional feature included, LKRG can
    (un)hide itself from the module list (but it can be detected regardless):
-----------
The doc says that hiding the module can be detected even when lkrg.hide=1 -- any 
example how to detect it in such situation?



Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.