Date: Sun, 14 Jun 2020 19:03:19 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: How can I check the effectiveness of p_lkrg?

Hi Jacek,

On Wed, Jun 10, 2020 at 05:36:00PM +0100, Pawel Krawczyk wrote:
> On 10/06/2020 08:59, Jacek wrote:
>
> >How can I check if p_lkrg is working properly or is it only working?
> >I tested some exploits, there is no trace in the logs of any p_lkrg action.
>
> Your kernel might be too new to trigger LKRG defences as all the
> vulnerabilities used by these exploits were patched and are stopped
> before even causing any anomalies. I had the same problem when trying
> LKRG for the first time a few years ago (although then at least one
> exploit triggered some alerts).

Pawel is correct - LKRG will only detect kernel exploits that were about
to succeed, which means you'd need to run them on a kernel vulnerable to
the issues being exploited. Also, LKRG will not detect purely userspace
exploits and attacks.

However, you can test LKRG with kernel rootkits:

https://www.openwall.com/lists/lkrg-users/2020/06/14/5

Also relevant is this slightly older thread on testing LKRG:

https://www.openwall.com/lists/lkrg-users/2020/04/18/3

Unfortunately, we don't currently have a test suite we could release
publicly. Maybe we should develop and release one.

Alexander

P.S. Jacek, when you post to a mailing list on a new topic, please send
your message to the list posting address anew, not as a "reply". In
this case, you used the "reply" feature, resulting in your message and
replies to it threaded along with messages in another unrelated thread.
That isn't pretty.