Extra package: lkrg - SIG/Security Wiki
Extra package: lkrg
2023-11-27 13:49:44 +00:00
< h2 id = "el9" > EL9< a class = "headerlink" href = "#el9" title = "Permanent link" > ¶ < / a > < / h2 >
< ul >
2024-02-28 02:32:10 +00:00
< li > Version < code > 0.9.8-1.el9_3.security< / code > < / li >
< li > Based on upstream version < code > 0.9.8< / code > < / li >
2023-11-27 13:49:44 +00:00
< / ul >
< h2 id = "el8" > EL8< a class = "headerlink" href = "#el8" title = "Permanent link" > ¶ < / a > < / h2 >
2023-11-16 19:31:38 +00:00
< ul >
2024-02-28 02:32:10 +00:00
< li > Version < code > 0.9.8-1.el8_9.security< / code > < / li >
< li > Based on upstream version < code > 0.9.8< / code > < / li >
2023-11-16 19:31:38 +00:00
< / ul >
< h3 id = "package-summary" > Package summary< a class = "headerlink" href = "#package-summary" title = "Permanent link" > ¶ < / a > < / h3 >
< p > LKRG, or Linux Kernel Runtime Guard, is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.< / p >
< p > More information is available on the < a href = "https://lkrg.org" > LKRG homepage< / a > and in the documentation files included in the package.< / p >
< h3 id = "usage-in-rocky-linux" > Usage in Rocky Linux< a class = "headerlink" href = "#usage-in-rocky-linux" title = "Permanent link" > ¶ < / a > < / h3 >
2024-02-28 02:32:10 +00:00
< p > Due to EL's kABI stability and the < code > weak-modules< / code > mechanism, which this package uses, the same binary package of LKRG usually works across different kernel revisions/builds within the same EL minor release (e.g., 9.3). Once there's a new minor release (e.g., 9.3 is upgraded to 9.4), we'll provide a new build of LKRG accordingly.< / p >
2023-11-16 19:31:38 +00:00
< p > Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > systemctl start lkrg
< / code > < / pre > < / div >
< p > To enable LKRG on bootup please use:< / p >
< div class = "highlight" > < pre > < span > < / span > < code > systemctl enable lkrg
< / code > < / pre > < / div >
< h3 id = "testing-and-recovery" > Testing and recovery< a class = "headerlink" href = "#testing-and-recovery" title = "Permanent link" > ¶ < / a > < / h3 >
2023-11-27 13:49:44 +00:00
< p > Although the current package passed our own testing (on 9.3 and 8.9), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the < code > nolkrg< / code > kernel command-line option.< / p >
2024-02-28 02:32:10 +00:00
< h3 id = "remote-logging" > Remote logging< a class = "headerlink" href = "#remote-logging" title = "Permanent link" > ¶ < / a > < / h3 >
< p > LKRG includes a remote kernel message logging capability.
The corresponding userspace tools are found in the < code > lkrg-logger< / code > sub-package.
Documentation is also included in there, in < code > /usr/share/doc/lkrg-logger/LOGGING< / code > .< / p >
2023-11-16 19:31:38 +00:00
< h3 id = "change-log" > Change log< a class = "headerlink" href = "#change-log" title = "Permanent link" > ¶ < / a > < / h3 >
2024-02-28 02:32:10 +00:00
< div class = "highlight" > < pre > < span > < / span > < code > * Tue Feb 27 2024 Solar Designer < solar@openwall.com> 0.9.8-1
- Update to 0.9.8
- Add logger sub-package
- Mark the sysctl configuration file config(noreplace)
- Use " sort -V" to build against the latest installed version of kernel-devel
* Wed Nov 8 2023 Solar Designer < solar@openwall.com> 0.9.7-4
2023-11-16 19:31:38 +00:00
- Add a couple of upstream patches, most notably to fix kINT false positives on
EL 8.8.
* Tue Oct 24 2023 Solar Designer < solar@openwall.com> 0.9.7-3
- Use weak-modules if available so that on RHEL and its rebuilds the same LKRG
package build works across different kABI-compatible kernel revisions/builds
- Drop 32-bit x86 from ExclusiveArch since recent RHEL lacks such kernel-devel
* Thu Sep 14 2023 Solar Designer < solar@openwall.com> 0.9.7-2
- Use kernel build directory corresponding to the kernel-devel package, not to
the currently running kernel
- " BuildRequires: kernel" for the /lib/modules/* directory
- " BuildRequires: elfutils-libelf-devel" to support CONFIG_UNWINDER_ORC=y
* Thu Sep 14 2023 Solar Designer < solar@openwall.com> 0.9.7-1
- Wrote this rough RPM spec file for Red Hat' ish distros, seems to work fine on
RHEL 7, 8, 9 rebuilds, but is only reliable when there' s exactly one
kernel-devel package installed at build time and it exactly matches the target
kernel version.
< / code > < / pre > < / div >
