From d5719a5314e9d207fc0b05c07742db31b369016e Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Thu, 16 Nov 2023 19:53:40 +0100 Subject: [PATCH 1/2] Add packages/lkrg.md --- docs/index.md | 2 +- docs/packages/lkrg.md | 57 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 docs/packages/lkrg.md diff --git a/docs/index.md b/docs/index.md index 81e6996..ad1ac94 100644 --- a/docs/index.md +++ b/docs/index.md @@ -38,7 +38,7 @@ You'll normally install packages from the mirrors, which should just work. Howev ### Extra packages (for EL8 and EL9) -- [lkrg](https://lkrg.org) (Linux Kernel Runtime Guard) +- [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) - [passwdqc](https://www.openwall.com/passwdqc/) (Password/passphrase strength checking and policy enforcement) ### Extra packages (currently only for EL9) diff --git a/docs/packages/lkrg.md b/docs/packages/lkrg.md new file mode 100644 index 0000000..d6774b0 --- /dev/null +++ b/docs/packages/lkrg.md @@ -0,0 +1,57 @@ +# Extra package: lkrg + +## EL8 and EL9 + +- Version `lkrg-0.9.7-4.el9_2.security` +- Based on upstream version `0.9.7` + +### Package summary + +LKRG, or Linux Kernel Runtime Guard, is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. + +More information is available on the [LKRG homepage](https://lkrg.org) and in the documentation files included in the package. + +### Usage in Rocky Linux + +Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly. + +Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use: + +``` +systemctl start lkrg +``` + +To enable LKRG on bootup please use: + +``` +systemctl enable lkrg +``` + +### Testing and recovery + +Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option. + +### Change log + +``` +* Wed Nov 08 2023 Solar Designer 0.9.7-4 +- Add a couple of upstream patches, most notably to fix kINT false positives on +EL 8.8. + +* Tue Oct 24 2023 Solar Designer 0.9.7-3 +- Use weak-modules if available so that on RHEL and its rebuilds the same LKRG + package build works across different kABI-compatible kernel revisions/builds +- Drop 32-bit x86 from ExclusiveArch since recent RHEL lacks such kernel-devel + +* Thu Sep 14 2023 Solar Designer 0.9.7-2 +- Use kernel build directory corresponding to the kernel-devel package, not to +the currently running kernel +- "BuildRequires: kernel" for the /lib/modules/* directory +- "BuildRequires: elfutils-libelf-devel" to support CONFIG_UNWINDER_ORC=y + +* Thu Sep 14 2023 Solar Designer 0.9.7-1 +- Wrote this rough RPM spec file for Red Hat'ish distros, seems to work fine on +RHEL 7, 8, 9 rebuilds, but is only reliable when there's exactly one +kernel-devel package installed at build time and it exactly matches the target +kernel version. +``` From 61a91f576c1e8e3cee0bb95d5a350789e5101c6a Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Thu, 16 Nov 2023 20:21:27 +0100 Subject: [PATCH 2/2] Add packages/passwdqc.md --- docs/index.md | 2 +- docs/packages/passwdqc.md | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 docs/packages/passwdqc.md diff --git a/docs/index.md b/docs/index.md index ad1ac94..21e17cd 100644 --- a/docs/index.md +++ b/docs/index.md @@ -39,7 +39,7 @@ You'll normally install packages from the mirrors, which should just work. Howev ### Extra packages (for EL8 and EL9) - [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard) -- [passwdqc](https://www.openwall.com/passwdqc/) (Password/passphrase strength checking and policy enforcement) +- [passwdqc](packages/passwdqc.md) (Password/passphrase strength checking and policy enforcement) ### Extra packages (currently only for EL9) diff --git a/docs/packages/passwdqc.md b/docs/packages/passwdqc.md new file mode 100644 index 0000000..ab5e7c6 --- /dev/null +++ b/docs/packages/passwdqc.md @@ -0,0 +1,36 @@ +# Extra package: passwdqc + +## EL8 and EL9 + +- Version `2.0.3-2.el9_2.security` +- Based on upstream version `2.0.3-2` as packaged in Fedora + +### Package summary + +`passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`). + +More information is available on the [passwdqc homepage](https://www.openwall.com/passwdqc/) and in the documentation files (man pages and a README) included in the sub-packages below. + +### Usage in Rocky Linux + +There are 4 sub-packages: + +#### pam_passwdqc + +`pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable. + +Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371). + +#### passwdqc-utils + +`pwqcheck` and `pwqgen` are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts. + +The `pwqfilter` program searches, creates, or updates binary passphrase filter files, which can also be used with `pwqcheck` and `pam_passwdqc`. This can be used for checking of user-provided passwords against existing data breaches, which is recommended in the current NIST guidance, specifically in publication 800-63B sections 5.1.1.2 and A.3. Paid pre-generated filter files are available from Openwall at the project homepage above, but with this tool you can also generate your own. + +#### libpasswdqc + +`libpasswdqc` is the underlying library, which may also be used from third-party programs. + +#### passwdqc + +`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above.