security/wiki
8
0
Fork 1
generated from sig_core/wiki-template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add pages for lkrg and passwdqc #13

Merged
neil merged 2 commits from solardiz-patch-11 into main 2023-11-16 19:31:11 +00:00
Conversation 0 Commits 2 Files Changed 3 +95 -2
3 changed files with 95 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/index.md
View File

@ -38,8 +38,8 @@ You'll normally install packages from the mirrors, which should just work. Howev
### Extra packages (for EL8 and EL9)
- [lkrg](https://lkrg.org) (Linux Kernel Runtime Guard)
- [passwdqc](https://www.openwall.com/passwdqc/) (Password/passphrase strength checking and policy enforcement)
- [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard)
- [passwdqc](packages/passwdqc.md) (Password/passphrase strength checking and policy enforcement)
### Extra packages (currently only for EL9)

57
docs/packages/lkrg.md Normal file
View File

@ -0,0 +1,57 @@
# Extra package: lkrg
## EL8 and EL9
- Version `lkrg-0.9.7-4.el9_2.security`
- Based on upstream version `0.9.7`
### Package summary
LKRG, or Linux Kernel Runtime Guard, is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.
More information is available on the [LKRG homepage](https://lkrg.org) and in the documentation files included in the package.
### Usage in Rocky Linux
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly.
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
```
systemctl start lkrg
```
To enable LKRG on bootup please use:
```
systemctl enable lkrg
```
### Testing and recovery
Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
### Change log
```
* Wed Nov 08 2023 Solar Designer <solar@openwall.com> 0.9.7-4
- Add a couple of upstream patches, most notably to fix kINT false positives on
EL 8.8.
* Tue Oct 24 2023 Solar Designer <solar@openwall.com> 0.9.7-3
- Use weak-modules if available so that on RHEL and its rebuilds the same LKRG
package build works across different kABI-compatible kernel revisions/builds
- Drop 32-bit x86 from ExclusiveArch since recent RHEL lacks such kernel-devel
* Thu Sep 14 2023 Solar Designer <solar@openwall.com> 0.9.7-2
- Use kernel build directory corresponding to the kernel-devel package, not to
the currently running kernel
- "BuildRequires: kernel" for the /lib/modules/* directory
- "BuildRequires: elfutils-libelf-devel" to support CONFIG_UNWINDER_ORC=y
* Thu Sep 14 2023 Solar Designer <solar@openwall.com> 0.9.7-1
- Wrote this rough RPM spec file for Red Hat'ish distros, seems to work fine on
RHEL 7, 8, 9 rebuilds, but is only reliable when there's exactly one
kernel-devel package installed at build time and it exactly matches the target
kernel version.
```

36
docs/packages/passwdqc.md Normal file
View File

@ -0,0 +1,36 @@
# Extra package: passwdqc
## EL8 and EL9
- Version `2.0.3-2.el9_2.security`
- Based on upstream version `2.0.3-2` as packaged in Fedora
### Package summary
`passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`).
More information is available on the [passwdqc homepage](https://www.openwall.com/passwdqc/) and in the documentation files (man pages and a README) included in the sub-packages below.
### Usage in Rocky Linux
There are 4 sub-packages:
#### pam_passwdqc
`pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.
Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371).
#### passwdqc-utils
`pwqcheck` and `pwqgen` are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts.
The `pwqfilter` program searches, creates, or updates binary passphrase filter files, which can also be used with `pwqcheck` and `pam_passwdqc`. This can be used for checking of user-provided passwords against existing data breaches, which is recommended in the current NIST guidance, specifically in publication 800-63B sections 5.1.1.2 and A.3. Paid pre-generated filter files are available from Openwall at the project homepage above, but with this tool you can also generate your own.
#### libpasswdqc
`libpasswdqc` is the underlying library, which may also be used from third-party programs.
#### passwdqc
`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above.