generated from sig_core/wiki-template
Add pages for lkrg and passwdqc #13
3 changed files with 95 additions and 2 deletions
|
@ -38,8 +38,8 @@ You'll normally install packages from the mirrors, which should just work. Howev
|
|||
|
||||
### Extra packages (for EL8 and EL9)
|
||||
|
||||
- [lkrg](https://lkrg.org) (Linux Kernel Runtime Guard)
|
||||
- [passwdqc](https://www.openwall.com/passwdqc/) (Password/passphrase strength checking and policy enforcement)
|
||||
- [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard)
|
||||
- [passwdqc](packages/passwdqc.md) (Password/passphrase strength checking and policy enforcement)
|
||||
|
||||
### Extra packages (currently only for EL9)
|
||||
|
||||
|
|
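Review bot: the two rewritten list entries now use relative targets (`packages/lkrg.md`, `packages/passwdqc.md`), which resolve only if this file sits directly under `docs/` beside the new `docs/packages/` directory; please confirm the links against the built site. The upstream homepage links dropped here remain reachable from the new package pages, so readers lose nothing.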
57
docs/packages/lkrg.md
Normal file
|
@ -0,0 +1,57 @@
|
|||
# Extra package: lkrg
|
||||
|
||||
## EL8 and EL9
|
||||
|
||||
- Version `lkrg-0.9.7-4.el9_2.security`
|
||||
- Based on upstream version `0.9.7`
|
||||
|
||||
### Package summary
|
||||
|
||||
LKRG, or Linux Kernel Runtime Guard, is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.
|
||||
|
||||
More information is available on the [LKRG homepage](https://lkrg.org) and in the documentation files included in the package.
|
||||
|
||||
### Usage in Rocky Linux
|
||||
|
||||
Due to EL's kABI stability and the `weak-modules` mechanism, which this package uses, the same binary package of LKRG works across different kernel revisions/builds within the same EL minor release (e.g., 9.2). Once there's a new minor release (e.g., 9.2 is upgraded to 9.3), we'll provide a new build of LKRG accordingly.
|
||||
|
||||
Installing the package does not automatically start LKRG nor enable it to start on system bootup. To start LKRG please use:
|
||||
|
||||
```
|
||||
systemctl start lkrg
|
||||
```
|
||||
|
||||
To enable LKRG on bootup please use:
|
||||
|
||||
```
|
||||
systemctl enable lkrg
|
||||
```
|
||||
|
||||
### Testing and recovery
|
||||
|
||||
Although the current package passed our own testing (on 8.8 and 9.2), we recommend that you only enable LKRG to start on system bootup after you've tested it for a while to ensure its compatibility with your system. If you nevertheless run into a boot time issue with LKRG later, you can disable it with the `nolkrg` kernel command-line option.
|
||||
|
||||
### Change log
|
||||
|
||||
```
|
||||
* Wed Nov 08 2023 Solar Designer <solar@openwall.com> 0.9.7-4
|
||||
- Add a couple of upstream patches, most notably to fix kINT false positives on
|
||||
EL 8.8.
|
||||
|
||||
* Tue Oct 24 2023 Solar Designer <solar@openwall.com> 0.9.7-3
|
||||
- Use weak-modules if available so that on RHEL and its rebuilds the same LKRG
|
||||
package build works across different kABI-compatible kernel revisions/builds
|
||||
- Drop 32-bit x86 from ExclusiveArch since recent RHEL lacks such kernel-devel
|
||||
|
||||
* Thu Sep 14 2023 Solar Designer <solar@openwall.com> 0.9.7-2
|
||||
- Use kernel build directory corresponding to the kernel-devel package, not to
|
||||
the currently running kernel
|
||||
- "BuildRequires: kernel" for the /lib/modules/* directory
|
||||
- "BuildRequires: elfutils-libelf-devel" to support CONFIG_UNWINDER_ORC=y
|
||||
|
||||
* Thu Sep 14 2023 Solar Designer <solar@openwall.com> 0.9.7-1
|
||||
- Wrote this rough RPM spec file for Red Hat'ish distros, seems to work fine on
|
||||
RHEL 7, 8, 9 rebuilds, but is only reliable when there's exactly one
|
||||
kernel-devel package installed at build time and it exactly matches the target
|
||||
kernel version.
|
||||
```
|
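Review bot: under the "EL8 and EL9" heading the only version listed is `lkrg-0.9.7-4.el9_2.security`, which is an EL9 build; either add the EL8 build string or state that the EL8 package carries the same version with its own dist tag. The "Testing and recovery" paragraph also names the `nolkrg` kernel command-line option without saying where it is set; one sentence on adding it at the boot loader for a single boot would make the recovery path usable by someone whose system no longer boots normally.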
36
docs/packages/passwdqc.md
Normal file
|
@ -0,0 +1,36 @@
|
|||
# Extra package: passwdqc
|
||||
|
||||
## EL8 and EL9
|
||||
|
||||
- Version `2.0.3-2.el9_2.security`
|
||||
- Based on upstream version `2.0.3-2` as packaged in Fedora
|
||||
|
||||
### Package summary
|
||||
|
||||
`passwdqc` is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (`pam_passwdqc`), command-line programs (`pwqcheck`, `pwqfilter`, and `pwqgen`), and a library (`libpasswdqc`).
|
||||
|
||||
More information is available on the [passwdqc homepage](https://www.openwall.com/passwdqc/) and in the documentation files (man pages and a README) included in the sub-packages below.
|
||||
|
||||
### Usage in Rocky Linux
|
||||
|
||||
There are 4 sub-packages:
|
||||
|
||||
#### pam_passwdqc
|
||||
|
||||
`pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.
|
||||
|
||||
Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371).
|
||||
|
||||
#### passwdqc-utils
|
||||
|
||||
`pwqcheck` and `pwqgen` are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts.
|
||||
|
||||
The `pwqfilter` program searches, creates, or updates binary passphrase filter files, which can also be used with `pwqcheck` and `pam_passwdqc`. This can be used for checking of user-provided passwords against existing data breaches, which is recommended in the current NIST guidance, specifically in publication 800-63B sections 5.1.1.2 and A.3. Paid pre-generated filter files are available from Openwall at the project homepage above, but with this tool you can also generate your own.
|
||||
|
||||
#### libpasswdqc
|
||||
|
||||
`libpasswdqc` is the underlying library, which may also be used from third-party programs.
|
||||
|
||||
#### passwdqc
|
||||
|
||||
`passwdqc` is a meta sub-package that installs (via dependencies) all 3 actual sub-packages above.
|