Message-ID: <20200614170319.GA28735@openwall.com>
Date: Sun, 14 Jun 2020 19:03:19 +0200
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: How can I check the effectiveness of p_lkrg?

Hi Jacek,

On Wed, Jun 10, 2020 at 05:36:00PM +0100, Pawel Krawczyk wrote:
> On 10/06/2020 08:59, Jacek wrote:
> 
> >How can I check if p_lkrg is working properly or is it only working?
> >I tested some exploits, there is no trace in the logs of any p_lkrg action.
> 
> Your kernel might be too new to trigger LKRG defences as all the 
> vulnerabilities used by these exploits were patched and are stopped 
> before even causing any anomalies. I had the same problem when trying 
> LKRG for the first time a few years ago (although then at least one 
> exploit triggered some alerts).

Pawel is correct - LKRG will only detect kernel exploits that were about
to succeed, which means you'd need to run them on a kernel vulnerable to
the issues being exploited.  Also, LKRG will not detect purely userspace
exploits and attacks.  However, you can test LKRG with kernel rootkits:

https://www.openwall.com/lists/lkrg-users/2020/06/14/5

Also relevant is this slightly older thread on testing LKRG:

https://www.openwall.com/lists/lkrg-users/2020/04/18/3

Unfortunately, we don't currently have a test suite we could release
publicly.  Maybe we should develop and release one.

Alexander

P.S. Jacek, when you post to a mailing list on a new topic, please send
your message to the list posting address anew, not as a "reply".  In
this case, you used the "reply" feature, resulting in your message and
replies to it threaded along with messages in another unrelated thread.
That isn't pretty.
