Hello, comrades!
I want to share with you the intricacies of using the LKRG module in Devuan Linux with a DE (GNOME, KDE, LXDE, etc.).
You can find more information about this security module at the link: https://www.openwall.com/lkrg/
To start using this module, you need to download the sources and compile the module itself using the command "make -j8". Next, install the module using the command "make install".
Since the installer of this module is intended for Linux systems using systemd, you will be told about an installation error during installation. It is worth paying attention to this only if you want this module to be loaded at the start of the operating system, but when used on systems with a DE (GNOME, KDE, LXDE, etc.) I do not advise you to do this, because false positives are possible when starting the DE. In order for this module to start working at DE startup, you need to create an executable file in the user's working directory, for example lkrg.sh, with the following content:
#!/bin/bash
sleep 10
sudo /sbin/modprobe p_lkrg p_init_log_level=3
sleep 3
sudo /sbin/sysctl lkrg.clean_message=0
exit 0
And add the following information to the "/etc/sudoers" file:
your_user ALL = NOPASSWD: /sbin/sysctl lkrg.clean_message=0,/sbin/modprobe p_lkrg p_init_log_level=3
After that, the lkrg module will start running every time a user logs into DE.
Offline
Whonix has a DKMS .deb package for LKRG:
https://www.whonix.org/wiki/Linux_Kerne … ource_Code
Their current version is 0.8.1 but the git repository has a debian/watch file so it can be updated with uscan.
The .deb only supplies the systemd unit files but the same effect can be achieved by adding this line to /etc/modules (or in its own file under /etc/modules-load.d/):
p_lkrg
And also add this line to /etc/sysctl.conf (or in its own file under /etc/sysctl.conf.d/):
lkrg.clean_message = 0
No need for lkrg.sh or any additions to /etc/sudoers
Last edited by Head_on_a_Stick (2021-04-13 14:31:39)
Brianna Ghey — Rest In Power
Offline
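A way to confirm that the /etc/modules and sysctl settings discussed in this thread took effect, as an added example that is not part of the original posts. The function names and the root-prefix argument (used only for test fixtures) are hypothetical; the module name p_lkrg is the one used in the thread, and /proc/sys/lkrg/clean_message is the procfs path of the lkrg.clean_message sysctl.

```shell
#!/bin/sh
# Added example: verify that LKRG is loaded and set to load at boot.
# Function names and the ROOT fixture prefix are hypothetical.

# True if FILE ($2) has a line whose first field is the module name ($1).
# Works for /proc/modules and for /etc/modules-style lists, where "#p_lkrg"
# (commented out) does not count as a match.
names_module() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# True if any of the listed boot-time module files names the module ($1).
module_at_boot() {
    mod_name=$1
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        names_module "$mod_name" "$f" && return 0
    done
    return 1
}

# Print one status line. Exit status is 0 only when the module is loaded now
# AND configured to load at boot (so console and SSH logins are covered too).
# $1: root prefix for test fixtures (empty = live system); $2: module name.
lkrg_check() {
    root=${1:-}
    mod=${2:-p_lkrg}   # module name used in this thread
    loaded=no; boot=no; clean=unknown
    if names_module "$mod" "$root/proc/modules"; then loaded=yes; fi
    if module_at_boot "$mod" "$root/etc/modules" \
        "$root"/etc/modules-load.d/*.conf; then boot=yes; fi
    # lkrg.clean_message is exposed by procfs at this path once the module is in;
    # it may be readable by root only, in which case "unknown" is reported.
    if [ -r "$root/proc/sys/lkrg/clean_message" ]; then
        clean=$(cat "$root/proc/sys/lkrg/clean_message")
    fi
    echo "loaded=$loaded boot=$boot clean_message=$clean"
    [ "$loaded" = yes ] && [ "$boot" = yes ]
}
```

Source the file and call `lkrg_check` with no arguments to inspect the live system; run it as root if clean_message is reported as unknown.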
Whonix has a DKMS .deb package for LKRG:
https://www.whonix.org/wiki/Linux_Kerne … ource_Code
Their current version is 0.8.1 but the git repository has a debian/watch file so it can be updated with uscan.
The .deb only supplies the systemd unit files but the same effect can be achieved by adding this line to /etc/modules (or in its own file under /etc/modules-load.d/):
p_lkrg
And also add this line to /etc/sysctl.conf (or in its own file under /etc/sysctl.conf.d/):
lkrg.clean_message = 0
No need for lkrg.sh or any additions to /etc/sudoers
My post is about integrating the "lkrg" module with a DE (GNOME, KDE, XFCE, etc.), not for use on servers and other systems. If you follow your advice, then some of the DE functionality will not work!
Offline
Which functionality will not work?
My suggested configuration files load the module and apply the sysctl setting at boot so they do exactly what your suggested script does.
Brianna Ghey — Rest In Power
Offline
Which functionality will not work?
My suggested configuration files load the module and apply the sysctl setting at boot so they do exactly what your suggested script does.
For example, removable drives (Flash, SD-card) are not mounted when the lkrg module is loaded at system boot, and not when DE starts.
Offline
Well, the systemd unit files supplied by the upstream developers load the module at boot (i.e., before the DE starts) so I presume that is the expected behaviour.
Brianna Ghey — Rest In Power
Offline
Well, the systemd unit files supplied by the upstream developers load the module at boot (i.e., before the DE starts) so I presume that is the expected behaviour.
Yes, I agree with you.
Offline
After that, the lkrg module will start running every time a user logs into DE.
What would happen if a user typed Ctrl-Alt-F1 and logged on to a text console? Or logged on from another system via SSH etc.? You have to look for ways round any security checks.
Chris
Offline
Eaglet wrote: After that, the lkrg module will start running every time a user logs into DE.
What would happen if a user typed Ctrl-Alt-F1 and logged on to a text console? Or logged on from another system via SSH etc.? You have to look for ways round any security checks.
Chris
I am aware of this. That is why I proposed the solution I described.
Offline