Linux Kernel Runtime Guard (LKRG) 0.9.8 Released with Major Improvements

We'll explain the significance of LKRG in more depth, explore its remote logging functionality, and discuss the significant changes introduced in LKRG 0.9.8.

What Is the Significance of LKRG?

LKRG was a project of Adam 'pii3' Zabrocki that was brought under the Openwall umbrella and released to the public in 2018. It performs runtime integrity checks on the Linux kernel to detect security vulnerabilities exploited against the kernel. LKRG tries to detect and respond quickly to unauthorized kernel modifications or changes in credentials for running system processes. This protects against exploits gaining unauthorized access to root through kernel vulnerabilities. LKM Rootkits, Docker containers, and other threats are all included in the module, enabling it to combat most existing and future Linux kernel vulnerabilities. LKRG offers security by diversity but without the drawbacks of running an unusual OS.

LKRG works best on systems that are unlikely to be rebooted to a new kernel or live-patched whenever a kernel vulnerability is found. It provides robust protection from kernel vulnerability exploits without requiring much effort by the user. There is no need to configure a security policy, etc. LKRG is especially beneficial for systems not expected to be updated consistently.

The module can be installed easily in various distros such as RHEL, CentOS, Ubuntu, Whonix, Debian, Rocky Linux, and AlmaLinux.

Remote Logging with LKRG

Remote logging is critical for troubleshooting incidents, centralizing processing for SIEM and EDR, and compliance. While there are pre-existing Linux kernel remote logging solutions, LKRG is an excellent option for Linux kernel remote logging. It offers transport security, provides long-term encryption and authentication of messages and blobs, and is not too susceptible to DoS attacks.

LKRG also offers:

• Reliable delivery
• Congestion control
• Message prioritization
• Roaming support 
• Message encapsulation

According to security specialist Solar Designer, "Delivery, storage, and
processing of LKRG security events to/on a remote system is a natural
extension of LKRG's functionality. Remote logging is also valuable on
its own, including for troubleshooting and post-mortem analyses of
(non-)security incidents, where the system's local logs might be
unavailable, incomplete, or tampered with."

For more technical details, I encourage you to explore Solar Designer's recent presentation on Linux kernel remote logging: approaches, challenges, implementation.

What's New in LKRG 0.9.8?

According to Openwall, the following significant changes have been made in LKRG 0.9.8:

• Added optional remote kernel message logging, including the sending component in LKRG itself and the receiving/logging counterpart in a userspace daemon, as well as additional utilities to generate a public/secret keypair and to process the logs and documentation in LOGGING.
• Added support for RHEL 8.8+.
• More complete documentation of the build requirements.
• The most notable change in this release is the addition of built-in remote kernel message logging capabilities. 

You can get LKRG 0.9.8 here.

Our Final Thoughts on LKRG 0.9.8

LKRG 0.9.8 is an exciting release for those looking to enhance kernel security, especially if they are not engaging in frequent updates. We encourage you to check it out and share your thoughts on X @lnxsec!

That being said, keeping your systems patched against the latest security flaws is another essential defense mechanism against attacks exploiting known vulnerabilities.

Be sure to subscribe to our newsletters for the latest updates, news, and advisories impacting your security as a Linux user.