Linux Kernel Runtime Guard (LKRG) [Rig Security]

If you guys are at all concerned about security you might consider installing Linux Kernel Runtime Guard (LKRG). I’ve put together a quick tutorial which worked pretty well for me and has had minimal impact on hashrates. As of this writing, LKRG sits at version 0.9.1. More info about it can be found here:

https://www.openwall.com/lkrg
GitHub - Whonix/lkrg: Linux Kernel Runtime Guard

Start by cloning the git repository:

git clone https://github.com/openwall/lkrg

And, get the required components:

sudo apt-get install linux-headers-$(uname -r)

You can try building it but you’ll likely get an error if you’re running a Hive OS with certain kernel releases (e.g. 5.4.0).

cd lkrg
sudo make -j8

So, get the Hive OS release info:

uname --kernel-release

 e.g. 5.4.0-hiveos

Next, edit LKRG’s main header file:

cd src
xedit p_lkrg_main.h

And, find this chunk of code around line 119:

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(5,4,118) && LINUX_VERSION_CODE < KERNEL_VERSION(5,5,0)) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,191) && LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,233) && LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0))
#define P_LKRG_UNEXPORTED_MODULE_ADDRESS
#endif

Right after the “#if” add in your kernel release version (e.g. 5.4.0) to make it look something like this:

#if LINUX_VERSION_CODE == KERNEL_VERSION(5,4,0) || LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(5,4,118) && LINUX_VERSION_CODE < KERNEL_VERSION(5,5,0)) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,191) && LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)) || \
 (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,233) && LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0))
#define P_LKRG_UNEXPORTED_MODULE_ADDRESS
#endif

Save and exit xedit. Then run the build command again:

cd ..
sudo make -j8

After the build completes successfully, install it:

sudo make install

And, finally set it to load with boot:

xedit /hive/etc/crontab.root

Add this line at the end and save it:

@reboot sleep 60; sudo systemctl start lkrg; sudo systemctl enable lkrg.service;

You might also consider blocking modules:

sudo sysctl -w lkrg.block_modules=1

But be careful playing with some of the settings (e.g. lkrg.profile_enforce), as some of them may cause frequent kernel panics which lead to crashes.
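
To check in advance whether a kernel is already covered by the version condition quoted from p_lkrg_main.h, the same comparison can be run in the shell. This is an added example, not part of the original post or of LKRG: the function names are hypothetical, and the version.h path assumes the linux-headers package for the running kernel is installed.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the unmodified
# p_lkrg_main.h condition for a kernel version. Function names are hypothetical.

# KERNEL_VERSION(a,b,c) = (a << 16) + (b << 8) + c; newer kernels clamp c to 255.
kernel_version() {
    c=$3; [ "$c" -gt 255 ] && c=255
    echo $(( ($1 << 16) + ($2 << 8) + c ))
}

# "5.4.0-hiveos" -> version code; the non-numeric suffix is dropped.
release_to_code() {
    ver=${1%%[!0-9.]*}
    a=${ver%%.*}; rest=${ver#*.}; b=${rest%%.*}
    case $rest in *.*) c=${rest#*.}; c=${c%%.*} ;; *) c=0 ;; esac
    kernel_version "$a" "${b:-0}" "${c:-0}"
}

# True when $1 lies in [$2, $3), mirroring ">= lo && < hi" in the header.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]; }

# Exit status 0 when the original #if (before the edit) is true for code $1.
original_condition() {
    [ "$1" -ge "$(kernel_version 5 9 0)" ] ||
    in_range "$1" "$(kernel_version 5 4 118)" "$(kernel_version 5 5 0)" ||
    in_range "$1" "$(kernel_version 4 19 191)" "$(kernel_version 4 20 0)" ||
    in_range "$1" "$(kernel_version 4 14 233)" "$(kernel_version 4 15 0)"
}

# LINUX_VERSION_CODE as the compiler sees it, read from the installed headers.
headers_code() {
    f="/lib/modules/$(uname -r)/build/include/generated/uapi/linux/version.h"
    [ -r "$f" ] && awk '$2 == "LINUX_VERSION_CODE" { print $3; exit }' "$f"
}

# Prints "covered" or "not-covered" for a release string such as `uname -r` output.
check_release() {
    if original_condition "$(release_to_code "$1")"; then echo covered
    else echo not-covered; fi
}

echo "uname release $(uname -r): $(check_release "$(uname -r)")"
if code=$(headers_code) && [ -n "$code" ]; then
    original_condition "$code" && s=covered || s=not-covered
    echo "headers LINUX_VERSION_CODE=$code: $s"
fi
```

The value read from the headers is what the preprocessor actually compares, so go by that line if it disagrees with the one derived from the release string.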
