Release of the LKRG 0.8 module for protection against exploitation of vulnerabilities in the Linux kernel

The Openwall project has published the release of the kernel module LKRG 0.8 (Linux Kernel Runtime Guard), designed to detect and block attacks and integrity violations of kernel structures. For example, the module can protect against unauthorized modification of the running kernel and against attempts to change the permissions of user processes (detection of exploit usage). The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where it is difficult to update the kernel on a system) and for countering exploits for still unknown vulnerabilities. The project code is distributed under the GPLv2 license.

Among the changes in the new version:

  • The positioning of the LKRG project has changed: it is no longer divided into separate subsystems for integrity checking and exploit detection, but is presented as a single product for detecting attacks and various integrity violations;
  • Compatibility is provided with Linux kernels from 5.3 to 5.7, as well as with kernels built with aggressive GCC optimizations, without the CONFIG_USB and CONFIG_STACKTRACE options or with the CONFIG_UNWINDER_ORC option, and with kernels that lack some of the functions LKRG hooks, where those can be done without;
  • At build time, some mandatory CONFIG_* settings are checked in order to produce meaningful error messages instead of obscure failures;
  • Added support for standby (ACPI S3, suspend to RAM) and hibernation (S4, suspend to disk) modes;
  • Added DKMS support to the Makefile;
  • Experimental support for 32-bit ARM platforms has been implemented (tested on a Raspberry Pi 3 Model B). The previously available AArch64 (ARM64) support has been extended to provide compatibility with the Raspberry Pi 4 board;
  • New hooks have been added, including a handler for the capable() call, for better detection of exploits that manipulate "capabilities" rather than process identifiers (credentials);
  • New logic has been proposed for detecting attempts to escape namespace restrictions (for example, from Docker containers);
  • On x86-64 systems, the SMAP (Supervisor Mode Access Prevention) bit is checked and enforced; it is designed to block access to user-space data from privileged code running at the kernel level. SMEP (Supervisor Mode Execution Prevention) protection was implemented earlier;
  • While running, the LKRG settings are placed in a memory page that is normally read-only;
  • Log information that could be most useful for attacks (for example, information about kernel addresses) is limited to debug mode (log_level=4 and above), which is disabled by default;
  • Scalability of the process-tracking database has been improved: instead of a single RB-tree protected by a single spinlock, a hash table of 512 RB-trees protected by 512 read-write locks is used;
  • A mode has been implemented and enabled by default in which the integrity of process identifiers is checked more often only for the current task, and optionally for tasks being woken up. For the remaining tasks, which are sleeping or running without calling the kernel APIs that LKRG controls, checks are performed less frequently;
  • New sysctl and module parameters have been added for fine-tuning LKRG, as well as two sysctls for simplified configuration by choosing from sets of fine-tuning settings (profiles) prepared by the developers;
  • The default settings have been changed to achieve a more balanced trade-off between the speed of violation detection and the effectiveness of the response on one hand, and the impact on performance and the risk of false positives on the other;
  • The systemd unit file has been reworked to load the LKRG module early in boot (a kernel command-line option can be used to disable the module);

Taking into account the optimizations made in the new release, the performance drop when using LKRG 0.8 is estimated at 2.5% in the default ("heavy") mode and 2% in the lightweight ("light") mode.

In a recently conducted study of the effectiveness of rootkit detection packages, LKRG showed the best results, detecting 8 out of 9 test rootkits operating at the kernel level without false positives (the rootkits Diamorphine, Honey Pot Bears, LilyOfTheValley, Nuk3 Gh0st, Puszek, Reptile, Rootfoo Linux Rootkit and Sutekh were detected, but Keysniffer, which is a kernel module with a keylogger rather than a rootkit in the strict sense, was missed). For comparison, the AIDE, OSSEC and Rootkit Hunter packages each detected 2 out of 9 rootkits, while Chkrootkit detected none. At the same time, LKRG does not support detection of rootkits residing in user space, so the highest effectiveness is achieved by using AIDE and LKRG together, which made it possible to detect 14 out of 15 rootkits of all kinds.

Additionally, it can be noted that the developer of the Whonix distribution has begun producing ready-made packages with DKMS for Debian, Whonix, Qubes and Kicksecure, and the package for Arch Linux has already been updated to version 0.8. Packages with LKRG are also available in the Russian distributions ALT Linux and Astra Linux.

Integrity checking in LKRG is performed by comparing the actual code and data of the kernel and modules, some important data structures and CPU settings against stored hashes or copies of the corresponding memory areas, data structures or registers. Checks are triggered periodically by a timer and upon the occurrence of various events.
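The snapshot-and-compare scheme described above, modelled in user space as an added example (this is not LKRG's own code): hashes of constructed "kernel" regions and copies of the CR0 WP and CR4 SMEP/SMAP bits are stored at baseline, and a later timer- or event-triggered verify() reports every region or register that has drifted. Region names and the KernelState type are assumptions for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for kernel memory and CPU state. In LKRG the regions are
# the kernel/module text and key structures; the bits model CR0/CR4 settings.
@dataclass
class KernelState:
    regions: dict          # name -> bytes, e.g. "kernel_text", "sys_call_table"
    cr0_wp: bool = True    # write-protect bit
    cr4_smep: bool = True  # Supervisor Mode Execution Prevention
    cr4_smap: bool = True  # Supervisor Mode Access Prevention

@dataclass
class IntegrityDB:
    """Baseline: hashes of memory regions and copies of CPU settings."""
    hashes: dict = field(default_factory=dict)
    cpu: dict = field(default_factory=dict)

def snapshot(state: KernelState) -> IntegrityDB:
    """Taken at load time (and re-taken on legitimate events, e.g. module load)."""
    db = IntegrityDB()
    for name, data in state.regions.items():
        db.hashes[name] = hashlib.sha256(data).hexdigest()
    db.cpu = {"cr0_wp": state.cr0_wp, "cr4_smep": state.cr4_smep,
              "cr4_smap": state.cr4_smap}
    return db

def verify(state: KernelState, db: IntegrityDB) -> list:
    """Return names of regions/registers whose current value differs from the baseline."""
    violations = []
    for name, expected in db.hashes.items():
        current = state.regions.get(name)
        if current is None or hashlib.sha256(current).hexdigest() != expected:
            violations.append(name)
    for reg, expected in db.cpu.items():
        if getattr(state, reg) != expected:
            violations.append(reg)
    return violations

def demo() -> list:
    state = KernelState(regions={"kernel_text": b"\x90" * 64,
                                 "sys_call_table": b"\x00" * 32})
    db = snapshot(state)
    assert verify(state, db) == []  # periodic check on an untouched system: clean
    # Constructed tampering: one syscall-table slot is modified and WP is cleared.
    state.regions["sys_call_table"] = b"\x00" * 31 + b"\x41"
    state.cr0_wp = False
    return verify(state, db)  # returns ["sys_call_table", "cr0_wp"]

if __name__ == "__main__":
    print(demo())
```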

Detection of possible exploit usage and blocking of attacks is performed at the stage before the kernel grants access to resources (for example, before opening a file), but after the process has obtained unauthorized permissions (for example, a UID change). When unauthorized behaviour is detected, processes are forcibly terminated by default, which is sufficient to block many exploits.
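A user-space model of the credential check described in this paragraph and of the sharded process database from the change list, added here as an example (not LKRG's own code): each task's entitled credentials are recorded in one of 512 buckets, updated only through hooked APIs, and compared at resource-access time; a mismatch means privileges were gained outside those APIs and the task is terminated. The Creds/ProcessGuard names and the use of plain dicts instead of RB-trees are assumptions.

```python
from dataclasses import dataclass, replace

NR_SHARDS = 512  # LKRG 0.8 splits its process database into 512 trees, one lock each

@dataclass(frozen=True)
class Creds:
    uid: int
    euid: int
    caps: frozenset  # effective capability names, e.g. {"CAP_SYS_ADMIN"}

class ProcessGuard:
    """Tracks the credentials each task is entitled to and checks them on access."""
    def __init__(self):
        # Constructed model of the hash table of per-shard maps (RB-trees in LKRG).
        self.shards = [dict() for _ in range(NR_SHARDS)]
        self.killed = []

    def _shard(self, pid: int) -> dict:
        return self.shards[pid % NR_SHARDS]

    def track(self, pid: int, creds: Creds) -> None:
        """Record creds when a task is created (fork/exec) via LKRG's hooks."""
        self._shard(pid)[pid] = creds

    def legit_change(self, pid: int, **fields) -> None:
        """A credential change made through a hooked kernel API (setuid, capset, ...)."""
        shard = self._shard(pid)
        shard[pid] = replace(shard[pid], **fields)

    def check_access(self, pid: int, actual: Creds) -> bool:
        """Called before the kernel grants a resource (e.g. file open). True = proceed;
        a mismatch means privileges changed outside the hooked APIs, so the task is
        killed, which is LKRG's default action."""
        expected = self._shard(pid).get(pid)
        if expected is None or actual != expected:
            self.killed.append(pid)
            self._shard(pid).pop(pid, None)
            return False
        return True

def demo():
    g = ProcessGuard()
    user = Creds(uid=1000, euid=1000, caps=frozenset())
    g.track(4242, user)
    assert g.check_access(4242, user)
    # Constructed case: the task's in-kernel creds now show uid 0 and CAP_SYS_ADMIN,
    # although no hooked API (setuid/capset) recorded such a change.
    forged = Creds(uid=0, euid=0, caps=frozenset({"CAP_SYS_ADMIN"}))
    blocked = not g.check_access(4242, forged)
    # A privilege change that went through the API is accepted at the next access.
    g.track(4243, user)
    g.legit_change(4243, euid=0)
    allowed = g.check_access(4243, Creds(uid=1000, euid=0, caps=frozenset()))
    return blocked, allowed, g.killed  # returns (True, True, [4242])
```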

source: budenet.ru
