This post was last edited by Dizziness2929 on 2024-4-29 19:34
I'd like to quote a line: some people think that because they understand a certain programming method, they understand the whole computer, but what is the reality?
Please read the LKRG configuration file and documentation carefully; otherwise I will treat all your subsequent replies as harassment and refuse to respond.
In practice, when using LKRG you tune it step by step from the most permissive to the strictest; hardly anyone uses the "default configuration", and that is not what the LKRG project team wants to see either.
https://github.com/lkrg-org/lkrg ... ts/bootup/lkrg.conf
# Quick choice of a pre-defined profile controlling whether and how LKRG acts
# on detected integrity violations and attacks. Allowed values are 0 (log and
# accept), 1 (selective), 2 (strict), and 3 (paranoid). Additionally, this
# setting will read as 9 (custom) if an underlying setting is changed directly
# (potentially deviating from any of the profiles).
#
# Higher-numbered enforcement profiles provide higher likelihood of mitigating
# a compromise or stopping an attack, but also a higher risk of interfering
# with normal system behavior and to a worse extent in case of false positives.
#
# lkrg.profile_enforce=0 can be used for safe testing of LKRG, where any
# detected violations and attacks are logged but no enforcement is performed.
# It can also be useful where LKRG is meant to act as a sensor within a larger
# security monitoring and response setup (e.g., network-wide).
#
# lkrg.profile_enforce=1 performs selective enforcement - log only for kernel
# integrity violations, varying effective actions ranging from killing a task
# to triggering a kernel panic for other types of violations and attacks.
# This mode is extremely unlikely to panic the kernel on a false positive.
#
# lkrg.profile_enforce=2 performs strict enforcement - varying effective
# actions for all types of violations and attacks, including triggering a
# kernel panic for kernel integrity violations.
#
# lkrg.profile_enforce=3 performs the most paranoid enforcement - kernel panic
# for all types of violations and attacks.
#
# Choosing an enforcement profile sets the following underlying settings, which
# are described further below: kint_enforce, pint_enforce, pcfi_enforce,
# umh_enforce, smep_enforce, and smap_enforce.
#
# Also relevant is the kernel's kernel.panic sysctl and panic parameter, which
# makes the system reboot on kernel panic. For example, kernel.panic=60 in
# /etc/sysctl.conf or in a file under the /etc/sysctl.d directory, or panic=60
# on the kernel's command-line, will make the system reboot in 60 seconds after
# a panic. This provides a brief opportunity to read the panic message on the
# console yet makes an unattended server try to come back up on its own.
#
# Profiles are currently available via sysctl only - there are no corresponding
# module parameters. However, the individual underlying settings, which are
# described further below, do have their corresponding module parameters.
#
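Since profiles 2 and 3 can panic the kernel while the kernel.panic sysctl decides whether an unattended box comes back, here is an added sanity check (example code, not from lkrg.conf or the post) that reads sysctl-style "key = value" text and flags a panic-capable profile running with kernel.panic=0; the sample input is constructed, in practice it would come from `sysctl lkrg.profile_enforce kernel.panic`.

```shell
#!/bin/sh
# Constructed sample of sysctl output (hypothetical values, not from a real host).
SAMPLE='lkrg.profile_enforce = 2
kernel.panic = 0'

# profile_name N: human-readable name of a profile_enforce value, per lkrg.conf.
profile_name() {
    case "$1" in
        0) echo "log and accept" ;;
        1) echo "selective" ;;
        2) echo "strict" ;;
        3) echo "paranoid" ;;
        9) echo "custom (an underlying setting was changed directly)" ;;
        *) echo "unknown" ;;
    esac
}

# sysctl_value KEY_REGEX: print the value for a key from sysctl text on stdin.
sysctl_value() {
    sed -n "s/^$1 *= *//p"
}

# check_profile TEXT: print findings; return 0 when the combination is sane,
# 1 when a panic-capable profile runs without kernel.panic auto-reboot.
check_profile() {
    profile=$(printf '%s\n' "$1" | sysctl_value 'lkrg\.profile_enforce')
    panic=$(printf '%s\n' "$1" | sysctl_value 'kernel\.panic')
    echo "lkrg.profile_enforce=${profile:-unset} ($(profile_name "$profile"))"
    echo "kernel.panic=${panic:-unset}"
    case "$profile" in
        # Strict and paranoid may panic on a kernel integrity violation; with
        # kernel.panic=0 the machine would then sit at the panic until someone
        # reaches the console.
        2|3)
            if [ "${panic:-0}" -eq 0 ]; then
                echo "WARN: profile can panic the kernel but kernel.panic=0 (no auto-reboot)"
                return 1
            fi ;;
        # Custom: the profile number says nothing about the real actions, so the
        # individual *_enforce settings have to be reviewed instead.
        9) echo "NOTE: custom profile, review kint_enforce and friends directly" ;;
    esac
    return 0
}

if ! check_profile "$SAMPLE"; then
    echo "Fix: set kernel.panic=60 under /etc/sysctl.d before raising the profile"
fi
```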