Using LKRG and tirdad on Debian Buster

I decided to try both the Linux Kernel Runtime Guard (LKRG) and tirdad on a regular Debian 10 (Buster) system. LKRG and tirdad were both installed from the Whonix repository.
So how do you know they work?
Good question.
For LKRG, you will see in your logs (journalctl -xe, journalctl, etc.) that on boot, right after the initial startup of systemd, LKRG starts. The message is printed in orange text, so it is easy to spot that it loaded successfully.
For tirdad, there is an initial message of "Starting tirdad" right after your Login service starts. A few lines later: [>] installing tirdad hook succeeded.
LKRG runs quietly in the background, and sometimes you see messages in the journal. For example, I was playing around with the framebuffer device, trying new settings and omitting others, and LKRG knew about it. It informed me that the checksum for the memory region the device module should occupy was now different. It also lists the name of the module in question and the two checksums so you can see the difference. In my case, I was the cause, so no big deal. But if a malicious module were to try and execute, not only does LKRG see it, but it tells you that you now have an extra module loaded compared to the number it calculated your kernel to have, and it also kills it so it cannot harm your system. Very useful package.
Tirdad stays active after its initial execution (check with systemctl status tirdad and you will see "active").
This one is harder to see in action, but if you have a packet analyzer like Wireshark it is very easy.
Wireshark by default displays "relative sequence numbers", and you need the real number, so go to Edit -> Preferences, select TCP from the "Protocols" list, uncheck the box that says "Relative sequence numbers", press Apply, then OK.
Now for an actual packet, select it from the capture list and use the mouse to go to the TCP section. You will see a field called Sequence Number. Pay attention to that number for the Client Hello and write it down. Many thousands of packets later, take another sample of an initial Client Hello and write it down. Have Wireshark collecting your packets for an entire session. When done, save the pcap file and search for those two numbers. As long as they were indeed the initial sequence numbers, they should not repeat at all.
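The manual check above (note the initial sequence number of a connection, then look for it again later in the capture) can be automated over a whole capture. The following is an added example, not code from the post or from the tirdad project: it parses a classic libpcap file (not pcapng, which Wireshark saves by default, so choose the pcap format when saving), pulls the sequence number out of every IPv4 TCP segment that has SYN set but not ACK (the client's ISN), and reports any ISN that appears more than once. The embedded sample capture is constructed inline so the script runs offline; the packet addresses and sequence numbers in it are made up.

```python
"""Collect TCP initial sequence numbers (ISNs) from a classic pcap and flag repeats."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # raw IPv4/IPv6 frames, no link-layer header


def iter_pcap_packets(data):
    """Yield (linktype, frame_bytes) for each record in a classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not supported here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_syn_isn(linktype, frame):
    """Return (src, dst, isn) for an IPv4 TCP segment with SYN set and ACK clear, else None."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 carrying TCP (protocol 6)
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, _offres, flags = struct.unpack("!HHIIBB", tcp[:14])
    syn, ack = 0x02, 0x10
    if flags & syn and not flags & ack:
        return ("%s:%d" % (src, sport), "%s:%d" % (dst, dport), seq)
    return None


def collect_isns(pcap_bytes):
    """All (src, dst, isn) triples for client SYNs in the capture, in file order."""
    found = []
    for linktype, frame in iter_pcap_packets(pcap_bytes):
        hit = tcp_syn_isn(linktype, frame)
        if hit:
            found.append(hit)
    return found


def repeated_isns(pcap_bytes):
    """Map each ISN that occurs more than once to its count; empty dict means no repeats."""
    counts = Counter(isn for _src, _dst, isn in collect_isns(pcap_bytes))
    return {isn: n for isn, n in counts.items() if n > 1}


# --- constructed sample capture (not a real trace) ---------------------------
def _make_tcp_frame(src_ip, sport, dst_ip, dport, seq, flags):
    """Build Ethernet + IPv4 + TCP headers; checksums are left at zero (parsing only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"
    return eth + ip + tcp


def _build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _build_pcap([
    _make_tcp_frame("10.0.0.2", 40001, "93.184.216.34", 443, 0x1234ABCD, 0x02),  # SYN
    _make_tcp_frame("93.184.216.34", 443, "10.0.0.2", 40001, 0x1234ABCD, 0x12),  # SYN/ACK, ignored
    _make_tcp_frame("10.0.0.2", 40002, "93.184.216.34", 443, 0x5EADBEEF, 0x02),  # SYN
    _make_tcp_frame("10.0.0.2", 40003, "93.184.216.34", 443, 0x1234ABCD, 0x02),  # SYN, ISN repeated
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, dst, isn in collect_isns(data):
        print("%s -> %s ISN 0x%08x" % (src, dst, isn))
    print("repeated ISNs:", {hex(k): v for k, v in repeated_isns(data).items()})
```

Run it with the path of a saved capture as the only argument; with no argument it scans the built-in sample, which deliberately contains one repeated ISN so the report is not empty. An empty "repeated ISNs" result on a long real session is the outcome the post is looking for. Exact repeats are a coarse test, though: a predictable generator can produce values that never collide yet are still guessable, so this script confirms the absence of duplicates, not the quality of the randomization.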
No errors recorded for either package, and they are a welcome addition to your security arsenal.