
Linux kernel remote logging: approaches, challenges, implementation

This talk is based on research conducted for our Linux Kernel Runtime Guard (LKRG) project, a Linux kernel module that performs runtime integrity checking of the kernel and detects exploitation of security vulnerabilities against the kernel. Delivering LKRG security events to a remote system, and storing and processing them there, is a natural extension of LKRG's functionality. Remote logging is also valuable on its own, including for troubleshooting and post-mortem analysis of security and non-security incidents alike, where the system's local logs might be unavailable, incomplete, or tampered with. In this talk, I start by briefly examining pre-existing remote logging solutions and their suitability. Then I proceed to our own considerations and choices for transport and security protocols and software design, including many of the challenges and trade-offs encountered. Finally, I introduce and demonstrate the initial implementation in LKRG, released in time for the talk, as well as its integration in Rocky Linux via the Security SIG package.

This research and the initial implementation were sponsored by Binarly, a software supply chain security platform, whereas the public release, the Rocky Linux integration, and this talk are due to my work at CIQ, the primary corporate sponsor of Rocky Linux.

Openwall

March 01, 2024