LKRG — Linux Kernel Runtime Protection
LKRG (Linux Kernel Runtime Guard) is a kernel module that monitors the integrity of kernel structures in real-time, detecting rootkits and privilege escalation exploits. It is developed by the Openwall group, with Adam “pi3” Zabrocki as the lead author.
How Does It Work?
LKRG relies on two main pillars:
- Integrity Checking: LKRG periodically (and in response to certain events) calculates checksums of critical kernel memory areas (such as .text, .rodata, and the system call table sys_call_table). If it detects that “read-only” kernel memory has been altered (a typical behavior of rootkits), it reacts immediately (e.g., by panicking the kernel to prevent further damage).
- Exploit Detection: Most “local privilege escalation” exploits work by directly modifying the cred structure in kernel memory, for example, changing a process’s UID to 0 (root). LKRG monitors these changes. If a process suddenly gains root privileges without going through standard, authorized paths (like setuid or execve), LKRG blocks the attempt and kills the process.
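To make the two pillars concrete, here is a small Python model added for this article (it is not LKRG's own code, which is a C kernel module). It keeps a baseline checksum of constructed stand-ins for .text, .rodata and sys_call_table, and a per-task expected UID that only the setuid/execve hook may update; a direct cred write or a patched table entry then shows up on the next check.

```python
import hashlib

class ToyLKRG:
    """Toy model of LKRG's two checks (added illustration, not LKRG's code)."""

    def __init__(self, regions):
        # Pillar 1: checksum the "read-only" regions once, when the guard loads.
        self.baseline = {name: self._digest(data) for name, data in regions.items()}
        # Pillar 2: the UID each task last acquired through an authorized path.
        self.expected_uid = {}

    @staticmethod
    def _digest(data):
        return hashlib.sha256(data).hexdigest()

    def verify_regions(self, regions):
        """Re-hash every region; return the names whose contents changed."""
        return sorted(n for n, d in regions.items() if self._digest(d) != self.baseline[n])

    def track_task(self, pid, uid):
        self.expected_uid[pid] = uid

    def on_authorized_change(self, pid, new_uid):
        """Hook on setuid/execve: a UID change through these paths is expected."""
        self.expected_uid[pid] = new_uid

    def validate_tasks(self, live_creds):
        """Compare live cred UIDs with expectations; return the PIDs that diverge."""
        return sorted(pid for pid, uid in live_creds.items()
                      if uid != self.expected_uid.get(pid))

def pack_table(entries):
    return b"".join(e.to_bytes(8, "little") for e in entries)

def demo():
    # Constructed stand-ins for kernel memory regions (not real addresses).
    table = [0x1000 + 8 * i for i in range(16)]
    regions = {".text": b"\x90" * 64, ".rodata": b"const data",
               "sys_call_table": pack_table(table)}
    guard = ToyLKRG(regions)
    guard.track_task(1234, 1000)
    guard.track_task(42, 1000)

    # A rootkit replaces one syscall entry in the supposedly read-only table.
    table[5] = 0xDEAD0000
    regions["sys_call_table"] = pack_table(table)
    # PID 42 becomes root via setuid (hooked path); PID 1234's cred is patched directly.
    guard.on_authorized_change(42, 0)
    live_creds = {42: 0, 1234: 0}
    return guard.verify_regions(regions), guard.validate_tasks(live_creds)
```

Only the directly patched task and the modified table are flagged; the setuid transition is accepted because it passed through the hooked path.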
LKRG vs. Grsecurity/PaX
LKRG is often compared to Grsecurity/PaX. While both enhance security, they work differently:
- Grsecurity/PaX: A set of patches that modify the kernel source code to make it harder to exploit bugs (prevention). It requires kernel recompilation.
- LKRG: A loadable kernel module (LKM) that can be added to a standard distribution kernel (e.g., Ubuntu, Fedora) without modification or recompilation. It focuses on detecting an ongoing attack (detection).
Installation (Debian/Ubuntu example)
LKRG is typically not available in standard repositories (except for security-focused distros like Whonix). It is best installed from source using DKMS, which ensures the module is automatically rebuilt when the kernel updates.
- Install dependencies:
  sudo apt install git dkms build-essential linux-headers-$(uname -r)
- Download source:
  git clone https://github.com/lkrg-org/lkrg.git
  cd lkrg
- Install and load:
  sudo make
  sudo make install
  # The module should load automatically. Verify with:
  sudo dmesg | grep LKRG
LKRG is lightweight, does not require kernel recompilation, and covers a whole class of exploits — including zero-days that rely on modifying kernel structures. It is most useful on internet-facing servers and other high-risk systems.