From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A53F11381FB for ; Thu, 27 Dec 2012 20:32:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A47D021C27D; Thu, 27 Dec 2012 20:32:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0706D21C28D for ; Thu, 27 Dec 2012 20:32:41 +0000 (UTC) Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id EBBCF33C3B4 for ; Thu, 27 Dec 2012 20:32:40 +0000 (UTC) Received: by flycatcher.gentoo.org (Postfix, from userid 617) id B3A2C2171D; Thu, 27 Dec 2012 20:32:39 +0000 (UTC) 
From: "Sven Vermeulen (swift)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, swift@gentoo.org Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml X-VCS-Repository: gentoo X-VCS-Files: ima-guide.xml X-VCS-Directories: xml/htdocs/proj/en/hardened/integrity/docs X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Message-Id: <20121227203239.B3A2C2171D@flycatcher.gentoo.org> Date: Thu, 27 Dec 2012 20:32:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 923e8160-321e-427e-a51e-e473d710c0e6 X-Archives-Hash: f1a4dea3dab714fbf23b2847c16db13b swift 12/12/27 20:32:39 Modified: ima-guide.xml Log: Further updates on IMA Revision Changes Path 1.3 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.2&r2=1.3 Index: ima-guide.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- ima-guide.xml 26 Dec 2012 20:07:30 -0000 1.2 +++ ima-guide.xml 27 Dec 2012 20:32:39 -0000 1.3 @@ -1,6 +1,6 @@ - + Using Integrity Measurement Architecture in Gentoo @@ -21,8 +21,8 @@ -2 -2012-12-26 +3 +2012-12-27 Purpose of IMA @@ -48,8 +48,8 @@

-With a pending patch, called the IMA appraisal patch, -the IMA subsystem can even register the measured +Since kernel 3.7, an additional patch, called the IMA appraisal patch, +has been merged within the IMA subsystem so it can even register the measured value as an extended attribute, and after subsequent measurement(s) validate this extended attribute against the measured value and refuse to load the file (or execute the application) if the hash does not match. @@ -81,6 +81,36 @@ +
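Review bot: the replacement sentence still describes appraisal as a "patch" that "has been merged within the IMA subsystem", although the point of the change is that it is no longer a pending patch; "within" should be "into", and a plainer form says the same thing: "Since Linux 3.7 the IMA subsystem also supports appraisal: it can register the measured value as an extended attribute, validate it on subsequent measurements and refuse to load the file ... if the hash does not match." Worth a grep of the rest of the document for leftover "pending patch" wording, since this hunk only fixes the one occurrence.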

+The Big Fat Warnings + + +

+Using IMA on your system is currently only recommended for development purposes. +Gentoo Hardened is working on integrating IMA properly, so please be aware +that: +

+ +
    +
  • + users might be able to have your machine run out of (kernel) memory by + having (root-owned) processes generate new files over and over again, which + all get measured and their hashes stored +
  • +
  • + the system might have issues booting if not all files have their hash + registered properly; you are easily warned if this is the case through the + Linux audit subsystem +
  • +
+ +

+We are working on fine-tuning the default policies so that measurements only +occur on legitimate resources. +

+ + +
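Review bot: the first warning is ambiguous about who can trigger the memory exhaustion: it opens with "users" and then narrows to "(root-owned) processes". State the triggering condition explicitly (which operations the ima_tcb policy from the boot line measures, and whether an unprivileged user creating and executing new files is enough), because a root-only denial of service and one any local user can cause are very different warnings. The second bullet should also tell the reader what to do when boot fails (the document elsewhere says to boot with ima_appraise=off), and "you are easily warned" reads oddly; "each failure is logged through the Linux audit subsystem" is clearer. Finally, "The Big Fat Warnings" does not match the register of the other section titles in this guide (for example "Purpose of IMA"); "Current limitations" would fit.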
@@ -91,10 +121,9 @@

First of all, enable the IMA subsystem in the Linux kernel configuration. -IMA is supported in the main tree since 2.6.30, and it is expected that -the IMA appraisal patch (needed when you want the system to stop if it -detects an off-line modified file) will hit the main tree with Linux -3.7. +IMA is supported in the main tree since 2.6.30, and IMA appraisal (needed when +you want the system to stop if it detects an off-line modified file) is merged +in the main tree since 3.7.

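Review bot: "is merged in the main tree since 3.7" is ungrammatical; use "has been part of the main tree since 3.7" or "was merged in 3.7". The parenthetical "needed when you want the system to stop if it detects an off-line modified file" also undersells appraisal: the FAQ added later in this patch shows it denying access to a file that merely lacks a hash. "needed when you want the kernel to refuse access to files whose hash or signature does not validate" matches what the rest of the document demonstrates.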
@@ -104,7 +133,7 @@
 CONFIG_IMA_AUDIT=y
 CONFIG_IMA_LSM_RULES=y
 
-# Only if the IMA appraisal patch is available:
+# Since 3.7:
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_IMA_APPRAISE=y
 
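Review bot: the new comment "# Since 3.7:" turns this block from optional into something that looks mandatory on any 3.7 kernel, while the boot-parameter hunk right after it still says "Only if IMA appraisal is wanted". Keep the two consistent: "# Only if IMA appraisal is wanted (available since 3.7):".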
@@ -122,7 +151,7 @@
 kernel /boot/vmlinuz root=/dev/vda1 ima_tcb
 
-# Only if IMA appraisal patch is enabled:
+# Only if IMA appraisal is wanted:
 kernel /boot/vmlinuz root=/dev/vda1 ima_tcb ima_appraise=enforce ima_appraise_tcb
 
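Review bot: the appraisal boot line goes straight to ima_appraise=enforce ima_appraise_tcb, but the labelling step later in this patch reads every root-owned file so that its hash gets stored, and the FAQ added below shows that in enforce mode a file without a hash is simply denied (cause="missing-hash"). The comment should say that enforce is the end state and name the mode in which the labelling pass has to be run before enforce is switched on; a reader following the document in order otherwise ends up with a kernel that refuses access to the very files they were about to label.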
@@ -240,7 +269,7 @@ -This is only applicable when IMA appraisal patch is enabled. +This is only applicable when IMA appraisal is enabled.

@@ -251,13 +280,21 @@

Next, have all files on the file system checked and their value stored as an extended attribute. This is done by reading all files that the default appraisal -policy will check and take action on (which is all root-owned files). +policy will check and take action on (which is all root-owned files). Note that +this can take a long time...

-~# find / \( -fstype rootfs -o -fstype ext4 -a -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;
+~# find / \( -fstype rootfs -o -fstype ext4 \) -type -uid 0 -exec head -n 1 '{}' > /dev/null \;
 
+

+You might also need to bind-mount the root file system somewhere (like on +/mnt/gentoo) and do the same for the lib64/rc/init.d +location as well as other locations that contain files but become hidden once +the system mounts another file system on top of it. +

+

When done, you should be able to see the registered hash value as an extended attribute: @@ -281,7 +318,8 @@

You can check if this works by booting with ima_appraise=off and changing the contents of a root-owned file (or the value of the extended attribute) and -reboot with ima_appraise=enforce. +reboot with ima_appraise=enforce, or by directly editing virtual guest +images.

@@ -302,9 +340,23 @@

To sign such immutable files (like kernel modules and application code), you need to use the evmctl command provided by the -sys-admin/ima-evm-utils package: +sys-admin/ima-evm-utils package (currently only available in the +hardened-dev overlay). But first, setup the kernel keyring:

+
+~# ima_id=`keyctl newring _ima @u`
+~# evmctl import /path/to/rsa_public.pem $ima_id
+
+ +

+This allows the IMA subsystem to validate the signature (which is also needed +when initially setting the signature) by loading the public key onto the IMA +keyring. You will need to do this every time the system boots, so it makes +sense to do so within an initramfs (early in the boot process): +

+ +
 ~# find /lib/modules -name "*.ko" -type f -uid 0 -exec \
    evmctl sign --imasig '{}' /path/to/rsa_private.pem \;
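Review bot: the moved paragraph now claims that the public key in the _ima keyring is "also needed when initially setting the signature", but the signing command directly below it takes the private key on the command line and never touches the keyring; if setting security.ima really fails without the key loaded, say which kernel check rejects it, otherwise drop the clause. Also, "keyctl newring _ima @u" creates the keyring under the calling user's keyring, so the initramfs advice only holds when the same user context (root) performs the import at boot; a sentence on that, and on keeping /path/to/rsa_private.pem off the appraised system altogether, would make the step safer to follow.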
@@ -326,15 +378,101 @@
 

-To allow the IMA subsystem to validate the signature, you will need to load the -public key onto the IMA keyring. You will need to do this every time the system -boots, so it makes sense to do so within an initramfs (early in the boot -process): +Immutable file support is mainly used to digitally sign the Linux kernel and the +kernel modules and is supported through the EVM technology (which we will +discuss in different documentation) but works well on ELF and other binaries as +well.

-
-~# ima_id=`keyctl newring _ima @u`
-~# evmctl import /path/to/rsa_public.pem $ima_id
+
+
+
+
+
+Asked Questions with Answers
+
+How do I know IMA with appraisal is working? + + +

+This is as simple as finding a file that does not have its hash value stored as +an extended attribute while ima_appraise is in enforcing mode. +

+ +
+# getfattr -m . -d /etc/mtab
+getfattr: Removing leading '/' from absolute path names
+# file: etc/mtab
+security.selinux="system_u:object_r:etc_runtime_t"
+
+# cat /etc/mtab
+cat: /etc/mtab: Permission denied
+
+# dmesg | tail -1
+[  256.756465] type=1800 audit(1356637858.947:53): pid=3852 uid=0 auid=0 ses=2
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="missing-hash" comm="cat"
+name="/etc/mtab" dev="dm-2" ino=394144 res=0
+
+ +

+In the above example, the IMA subsystem reports that the /etc/mtab +file misses its hash value (which should be stored as security.ima) and +as such is denying the cat application access to it. +

+ +

+If you can miss the file (such as with /etc/mtab) you can remove it +and regenerate it if you wish: +

+ +
+# rm /etc/mtab
+# cat /proc/mounts > /etc/mtab
+# restorecon /etc/mtab # If using SELinux
+# evmctl ima_hash /etc/mtab
+# getfattr -m . -d /etc/mtab
+getfattr: Removing leading '/' from absolute path names
+# file: etc/mtab
+security.ima=0sAUlIU5ffoobWOh0FsSIbgh9Ac8YK
+security.selinux="root:object_r:etc_runtime_t"
+
+ + +
+
+I was able to edit an 'immutable' file and still run it. How come? + + +

+If you digitally signed a script using evmctl sign --imasig <file> +<private-key> and then edited the file with vim, then this +behavior is to be expected. vim removes the original file and replaces it +with a new one. The newly created file is given an appropriate hash (but no +digital signature of course) and thus you can still execute it. +

+ +

+The use of digital signatures is more for kernel modules and ELF binaries. But +below an example of how it does work - if you edit the file rather than replace +it. +

+ +
+# evmctl sign --imasig ./test.sh /root/rsa_private.pem
+# ./test.sh
+Hello World (again)
+# echo "echo \"And now...\"" >> test.sh 
+# ./test.sh
+bash: ./test.sh: Permission denied
+# cat test.sh
+cat: test.sh: Permission denied
+# dmesg | tail -2
+[  643.211490] type=1800 audit(1356639603.315:37): pid=3956 uid=0 auid=0 ses=3
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
+comm="bash" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
+[  649.123917] type=1800 audit(1356639609.227:38): pid=3958 uid=0 auid=0 ses=3
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
+comm="cat" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
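Review bot: the second FAQ answer contains the key security point of this section and should state it outright: with the ima_appraise_tcb policy used in this guide, a root-owned file carrying a valid hash in security.ima passes appraisal just as a signed one does, so signing a file only protects it against in-place modification, and anything that replaces the file (an editor that writes a new file, a package upgrade, cp followed by mv) yields a file with a fresh hash that executes. "Immutable" therefore depends on the appraisal policy demanding a signature, not on the signing step alone; as written, the vim explanation reads as an odd corner case rather than the general rule, and "vim removes the original file" should be qualified since it depends on the editor's backup settings. Smaller points: "Asked Questions with Answers" is presumably "Frequently Asked Questions"; "If you can miss the file" should be "If you can do without the file"; the example signs ./test.sh while the audit records show name="/bin/test.sh", so either show the cd or run it from a scratch directory rather than /bin; and "dmesg | tail -1" is fragile, "dmesg | grep appraise_data" finds the record regardless of what was logged after it. In the /etc/mtab recovery, mention that the shell redirection recreates the file as root so it is subject to appraisal again, which is why the evmctl ima_hash step follows immediately.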