* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-12-27 20:32 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-27 20:32 UTC
To: gentoo-commits
swift 12/12/27 20:32:39
Modified: ima-guide.xml
Log:
Further updates on IMA
Revision Changes Path
1.3 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.2&r2=1.3
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- ima-guide.xml 26 Dec 2012 20:07:30 -0000 1.2
+++ ima-guide.xml 27 Dec 2012 20:32:39 -0000 1.3
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.2 2012/12/26 20:07:30 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.3 2012/12/27 20:32:39 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>2</version>
-<date>2012-12-26</date>
+<version>3</version>
+<date>2012-12-27</date>
<chapter>
<title>Purpose of IMA</title>
@@ -48,8 +48,8 @@
</p>
<p>
-With a pending patch, called the <e>IMA appraisal patch</e>,
-the IMA subsystem can even register the measured
+Since kernel 3.7, an additional patch, called the <e>IMA appraisal patch</e>,
+has been merged within the IMA subsystem so it can even register the measured
value as an extended attribute, and after subsequent measurement(s)
validate this extended attribute against the measured value and refuse
to load the file (or execute the application) if the hash does not match.
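Review bot: the new sentence reads awkwardly ("has been merged within the IMA subsystem so it can even register"); suggest "has been merged into the IMA subsystem, so it can also register the measured value as an extended attribute ...", and since the old text called the appraisal patch "pending", it is worth stating once that no out-of-tree patch is needed from 3.7 on, which is what the later kernel-configuration hunk in this revision relies on.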
@@ -81,6 +81,36 @@
</body>
</section>
+<section>
+<title>The Big Fat Warnings</title>
+<body>
+
+<p>
+Using IMA on your system is currently only recommended for development purposes.
+Gentoo Hardened is working on integrating IMA properly, so please be aware
+that:
+</p>
+
+<ul>
+ <li>
+ users might be able to have your machine run out of (kernel) memory by
+ having (root-owned) processes generate new files over and over again, which
+ all get measured and their hashes stored
+ </li>
+ <li>
+ the system might have issues booting if not all files have their hash
+ registered properly; you are easily warned if this is the case through the
+ Linux audit subsystem
+ </li>
+</ul>
+
+<p>
+We are working on fine-tuning the default policies so that measurements only
+occur on legitimate resources.
+</p>
+
+</body>
+</section>
</chapter>
<chapter>
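Review bot: the second warning says you are "easily warned" through the Linux audit subsystem, but the guide's own FAQ examples added further down in this revision read the `type=1800 audit(...)` records from `dmesg`, and a later revision notes that the full audit log needs `auditd` running; suggest saying that appraisal failures appear as `type=1800` records in `dmesg` (and in the audit log when auditd runs). For the first warning, name what actually grows: the in-kernel measurement list that `ima_tcb` fills with one entry per measured file, which is why unbounded file creation by root-owned processes is a resource-exhaustion concern.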
@@ -91,10 +121,9 @@
<p>
First of all, enable the IMA subsystem in the Linux kernel configuration.
-IMA is supported in the main tree since 2.6.30, and it is expected that
-the IMA appraisal patch (needed when you want the system to stop if it
-detects an off-line modified file) will hit the main tree with Linux
-3.7.
+IMA is supported in the main tree since 2.6.30, and IMA appraisal (needed when
+you want the system to stop if it detects an off-line modified file) is merged
+in the main tree since 3.7.
</p>
<pre caption="Linux kernel configuration for IMA">
@@ -104,7 +133,7 @@
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
-<comment># Only if the IMA appraisal patch is available:</comment>
+<comment># Since 3.7:</comment>
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA_APPRAISE=y
</pre>
@@ -122,7 +151,7 @@
<pre caption="Bootloader configuration to enable IMA TCB policy">
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>
-<comment># Only if IMA appraisal patch is enabled:</comment>
+<comment># Only if IMA appraisal is wanted:</comment>
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
</pre>
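Review bot: the second kernel line goes straight to `ima_appraise=enforce`, but on a first boot no `security.ima` attributes exist yet, so every root-owned file would be refused and the system would not come up (the appraisal section of this guide makes the same point). The bootloader example should show `ima_appraise=fix` for the initial run and reserve `enforce` for after the hashes have been registered.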
@@ -240,7 +269,7 @@
<body>
<note>
-This is only applicable when IMA appraisal patch is enabled.
+This is only applicable when IMA appraisal is enabled.
</note>
<p>
@@ -251,13 +280,21 @@
<p>
Next, have all files on the file system checked and their value stored as an
extended attribute. This is done by reading all files that the default appraisal
-policy will check and take action on (which is all root-owned files).
+policy will check and take action on (which is all root-owned files). Note that
+this can take a long time...
</p>
<pre caption="Registering all files">
-~# <i>find / \( -fstype rootfs -o -fstype ext4 -a -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
+~# <i>find / \( -fstype rootfs -o -fstype ext4 \) -type -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
</pre>
+<p>
+You might also need to bind-mount the root file system somewhere (like on
+<path>/mnt/gentoo</path>) and do the same for the <path>lib64/rc/init.d</path>
+location as well as other locations that contain files but become hidden once
+the system mounts another file system on top of it.
+</p>
+
<p>
When done, you should be able to see the registered hash value as an extended
attribute:
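Review bot: the replaced find command drops the `f` after `-type`, so `-type -uid 0` makes find reject the argument and nothing gets registered; the line should read `find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' > /dev/null \;`. The `> /dev/null` redirects find's own stdout rather than each head's, which is fine here since head's output is all that is printed. The new paragraph about bind-mounting the root file system is useful; it would help to say why: files hidden under a later mount point (the `lib64/rc/init.d` example) are read during early boot before that mount exists, so they are appraised too and need a stored hash.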
@@ -281,7 +318,8 @@
<p>
You can check if this works by booting with <c>ima_appraise=off</c> and changing
the contents of a root-owned file (or the value of the extended attribute) and
-reboot with <c>ima_appraise=enforce</c>.
+reboot with <c>ima_appraise=enforce</c>, or by directly editing virtual guest
+images.
</p>
</body>
@@ -302,9 +340,23 @@
<p>
To sign such immutable files (like kernel modules and application code), you
need to use the <c>evmctl</c> command provided by the
-<path>sys-admin/ima-evm-utils</path> package:
+<path>sys-admin/ima-evm-utils</path> package (currently only available in the
+hardened-dev overlay). But first, setup the kernel keyring:
</p>
+<pre caption="Loading the public key in the IMA keyring">
+~# <i>ima_id=`keyctl newring _ima @u`</i>
+~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i>
+</pre>
+
+<p>
+This allows the IMA subsystem to validate the signature (which is also needed
+when initially setting the signature) by loading the public key onto the IMA
+keyring. You will need to do this every time the system boots, so it makes
+sense to do so within an initramfs (early in the boot process):
+</p>
+
+
<pre caption="Signing files to mark them as immutable">
~# <i>find /lib/modules -name "*.ko" -type f -uid 0 -exec \
evmctl sign --imasig '{}' /path/to/rsa_private.pem \;</i>
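Review bot: `keyctl newring _ima @u` creates the `_ima` keyring in the calling user's keyring, so this has to run as root for the kernel to find it; the text should say so, and should say that the import must happen before any signed file is appraised (which is the real reason it belongs in the initramfs, in addition to "every boot"). Both `/path/to/rsa_public.pem` and `/path/to/rsa_private.pem` are placeholders and should be called out as such, and the signing example should warn that the private key must not live on the appraised system itself once signing is done.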
@@ -326,15 +378,101 @@
</pre>
<p>
-To allow the IMA subsystem to validate the signature, you will need to load the
-public key onto the IMA keyring. You will need to do this every time the system
-boots, so it makes sense to do so within an initramfs (early in the boot
-process):
+Immutable file support is mainly used to digitally sign the Linux kernel and the
+kernel modules and is supported through the EVM technology (which we will
+discuss in different documentation) but works well on ELF and other binaries as
+well.
</p>
-<pre caption="Loading the public key in the IMA keyring">
-~# <i>ima_id=`keyctl newring _ima @u`</i>
-~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i>
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Asked Questions with Answers</title>
+<section>
+<title>How do I know IMA with appraisal is working?</title>
+<body>
+
+<p>
+This is as simple as finding a file that does not have its hash value stored as
+an extended attribute while ima_appraise is in enforcing mode.
+</p>
+
+<pre caption="Checking if IMA with appraisal is working">
+# <i>getfattr -m . -d /etc/mtab</i>
+getfattr: Removing leading '/' from absolute path names
+# file: etc/mtab
+security.selinux="system_u:object_r:etc_runtime_t"
+
+# <i>cat /etc/mtab</i>
+cat: /etc/mtab: Permission denied
+
+# <i>dmesg | tail -1</i>
+[ 256.756465] type=1800 audit(1356637858.947:53): pid=3852 uid=0 auid=0 ses=2
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="missing-hash" comm="cat"
+name="/etc/mtab" dev="dm-2" ino=394144 res=0
+</pre>
+
+<p>
+In the above example, the IMA subsystem reports that the <path>/etc/mtab</path>
+file misses its hash value (which should be stored as <e>security.ima</e>) and
+as such is denying the <c>cat</c> application access to it.
+</p>
+
+<p>
+If you can miss the file (such as with <path>/etc/mtab</path>) you can remove it
+and regenerate it if you wish:
+</p>
+
+<pre caption="Regenerating file">
+# <i>rm /etc/mtab</i>
+# <i>cat /proc/mounts > /etc/mtab</i>
+# <i>restorecon /etc/mtab</i> <comment># If using SELinux</comment>
+# <i>evmctl ima_hash /etc/mtab</i>
+# <i>getfattr -m . -d /etc/mtab</i>
+getfattr: Removing leading '/' from absolute path names
+# file: etc/mtab
+security.ima=0sAUlIU5ffoobWOh0FsSIbgh9Ac8YK
+security.selinux="root:object_r:etc_runtime_t"
+</pre>
+
+</body>
+</section>
+<section>
+<title>I was able to edit an 'immutable' file and still run it. How come?</title>
+<body>
+
+<p>
+If you digitally signed a script using <c>evmctl sign --imasig <file>
+<private-key></c> and then edited the file with <c>vim</c>, then this
+behavior is to be expected. <c>vim</c> removes the original file and replaces it
+with a new one. The newly created file is given an appropriate hash (but no
+digital signature of course) and thus you can still execute it.
+</p>
+
+<p>
+The use of digital signatures is more for kernel modules and ELF binaries. But
+below an example of how it does work - if you edit the file rather than replace
+it.
+</p>
+
+<pre caption="Example of digitally signed file">
+# <i>evmctl sign --imasig ./test.sh /root/rsa_private.pem</i>
+# <i>./test.sh</i>
+Hello World (again)
+# echo "echo \"And now...\"" >> test.sh
+# <i>./test.sh</i>
+bash: ./test.sh: Permission denied
+# <i>cat test.sh</i>
+cat: test.sh: Permission denied
+# <i>dmesg | tail -2</i>
+[ 643.211490] type=1800 audit(1356639603.315:37): pid=3956 uid=0 auid=0 ses=3
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
+comm="bash" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
+[ 649.123917] type=1800 audit(1356639609.227:38): pid=3958 uid=0 auid=0 ses=3
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
+comm="cat" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
</pre>
</body>
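Review bot: `<c>evmctl sign --imasig <file> <private-key></c>` contains raw `<file>` and `<private-key>`, which the XML parser reads as unclosed elements and will reject the whole guide; write them as `&lt;file&gt;` and `&lt;private-key&gt;`. In the signed-file example, `# echo "echo \"And now...\"" >> test.sh` is the only command without `<i>` markup, and "If you can miss the file" should read "If you can do without the file". The explanation of the vim case is right (the replacement inode gets a fresh hash, not a signature); it would be worth stating the consequence plainly: a stored hash only detects offline modification, whereas a signature also binds the content to a key, which is why the text recommends signatures for kernel modules and ELF binaries rather than for editable scripts.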
^ permalink raw reply [flat|nested] 9+ messages in thread
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2013-01-19 21:02 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-01-19 21:02 UTC
To: gentoo-commits
swift 13/01/19 21:02:18
Modified: ima-guide.xml
Log:
Add NFS file system to ignore appraisal/measurements on
Revision Changes Path
1.10 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.10&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.10&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.9&r2=1.10
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ima-guide.xml 6 Jan 2013 18:45:41 -0000 1.9
+++ ima-guide.xml 19 Jan 2013 21:02:18 -0000 1.10
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.9 2013/01/06 18:45:41 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.10 2013/01/19 21:02:18 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>9</version>
-<date>2013-01-06</date>
+<version>10</version>
+<date>2013-01-19</date>
<chapter>
<title>Purpose of IMA</title>
@@ -543,6 +543,9 @@
<comment># SELINUX_MAGIC = 0xf97cff8c</comment>
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0xf97cff8c
+<comment># NFS_MAGIC = 0x6969</comment>
+dont_measure fsmagic=0x6969
+dont_appraise fsmagic=0x6969
<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
dont_appraise fsmagic=0x27e0eb
<comment># Some defaults for measurement</comment>
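Review bot: `dont_measure fsmagic=0x6969` and `dont_appraise fsmagic=0x6969` exempt every file on an NFS mount from both measurement and appraisal, including anything executed from it; because IMA applies the first matching rule, placing these ahead of the `measure func=BPRM_CHECK` rules means NFS-hosted executables are never recorded at all. The commit log says this is deliberate, so the policy comment should state the reason for the exemption rather than only the magic value, so that a reader does not copy the rule into an environment where executables are served from NFS.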
@@ -611,7 +614,7 @@
#!/sbin/runscript
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.9 2013/01/06 18:45:41 swift Exp $
+# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.10 2013/01/19 21:02:18 swift Exp $
description="Load in custom IMA policy"
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2013-01-06 18:45 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-01-06 18:45 UTC
To: gentoo-commits
swift 13/01/06 18:45:41
Modified: ima-guide.xml
Log:
Correct find command
Revision Changes Path
1.9 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.9&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.9&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.8&r2=1.9
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- ima-guide.xml 4 Jan 2013 18:39:13 -0000 1.8
+++ ima-guide.xml 6 Jan 2013 18:45:41 -0000 1.9
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.8 2013/01/04 18:39:13 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.9 2013/01/06 18:45:41 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>8</version>
-<date>2013-01-04</date>
+<version>9</version>
+<date>2013-01-06</date>
<chapter>
<title>Purpose of IMA</title>
@@ -234,7 +234,7 @@
</p>
<pre caption="Registering all files">
-~# <i>find / \( -fstype rootfs -o -fstype ext4 \) -type -uid 0 -exec evmctl ima_hash '{}' > /dev/null \;</i>
+~# <i>find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec evmctl ima_hash '{}' > /dev/null \;</i>
</pre>
<p>
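Review bot: this restores the `f` that `-type` was missing, so the command is now correct. Since `evmctl ima_hash` writes the `security.ima` attribute directly, the surrounding text could note that the earlier `head -n 1` approach relied on reading the file under `ima_appraise=fix`, whereas this form does the work explicitly; the `> /dev/null` still applies to find's own output, which is fine.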
@@ -611,7 +611,7 @@
#!/sbin/runscript
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.8 2013/01/04 18:39:13 swift Exp $
+# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.9 2013/01/06 18:45:41 swift Exp $
description="Load in custom IMA policy"
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2013-01-04 18:39 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2013-01-04 18:39 UTC
To: gentoo-commits
swift 13/01/04 18:39:13
Modified: ima-guide.xml
Log:
Add reference to patch needed for custom IMA policies
Revision Changes Path
1.8 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.8&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.8&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.7&r2=1.8
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ima-guide.xml 29 Dec 2012 21:31:17 -0000 1.7
+++ ima-guide.xml 4 Jan 2013 18:39:13 -0000 1.8
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.7 2012/12/29 21:31:17 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.8 2013/01/04 18:39:13 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>7</version>
-<date>2012-12-29</date>
+<version>8</version>
+<date>2013-01-04</date>
<chapter>
<title>Purpose of IMA</title>
@@ -545,6 +545,9 @@
dont_appraise fsmagic=0xf97cff8c
<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
dont_appraise fsmagic=0x27e0eb
+<comment># Some defaults for measurement</comment>
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
<comment># Do not measure all types that have the "logfile" SELinux attribute
# You can use seinfo -alogfile -x to get an overview of all these types</comment>
dont_measure obj_type=initrc_var_log_t
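Review bot: moving `measure func=FILE_MMAP mask=MAY_EXEC` and `measure func=BPRM_CHECK mask=MAY_EXEC` above the `dont_measure obj_type=...` lines changes what the policy means, because IMA applies the first rule that matches: an executable (or executable mapping) is now measured even when the file carries one of the listed log types, whereas before the dont_measure rules shadowed the measure rules for those types. That is the safer ordering (a log file that somehow gets executed is still recorded), but the commit log only mentions the patch reference, so the surrounding text should explain the reordering and the first-match rule.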
@@ -576,12 +579,18 @@
dont_appraise obj_type=fsadm_log_t
dont_appraise obj_type=auditd_log_t
<comment># Remainder of the defaults</comment>
-measure func=FILE_MMAP mask=MAY_EXEC
-measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0
</pre>
+<note>
+A small bug in the 3.7 kernel series requires a small <uri
+link="https://sourceforge.net/mailarchive/message.php?msg_id=30306475">patch</uri>
+to be applied if you are planning on using a custom policy based on SELinux rules
+(actually any LSM-implemented security subsystem rule).
+</note>
+
+
<p>
Make sure no empty lines are in the policy; if not, it will be refused. You can
check the output of <c>dmesg</c> for hints why the policy was refused (it shows
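Review bot: the note should say what a reader sees without the patch (whether the policy is refused on load or the LSM rules silently fail to match), so that the `dmesg` hints described in the next paragraph can be recognised for what they are; also two consecutive blank lines are left after `</note>` where the rest of the file uses one.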
@@ -602,7 +611,7 @@
#!/sbin/runscript
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.7 2012/12/29 21:31:17 swift Exp $
+# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.8 2013/01/04 18:39:13 swift Exp $
description="Load in custom IMA policy"
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-12-29 18:18 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-29 18:18 UTC
To: gentoo-commits
swift 12/12/29 18:18:27
Modified: ima-guide.xml
Log:
Add SELinux types to not measure/appraise
Revision Changes Path
1.6 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.5&r2=1.6
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5
+++ ima-guide.xml 29 Dec 2012 18:18:27 -0000 1.6
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,7 +21,7 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>5</version>
+<version>6</version>
<date>2012-12-29</date>
<chapter>
@@ -540,9 +540,36 @@
dont_appraise fsmagic=0xf97cff8c
<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
dont_appraise fsmagic=0x27e0eb
-<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
-dont_measure obj_type=logfile
-dont_appraise obj_type=logfile
+<comment># Do not measure all types that have the "logfile" SELinux attribute
+# You can use seinfo -alogfile -x to get an overview of all these types</comment>
+dont_measure obj_type=initrc_var_log_t
+dont_measure obj_type=nscd_log_t
+dont_measure obj_type=auth_cache_t
+dont_measure obj_type=cron_log_t
+dont_measure obj_type=faillog_t
+dont_measure obj_type=lastlog_t
+dont_measure obj_type=puppet_log_t
+dont_measure obj_type=var_log_t
+dont_measure obj_type=wtmp_t
+dont_measure obj_type=portage_log_t
+dont_measure obj_type=getty_log_t
+dont_measure obj_type=rsync_log_t
+dont_measure obj_type=fsadm_log_t
+dont_measure obj_type=auditd_log_t
+dont_appraise obj_type=initrc_var_log_t
+dont_appraise obj_type=nscd_log_t
+dont_appraise obj_type=auth_cache_t
+dont_appraise obj_type=cron_log_t
+dont_appraise obj_type=faillog_t
+dont_appraise obj_type=lastlog_t
+dont_appraise obj_type=puppet_log_t
+dont_appraise obj_type=var_log_t
+dont_appraise obj_type=wtmp_t
+dont_appraise obj_type=portage_log_t
+dont_appraise obj_type=getty_log_t
+dont_appraise obj_type=rsync_log_t
+dont_appraise obj_type=fsadm_log_t
+dont_appraise obj_type=auditd_log_t
<comment># Remainder of the defaults</comment>
measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
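Review bot: replacing `obj_type=logfile` with the expanded list implies that `obj_type=` takes concrete SELinux types and not attributes; the comment should say so explicitly, and should say that the list is a snapshot of `seinfo -alogfile -x` for the policy in use and has to be regenerated whenever the SELinux policy changes. Each type appears twice (`dont_measure` and `dont_appraise`), so both halves must be updated together; it is also worth reminding readers that these rules only take effect with `CONFIG_IMA_LSM_RULES=y`, which the kernel configuration earlier in the guide sets.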
@@ -559,6 +586,31 @@
the information you need.
</p>
+<p>
+Have the policy be loaded in as soon as possible, either in an initramfs or
+early in the boot process through an init script in the <e>sysinit</e> runlevel.
+I keep my policy in <path>/etc/ima</path> and use the following small init
+script to load it early on:
+</p>
+
+<pre caption="Init script to load a custom ima policy">
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $
+
+description="Load in custom IMA policy"
+
+depend() {
+ need sysfs
+}
+
+start() {
+ ebegin "Loading custom IMA policy"
+ cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy
+ eend $?
+}
+</pre>
</body>
</section>
</chapter>
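Review bot: the `$Header: ... $` line inside the `<pre>` is a CVS keyword that gets expanded on every commit, which is why later revisions of this file carry otherwise empty hunks touching only that line; drop it from the sample script (or escape the keyword) so the example is stable. The script writes to `/sys/kernel/security/ima/policy`, which exists only while securityfs is mounted and before a policy has been accepted (the text above notes the file disappears once loaded), so `need sysfs` is right but a second `start` would fail; consider having `start()` test for the file and skip with a message when the policy is already in place.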
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-12-29 13:11 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-29 13:11 UTC
To: gentoo-commits
swift 12/12/29 13:11:04
Modified: ima-guide.xml
Log:
Add info on custom policies
Revision Changes Path
1.5 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.4&r2=1.5
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- ima-guide.xml 28 Dec 2012 20:09:04 -0000 1.4
+++ ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.4 2012/12/28 20:09:04 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>4</version>
-<date>2012-12-28</date>
+<version>5</version>
+<date>2012-12-29</date>
<chapter>
<title>Purpose of IMA</title>
@@ -152,13 +152,14 @@
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>
<comment># Only if IMA appraisal is wanted:</comment>
-kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
+kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=fix ima_appraise_tcb</i>
</pre>
<p>
-However, at the first boot, you will need to set <c>ima_appraise=fix</c>
-instead. Otherwise, your system will surely refuse to boot as no preregistered
-values are available.
+We currently set <c>ima_appraise=fix</c> because the integrity hashes have not
+been stored yet. If we would run with <c>ima_appraise=enforce</c> immediately,
+the system would simply refuse to boot properly as all file accesses would be
+denied. We will switch to <c>ima_appraise=enforce</c> later.
</p>
</body>
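Review bot: switching the example to `ima_appraise=fix` is right for the first boot, but the paragraph should warn that fix mode stores the hash of whatever is on disk at that moment, so the registration pass must be run from a state you trust (a fresh or verified installation), otherwise an earlier modification is simply blessed; it should also say where "later" is, i.e. that `fix` is a one-time setting to be replaced by `enforce` in the bootloader configuration once the hashes are stored, as the appraisal section further down does.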
@@ -195,6 +196,17 @@
/dev/vda1 / ext4 noatime<i>,iversion</i> 1 2
</pre>
+<p>
+For the root file system, you might want to enable it through the
+<c>rootflags</c> kernel parameter as well so that it gets mounted immediately
+with i_version support when the Linux kernel mounts the root file system.
+</p>
+
+<pre caption="Using rootflags in the bootloader configuration">
+<comment># Example kernel line for a GRUB setup</comment>
+kernel /boot/kernel root=/dev/vg/root rootflags=i_version dolvm ima_tcb ima_appraise=enforce ima_appraise_tcb
+</pre>
+
</body>
</section>
</chapter>
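Review bot: the rootflags kernel line uses `ima_appraise=enforce`, while the hunk above in this same revision changes the first-boot example to `ima_appraise=fix`; a reader copying this line for the initial boot gets exactly the refuse-to-boot situation the text warns about, so either use `fix` here too or say that this line is for after registration. The fstab line spells the option `iversion` while rootflags uses `i_version`; a sentence noting that `rootflags` is parsed by the file system driver (hence the ext4 spelling) whereas fstab options go through mount(8) would avoid confusion.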
@@ -310,7 +322,8 @@
<p>
Finally, reboot with <c>ima_appraise=enforce</c>. The system should now run with
appraisal enabled, causing the system to validate the hash against the stored
-value before using it. If it doesn't match, then the file is not loaded. If it
+value before using it. If it doesn't match, then the file is not loaded and any
+access towards it will be denied with a <e>Permission denied</e> error. If it
does match, and afterwards the file is modified, then the new hash is stored as
extended attribute.
</p>
@@ -477,6 +490,77 @@
</body>
</section>
+<section>
+<title>How do I load in my own, custom IMA policy?</title>
+<body>
+
+<p>
+You can load in an IMA policy by <c>cat</c>'ing it into
+<path>/sys/kernel/security/ima/policy</path>. If the policy is accepted, then
+the command will succeed and the <path>policy</path> (pseudo)file will disappear
+(this is by design, so that malicious users cannot alter the policy once
+loaded).
+</p>
+
+<p>
+Below is an example custom policy, taken from the default one with one addition:
+ask it not to measure and appraise log files (through the use of the SELinux
+<c>logfile</c> attribute).
+</p>
+
+<pre caption="Example IMA custom policy">
+<comment># Magics can be found in kernel/include/uapi/linux/magic.h
+# Default can be found in security/integrity/ima/ima_policy.c
+# PROC_SUPER_MAGIC = 0x9fa0</comment>
+dont_measure fsmagic=0x9fa0
+dont_appraise fsmagic=0x9fa0
+<comment># SYSFS_MAGIC = 0x62656572</comment>
+dont_measure fsmagic=0x62656572
+dont_appraise fsmagic=0x62656572
+<comment># DEBUGFS_MAGIC = 0x64626720</comment>
+dont_measure fsmagic=0x64626720
+dont_appraise fsmagic=0x64626720
+<comment># TMPFS_MAGIC = 0x01021994</comment>
+dont_measure fsmagic=0x01021994
+dont_appraise fsmagic=0x01021994
+<comment># RAMFS_MAGIC = 0x858458f6</comment>
+dont_measure fsmagic=0x858458f6
+dont_appraise fsmagic=0x858458f6
+<comment># DEVPTS_SUPER_MAGIC = 0x1cd1</comment>
+dont_measure fsmagic=0x1cd1
+dont_appraise fsmagic=0x1cd1
+<comment># BINFMTFS_MAGIC = 0x42494e4d</comment>
+dont_measure fsmagic=0x42494e4d
+dont_appraise fsmagic=0x42494e4d
+<comment># SECURITYFS_MAGIC = 0x73636673</comment>
+dont_measure fsmagic=0x73636673
+dont_appraise fsmagic=0x73636673
+<comment># SELINUX_MAGIC = 0xf97cff8c</comment>
+dont_measure fsmagic=0xf97cff8c
+dont_appraise fsmagic=0xf97cff8c
+<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
+dont_appraise fsmagic=0x27e0eb
+<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
+dont_measure obj_type=logfile
+dont_appraise obj_type=logfile
+<comment># Remainder of the defaults</comment>
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
+measure func=FILE_CHECK mask=MAY_READ uid=0
+appraise fowner=0
+</pre>
+
+<p>
+Make sure no empty lines are in the policy; if not, it will be refused. You can
+check the output of <c>dmesg</c> for hints why the policy was refused (it shows
+what was accepted, so the next line would be a not-accepted line), or the audit
+logs (but you will need to have <c>auditd</c> running) if you get lines such as
+<e>audit_printk_skb: XX callbacks suppressed</e> as you then might not have all
+the information you need.
+</p>
+
+</body>
+</section>
</chapter>
<!-- Damn, need access to a TPM-powered system myself to try this out
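Review bot: `obj_type=logfile` names an SELinux attribute rather than a type, and the next revision of this file replaces it with the individual types carrying that attribute, so this example does not work as written. "Make sure no empty lines are in the policy; if not, it will be refused" should read "otherwise it will be refused". The commentary should also state that rule order matters: the `dont_measure`/`dont_appraise` lines must precede the generic `measure`/`appraise` rules at the end, as they do here, because the first matching rule wins.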
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-12-28 20:09 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-28 20:09 UTC
To: gentoo-commits
swift 12/12/28 20:09:04
Modified: ima-guide.xml
Log:
Drop TPM stuff for as long as I do not have a TPM-enabled system that I can take ownership of
Revision Changes Path
1.4 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.3&r2=1.4
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ima-guide.xml 27 Dec 2012 20:32:39 -0000 1.3
+++ ima-guide.xml 28 Dec 2012 20:09:04 -0000 1.4
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.3 2012/12/27 20:32:39 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.4 2012/12/28 20:09:04 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>3</version>
-<date>2012-12-27</date>
+<version>4</version>
+<date>2012-12-28</date>
<chapter>
<title>Purpose of IMA</title>
@@ -479,6 +479,7 @@
</section>
</chapter>
+<!-- Damn, need access to a TPM-powered system myself to try this out
<chapter>
<title>Working with a TPM</title>
<section>
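Review bot: hiding the whole TPM chapter inside an XML comment makes the document depend on the chapter never containing a `--` sequence (a long option such as `--imasig`, used elsewhere in this guide, would terminate the comment early and leave the file ill-formed); the hidden chapter currently only uses `tpm_takeownership -u -z`, so it validates today, but a short remark next to the `<!--` about that constraint would spare the next editor the surprise. The matching `-->` only arrives in the following hunk, so the two hunks must always be applied together.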
@@ -538,5 +539,5 @@
</body>
</section>
</chapter>
-
+-->
</guide>
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-12-26 20:07 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-12-26 20:07 UTC
To: gentoo-commits
swift 12/12/26 20:07:30
Modified: ima-guide.xml
Log:
Update command for IMA appraisal first run
Revision Changes Path
1.2 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.1&r2=1.2
Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ima-guide.xml 1 Oct 2012 20:22:35 -0000 1.1
+++ ima-guide.xml 26 Dec 2012 20:07:30 -0000 1.2
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.1 2012/10/01 20:22:35 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.2 2012/12/26 20:07:30 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
-<version>1</version>
-<date>2012-10-01</date>
+<version>2</version>
+<date>2012-12-26</date>
<chapter>
<title>Purpose of IMA</title>
@@ -255,7 +255,7 @@
</p>
<pre caption="Registering all files">
-~# <i>find / \( -fstype rootfs -o ext4 -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
+~# <i>find / \( -fstype rootfs -o -fstype ext4 -a -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
</pre>
<p>
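Review bot: the corrected find expression still has a precedence problem: `-a` binds tighter than `-o`, so `\( -fstype rootfs -o -fstype ext4 -a -type f \)` reads as `rootfs OR (ext4 AND regular file)`, and directories and special files living on the rootfs are handed to head as well. The intended grouping is `find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' \; > /dev/null`. The `> /dev/null` is parsed by the shell as a redirect of find as a whole, so its current position after `'{}'` works but is misleading; moving it after `\;` makes that obvious.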
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
@ 2012-10-01 20:22 Sven Vermeulen (swift)
From: Sven Vermeulen (swift) @ 2012-10-01 20:22 UTC
To: gentoo-commits
swift 12/10/01 20:22:35
Added: ima-guide.xml
Log:
Initial draft for IMA guide
Revision Changes Path
1.1 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.1&content-type=text/plain
Index: ima-guide.xml
===================================================================
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.1 2012/10/01 20:22:35 swift Exp $ -->
<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
<author title="Author">
<mail link="swift"/>
</author>
<abstract>
The Linux IMA subsystem is responsible for calculating the hashes
of files and programs before they are loaded, and supports reporting
on those hashes and validating them against a predefined list. In this
guide, we introduce this technology and how it can be enabled in Gentoo
Linux.
</abstract>
<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />
<version>1</version>
<date>2012-10-01</date>
<chapter>
<title>Purpose of IMA</title>
<section>
<title>Introduction</title>
<body>
<p>
The Linux IMA subsystem introduces hooks within the Linux kernel to
support measuring the integrity of files (including application code)
before they are executed or mmap()ed into memory. The measured value
(hash) is then registered in a log that can be consulted by
administrators.
</p>
<p>
To support proven integrity of the files, the IMA subsystem can interact
with the TPM chip within the system to protect the registered hashes from
tampering by a rogue administrator or application.
The IMA subsystem, as already supported by the Linux kernel, supports
<e>reporting</e> on the hashes of files and commands run by privileged
accounts (and more if you create your own measurement policies).
</p>
<p>
With a pending patch, called the <e>IMA appraisal patch</e>,
the IMA subsystem can even register the measured
value as an extended attribute, and after subsequent measurement(s)
validate this extended attribute against the measured value and refuse
to load the file (or execute the application) if the hash does not match.
In that case, the IMA subsystem allows files and applications to be loaded
if the hashes match (and will save the updated hash if the file is modified)
but refuse to load it if it doesn't. This provides some protection against
offline tampering of the files.
</p>
<p>
Protection of the extended attribute itself is handled by EVM, which is
discussed in a separate document.
</p>
</body>
</section>
<section>
<title>Trusted Computing Base</title>
<body>
<p>
The Trusted Computing Base defines a set of rules that a properly
integrity-protected system should adhere to. The Linux IMA subsystem supports
this set of rules through the <e>ima_tcb</e> policy. This policy roughly states
that all files read by root (applications, but also regular files, libraries,
...) need to be measured and registered in the measurement log, as well as
application binaries when run (or mmap()ed for execution) by any user.
</p>
</body>
</section>
</chapter>
<chapter>
<title>Setting up IMA</title>
<section>
<title>Kernel configuration</title>
<body>
<p>
First of all, enable the IMA subsystem in the Linux kernel configuration.
IMA is supported in the main tree since 2.6.30, and it is expected that
the IMA appraisal patch (needed when you want the system to stop if it
detects an off-line modified file) will hit the main tree with Linux
3.7.
</p>
<pre caption="Linux kernel configuration for IMA">
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
<comment># Only if the IMA appraisal patch is available:</comment>
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA_APPRAISE=y
</pre>
</body>
</section>
<section>
<title>Bootloader configuration</title>
<body>
<p>
Next, configure the bootloader to enable the TCB policy:
</p>
<pre caption="Bootloader configuration to enable IMA TCB policy">
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>
<comment># Only if IMA appraisal patch is enabled:</comment>
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
</pre>
<p>
However, at the first boot, you will need to set <c>ima_appraise=fix</c>
instead. Otherwise, your system will surely refuse to boot as no preregistered
values are available.
</p>
</body>
</section>
<section>
<title>Enable security file system</title>
<body>
<p>
Finally, have the security file system mounted (if this is not already the
case):
</p>
<pre caption="Mounting the security file system">
~# <i>mount | grep securityfs</i>
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
</pre>
</body>
</section>
<section>
<title>Enable i_version mount option</title>
<body>
<p>
Mount all file systems with the <e>i_version</e> support (which, sadly, means
you need to mount it with <c>iversion</c> mount option - without the
underscore). This is needed for IMA to detect changes on files, allowing it to
remeasure the hash of the file.
</p>
<pre caption="Enabling i_version on all mounts">
<comment># Example for a single partition, in /etc/fstab:</comment>
/dev/vda1 / ext4 noatime<i>,iversion</i> 1 2
</pre>
</body>
</section>
</chapter>
<chapter>
<title>Using the IMA subsystem</title>
<section>
<title>Reading the integrity log</title>
<body>
<p>
To read the integrity log as registered by the IMA subsystem, look at the
<path>/sys/kernel/security/ima/ascii_runtime_measurements</path> file:
</p>
<pre caption="Reading the ascii_runtime_measurements file">
~# <i>head /sys/kernel/security/ima/ascii_runtime_measurements</i>
10 0000000000000000000000000000000000000000 ima 0000000000000000000000000000000000000000 boot_aggregate
10 dc99efa590c706a43792618dde88c590a6942ec7 ima fe932380326d7c51d17bac45f5d1c9f576d19f6c /sbin/init
10 fcaa7505fae70096cb9b6a8ec06ec6400b756aa2 ima 0ddd922ae7f5a6dcf788438db1fe47e9a0641e6d ld-2.15.so
10 501975777299919e49aac14c262d6388eae38e79 ima 8d848950517879e0dd77dc9602cad294b454b05a ld.so.cache
10 195830b88844db79ff994c57022e94da416c486c ima 28c4c3a750f5679b9092b2bb2f98c5f745e422f7 libselinux.so.1
10 770cd9400624a5678da388545df1297e182ccd10 ima 03db374e3cedeaf987db096a034bccb5c5bcf3d0 libc-2.15.so
10 82d48ec5fc4344a18a9d17ec1bf1bd8511f99fe6 ima e801e50a5f3ce7acc6e39b1133bce04120c46c35 libpcre.so.1.0.1
10 81ee4b0bbf4f5b464135e3e3d79b2777bceaa236 ima 869231d2fe1afe45ab284adc0efe5a237509bc7f libdl-2.15.so
10 67f5923749dfa266721ee0d6ad038102297c1170 ima e5f8003967fd31f295a115e1d682dd0169b34592 config
10 24894f13a9def8dd2f18838f04fde4becc184fc3 ima 032663452ea268aa1528bd466dda3738bb59a8f2 libsepol.so.1
# <i>tail /sys/kernel/security/ima/ascii_runtime_measurements</i>
10 d326b31af052ccb96366e4eceaf34f72450dad4b ima def5be24075b501b43ad864bd7141e9db1c55611 /bin/getfattr
10 3059f6b0f617256e42617c9e09ad13f6a1eb8f24 ima 7bb939b0ef153dce06098fd5460e31e6052af2a8 libattr.so.1.1.0
10 8c4a121f6e06255e5a8cf3cb94f526412273d661 ima 66abbade137338df340767b0f54a5da6b132e4c6 /usr/bin/touch
10 a8cf6c5215be6e6a2de12f50f09b8dbb12af04c8 ima f0cf26d5095d4b19134d8aaf71763bc8f53cd6a9 /usr/bin/zgrep
10 60fd90cb2d9581feb241a165f2f83e03abe46c24 ima 8c72350a7d0774c25f8b36b49327d874dec19ea5 test.te
10 e359faf89a81e105d3d470d6a513b3ee201376de ima 6b4aa6f895bcdd34ace49879f9a25c1c12197317 /usr/bin/tail
10 4a91a89db743704b7afe599528156823b48f192b ima 34228b5c748b13b6d51168c88b0ddf10467a5979 mtab
10 5c4c4ffec7487c7fb07a9946238efc3c2957075e ima 41ec2f49dd9c025bcf2810f17bf69de80d45bec1 user_u
10 0000000000000000000000000000000000000000 ima 0000000000000000000000000000000000000000 utmp
10 6582662a747e7bcf051a6b83367c69c854d5d414 ima 38ccbf9330666831e0b4d9dafa2d5364a3449e1d /usr/bin/du
</pre>
<p>
What you see here, per line, are:
</p>
<ul>
<li>
The index of the PCR (Platform Configuration Register) in which the values are
registered (10 by default, see <c>CONFIG_IMA_MEASURE_PCR_IDX</c>). This only
makes sense if you have a TPM chip in use.
</li>
<li>
The template hash: the hash of the file hash concatenated with the filename
(stored in a fixed-size field of 256 bytes, padded with null characters). This
is the value that gets extended into the PCR.
</li>
<li>
The measurement template that produced the entry (<e>ima</e> in our case)
</li>
<li>
The hash of the file content
</li>
<li>
The name of the file as seen at measurement time
</li>
</ul>
<p>
Unless you have asked for a different hashing algorithm, the default one will be
used, which is SHA-1. Two kinds of entries deserve attention: the
<e>boot_aggregate</e> entry is all zeros when no TPM is present (with a TPM it
holds a hash over the boot-time PCRs), and an all-zero entry for a regular file,
such as <path>utmp</path> above, is not a hash but a <e>violation</e> record:
the file was open for writing while being measured, so no trustworthy hash could
be taken.
</p>
</body>
</section>
<section>
<title>Registering the file hashes for the system</title>
<body>
<note>
This is only applicable when IMA appraisal patch is enabled.
</note>
<p>
First boot with the <c>ima_appraise=fix</c> boot option. This will allow the
system to boot up even when no (or wrong) hashes are registered.
</p>
<p>
Next, have all files on the file system checked and their value stored as an
extended attribute. This is done by reading all files that the default appraisal
policy will check and take action on (which is all root-owned files).
</p>
<pre caption="Registering all files">
~# <i>find / \( -fstype rootfs -o ext4 -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
</pre>
<p>
When done, you should be able to see the registered hash value as an extended
attribute:
</p>
<pre caption="Viewing the extended attributes of a file">
~# <i>getfattr -m . -d /boot/grub/grub.conf</i>
# file: grub.conf
security.selinux="root:object_r:boot_t"
security.ima="76a0d787be14d84dfe3cf3930ac3da38bb389464"
</pre>
<p>
Finally, reboot with <c>ima_appraise=enforce</c>. The system should now run with
appraisal enabled, causing the system to validate the hash against the stored
value before using it. If it doesn't match, then the file is not loaded. If it
does match, and afterwards the file is modified, then the new hash is stored as
extended attribute.
</p>
<p>
You can check if this works by booting with <c>ima_appraise=off</c> and changing
the contents of a root-owned file (or the value of the extended attribute) and
reboot with <c>ima_appraise=enforce</c>.
</p>
</body>
</section>
<section>
<title>Using immutable files</title>
<body>
<p>
The IMA appraisal code also supports immutable files. In this case, an RSA-key
based signature is taken of the file and stored in the extended attribute. The
private key is used to sign the files, whereas the public key is used to verify
the signature. This provides additional protection against tampering as the
private key does not need to be available on the system while its running (only
during the initial marking).
</p>
<p>
To sign such immutable files (like kernel modules and application code), you
need to use the <c>evmctl</c> command provided by the
<path>sys-admin/ima-evm-utils</path> package:
</p>
<pre caption="Signing files to mark them as immutable">
~# <i>find /lib/modules -name "*.ko" -type f -uid 0 -exec \
evmctl sign --imasig '{}' /path/to/rsa_private.pem \;</i>
</pre>
<p>
This private key can be generated first using <c>openssl</c>. The examples
below use 1024-bit keys; such keys are considered too short nowadays, so use at
least 2048 bits for anything beyond a test setup:
</p>
<pre caption="Generating a public/private key pair">
<comment># Unencrypted private key (non-protected):</comment>
~# <i>openssl genrsa -out rsa_private.pem 1024</i>
<comment># Or encrypted private key (password-protected):</comment>
~# <i>openssl genrsa -des3 -out rsa_private.pem 1024</i>
<comment># Public key:</comment>
~# <i>openssl rsa -pubout -in rsa_private.pem -out rsa_public.pem</i>
</pre>
<p>
To allow the IMA subsystem to validate the signature, you will need to load the
public key onto the IMA keyring. You will need to do this every time the system
boots, so it makes sense to do so within an initramfs (early in the boot
process):
</p>
<pre caption="Loading the public key in the IMA keyring">
~# <i>ima_id=`keyctl newring _ima @u`</i>
~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i>
</pre>
</body>
</section>
</chapter>
<chapter>
<title>Working with a TPM</title>
<section>
<title>Introduction</title>
<body>
<p>
When your system supports TPM, the measured hash values can be registered
against the TPM to provide protection against tampering. In that case, the list
provided by <path>ascii_runtime_measurements</path> can be validated against the
TPM chip. This is done by <e>extending</e> a register inside the TPM chip with
the measured value.
</p>
<p>
When a register is extended, the value it is extended with is appended to the
register's current value (itself a hash), the result is hashed again, and that
new hash is stored back in the register. Because of this operation, a third
party can replay the entire measurement list and compare the final result
against the value held by the TPM chip. If it matches, the list comes from this
system and has not been tampered with by a rogue administrator or application.
Note that a successful replay only proves the list is complete and unmodified;
whether the measured hashes themselves are the expected ones still has to be
checked against a list of known-good values.
</p>
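As an added example (not part of this guide, and not code from the IMA project), the following Python script ties the two descriptions together: it recomputes the template hash of each <path>ascii_runtime_measurements</path> line from the file hash and the filename as described in the "Reading the integrity log" section, treats the all-zero violation records specially, and replays the log into a software PCR using the extend operation described above. The log lines it parses are constructed test data, not real measurements; the substitution of twenty 0xff bytes for a violation entry mirrors what the kernel extends the TPM with for such records, so a replay that simply skipped them would never match the chip.

```python
import hashlib

NAME_FIELD_LEN = 256            # IMA_EVENT_NAME_LEN_MAX + 1: fixed, NUL-padded name field
PCR_INIT = "00" * 20            # a PCR starts out as 20 zero bytes
VIOLATION_DIGEST = "ff" * 20    # what the kernel extends the PCR with for a violation


def template_hash(file_hash_hex, name):
    """Template hash of the legacy 'ima' template: sha1(file digest || name),
    with the name stored in a 256-byte field, NUL padded and cut at 255 chars."""
    name_field = name.encode()[:NAME_FIELD_LEN - 1].ljust(NAME_FIELD_LEN, b"\0")
    return hashlib.sha1(bytes.fromhex(file_hash_hex) + name_field).hexdigest()


def parse_line(line):
    """Split one ascii_runtime_measurements line into its five fields."""
    pcr, thash, template, fhash, name = line.split(maxsplit=4)
    return {"pcr": int(pcr), "template_hash": thash, "template": template,
            "file_hash": fhash, "name": name}


def check_entry(entry):
    """'ok' if the template hash matches file hash and name, 'MISMATCH' if the
    line was altered, 'violation' for the all-zero records IMA writes when the
    file was open for writing while being measured (no usable hash exists)."""
    if entry["template_hash"] == PCR_INIT:
        return "violation"
    expected = template_hash(entry["file_hash"], entry["name"])
    return "ok" if expected == entry["template_hash"] else "MISMATCH"


def extend(pcr_hex, digest_hex):
    """TPM extend operation: new = sha1(old || digest)."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()


def replay(entries, pcr_index=10):
    """Replay the log into a software PCR; compare the result with the TPM's PCR."""
    pcr = PCR_INIT
    for e in entries:
        if e["pcr"] != pcr_index:
            continue
        digest = VIOLATION_DIGEST if e["template_hash"] == PCR_INIT else e["template_hash"]
        pcr = extend(pcr, digest)
    return pcr


def make_line(content, name, pcr=10):
    """Build a self-consistent log line for constructed file content (test data)."""
    fhash = hashlib.sha1(content).hexdigest()
    return f"{pcr} {template_hash(fhash, name)} ima {fhash} {name}"


# Constructed sample log: a fake init, a fake libc, and a violation record with
# all-zero hashes (as the kernel logs for utmp in the guide's listing).
SAMPLE_LOG = [
    make_line(b"\x7fELF-init-sample", "/sbin/init"),
    make_line(b"\x7fELF-libc-sample", "libc-2.15.so"),
    "10 " + "00" * 20 + " ima " + "00" * 20 + " utmp",
]


def audit(lines):
    """Return (per-entry status list, replayed PCR-10 value) for a log."""
    entries = [parse_line(line) for line in lines]
    return [(e["name"], check_entry(e)) for e in entries], replay(entries)


if __name__ == "__main__":
    results, pcr10 = audit(SAMPLE_LOG)
    for name, status in results:
        print(f"{status:10} {name}")
    print("replayed PCR-10:", pcr10)
```

On a real system, feed it the lines of <path>/sys/kernel/security/ima/ascii_runtime_measurements</path> and compare the replayed value with PCR 10 as read from the TPM; any MISMATCH line, or a replay that disagrees with the chip, means the log was altered after the fact.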
</body>
</section>
<section>
<title>Taking ownership</title>
<body>
<p>
Before you can use the TPM on your device, you need to take ownership. This will
allow you to set a specific password (to manage the TPM) and is needed for the
TPM to generate specific keys it'll use later.
</p>
<p>
To take ownership, first install the <path>app-crypt/tpm-tools</path> package.
Then start the <e>tcsd</e> service and execute <c>tpm_takeownership -u -z</c>.
</p>
<pre caption="Taking ownership of the TPM">
~# <i>emerge app-crypt/tpm-tools</i>
~# <i>rc-service tcsd start</i>
~# <i>tpm_takeownership -u -z</i>
</pre>
</body>
</section>
<section>
<title>Validating the measured list</title>
<body>
<p>
$$$TODO
</p>
</body>
</section>
</chapter>
</guide>