From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9EB911381FA for ; Sat, 29 Dec 2012 13:11:19 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A17F421C045; Sat, 29 Dec 2012 13:11:07 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 14EDE21C045 for ; Sat, 29 Dec 2012 13:11:06 +0000 (UTC) Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id EB99F33D806 for ; Sat, 29 Dec 2012 13:11:05 +0000 (UTC) Received: by flycatcher.gentoo.org (Postfix, from userid 617) id B863E2171D; Sat, 29 Dec 2012 13:11:04 +0000 (UTC) 
From: "Sven Vermeulen (swift)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, swift@gentoo.org Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml X-VCS-Repository: gentoo X-VCS-Files: ima-guide.xml X-VCS-Directories: xml/htdocs/proj/en/hardened/integrity/docs X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Message-Id: <20121229131104.B863E2171D@flycatcher.gentoo.org> Date: Sat, 29 Dec 2012 13:11:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c4328d2d-e4a0-497c-943c-279aacb6a90c X-Archives-Hash: 24849e927aaefda840a691279f7fe646 swift 12/12/29 13:11:04 Modified: ima-guide.xml Log: Add info on custom policies Revision Changes Path 1.5 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.4&r2=1.5 Index: ima-guide.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- ima-guide.xml 28 Dec 2012 20:09:04 -0000 1.4 +++ ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5 @@ -1,6 +1,6 @@ - + Using Integrity Measurement Architecture in Gentoo @@ -21,8 +21,8 @@ -4 -2012-12-28 +5 +2012-12-29 Purpose of IMA 
@@ -152,13 +152,14 @@ kernel /boot/vmlinuz root=/dev/vda1 ima_tcb # Only if IMA appraisal is wanted: -kernel /boot/vmlinuz root=/dev/vda1 ima_tcb ima_appraise=enforce ima_appraise_tcb +kernel /boot/vmlinuz root=/dev/vda1 ima_tcb ima_appraise=fix ima_appraise_tcb

-However, at the first boot, you will need to set ima_appraise=fix -instead. Otherwise, your system will surely refuse to boot as no preregistered -values are available. +We currently set ima_appraise=fix because the integrity hashes have not +been stored yet. If we would run with ima_appraise=enforce immediately, +the system would simply refuse to boot properly as all file accesses would be +denied. We will switch to ima_appraise=enforce later.
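Review bot: the new explanation overstates what ima_appraise=enforce denies: with ima_appraise_tcb the appraise rule is "appraise fowner=0" (as the custom policy further down also shows), so it is accesses to root-owned files that would be refused, not "all file accesses". Suggest "accesses to root-owned files would be denied" here. Since ima_appraise=fix records the hash of whatever content is present at the time, it is also worth a sentence that this first boot has to happen on a system whose files are already trusted, because that is the state enforce will later check against.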

@@ -195,6 +196,17 @@ /dev/vda1 / ext4 noatime,iversion 1 2 +

+For the root file system, you might want to enable it through the +rootflags kernel parameter as well so that it gets mounted immediately +with i_version support when the Linux kernel mounts the root file system. +

+ +
+# Example kernel line for a GRUB setup
+kernel /boot/kernel root=/dev/vg/root rootflags=i_version dolvm ima_tcb ima_appraise=enforce ima_appraise_tcb
+
+
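Review bot: the added GRUB example line carries ima_appraise=enforce, while the hunk at line 152 just changed the boot example to ima_appraise=fix for the first boot; a reader who copies this line on the first boot ends up in the situation the earlier paragraph warns about. Suggest either using ima_appraise=fix here too or adding a comment such as "# after the initial ima_appraise=fix boot". Also worth one sentence on why the option is spelled "iversion" in /etc/fstab but "i_version" in rootflags: fstab goes through mount(8), whereas rootflags is handed to the filesystem by the kernel, so the two spellings are deliberate and should not be "corrected" to match.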
@@ -310,7 +322,8 @@

Finally, reboot with ima_appraise=enforce. The system should now run with appraisal enabled, causing the system to validate the hash against the stored -value before using it. If it doesn't match, then the file is not loaded. If it +value before using it. If it doesn't match, then the file is not loaded and any +access towards it will be denied with a Permission denied error. If it does match, and afterwards the file is modified, then the new hash is stored as extended attribute.
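Review bot: wording in the added clause: "any access towards it will be denied" should read "any access to it will be denied". The surrounding context sentence also reads better as "stored as an extended attribute".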

@@ -477,6 +490,77 @@ +
+How do I load in my own, custom IMA policy? + + +

+You can load in an IMA policy by cat'ing it into +/sys/kernel/security/ima/policy. If the policy is accepted, then +the command will succeed and the policy (pseudo)file will disappear +(this is by design, so that malicious users cannot alter the policy once +loaded). +

+ +

+Below is an example custom policy, taken from the default one with one addition: +ask it not to measure and appraise log files (through the use of the SELinux +logfile attribute). +

+ +
+# Magics can be found in kernel/include/uapi/linux/magic.h
+# Default can be found in security/integrity/ima/ima_policy.c
+# PROC_SUPER_MAGIC = 0x9fa0
+dont_measure fsmagic=0x9fa0
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC = 0x62656572
+dont_measure fsmagic=0x62656572
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC = 0x64626720
+dont_measure fsmagic=0x64626720
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC = 0x01021994
+dont_measure fsmagic=0x01021994
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC = 0x858458f6
+dont_measure fsmagic=0x858458f6
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC = 0x1cd1
+dont_measure fsmagic=0x1cd1
+dont_appraise fsmagic=0x1cd1
+# BINFMTFS_MAGIC = 0x42494e4d
+dont_measure fsmagic=0x42494e4d
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC = 0x73636673
+dont_measure fsmagic=0x73636673
+dont_appraise fsmagic=0x73636673
+# SELINUX_MAGIC = 0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+dont_appraise fsmagic=0xf97cff8c
+# CGROUP_SUPER_MAGIC = 0x27e0eb
+dont_appraise fsmagic=0x27e0eb
+# Do not measure all types that have the "logfile" SELinux attribute
+dont_measure obj_type=logfile
+dont_appraise obj_type=logfile
+# Remainder of the defaults
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
+measure func=FILE_CHECK mask=MAY_READ uid=0
+appraise fowner=0
+
+ +

+Make sure no empty lines are in the policy; if not, it will be refused. You can +check the output of dmesg for hints why the policy was refused (it shows +what was accepted, so the next line would be a not-accepted line), or the audit +logs (but you will need to have auditd running) if you get lines such as +audit_printk_skb: XX callbacks suppressed as you then might not have all +the information you need. +

+ + +
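Review bot: the comment above the logfile rules says "Do not measure all types that have the "logfile" SELinux attribute", but the two rules that follow are dont_measure and dont_appraise, so the comment should say "Do not measure or appraise". The text calls logfile an SELinux attribute while the rule key is obj_type; please state explicitly that this only works on a kernel with SELinux enabled and confirm that obj_type matching accepts the attribute (rather than only a concrete type), since a silently non-matching rule would leave log files under appraisal. In the closing paragraph, "Make sure no empty lines are in the policy; if not, it will be refused" should be "otherwise, it will be refused", and since the example itself is full of "#" lines it would help to say that comment lines are accepted while empty lines are not.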