Dear Omen and users,
Thank you so much for your help given so far. I have been successful in compiling the Enforcer into Debian Etch 4.1 r9 with kernel 2.6.5.
Note that "zcat /proc/config.gz" gave:
CONFIG_SECURITY_ENFORCER=y
CONFIG_ENFORCER_TCPA=y
CONFIG_ENFORCER_DEBUG=y
# CONFIG_ENFORCER_DEBUG_TIME is not set
Now I am trying to test whether the enforcer works in triggering a kernel log entry if file integrity is compromised.
Chronology of events:
1. Hence, I ran make && make install in the top-level enforcer directory, and compilation was flawless.
2. Created /etc/enforcer/enforcer.db.entries that has a single line like this:
action=log /root/test
3. Ran # enforcer-admin builddb and the database was created.
jyteh:/etc/enforcer# ls -lth
total 12K
-rw-r--r-- 1 root root 194 2011-06-01 18:55 enforcer.db
-rw-r--r-- 1 root root 719 2011-06-01 18:55 helper.conf
-rw-r--r-- 1 root root 22 2011-06-01 18:54 enforcer.db.entries
jyteh:/etc/enforcer#
4. Modified the test file (sha1 confirmed it differs) and tailed kern.log, but was unable to find something like this:
kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found: 1078860942.634554050
kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built. Your system may be compromised.
5. Thinking the problem was due to the helper program, I created a helper.conf file in /etc/enforcer from helper.conf.sample.
6. Also added enforcer.debug_level=1 enforcer.check_signature=no to the GRUB menu.lst boot loader entry.
7. Configured sysv-rc-conf to start init.d.sh at Debian init levels 1-5, with 'enforcer-helper start'.
8. Rebooted several times (each time checking that I had followed steps 1 to 7 above) and read all system-related logs in /var/log, but still no Enforcer response in kern.log.
My questions:
a. I would greatly appreciate it if someone could point out what went wrong or any steps I missed.
b. Does the enforcer need ALL of these to function:
i) TPM chip/emulator (I installed Mario Strasser's TPM Emulator v0.20)
ii) Encrypted Loopback Filesystem
I suspect both are needed before kern.log gives any output, since:
jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper
helper: usage
helper (start|stop|force-stop|tpm-lock)
jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper start
helper: unable to open '/etc/enforcer/tcpa.pw' for reading.
Thanks in advance for any kind feedback.
rgds
jyteh
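The check step 4 of the post does by hand (tailing kern.log for the enforcer_bad_entry report), as an added example that is not from the post or from the Enforcer project. It assumes only the message format of the four log lines quoted in step 4; the kern.log excerpt it runs on is constructed (hostname and timestamps made up), and the /var/log/kern.log path in the usage comment is the Debian default the post refers to.

```shell
#!/bin/sh
# Added example, not code from the post or from the Enforcer project.
# It scans a kern.log-style file for the Enforcer "bad entry" report the
# post expects (message text copied from the lines quoted there) and prints
# one "path|attribute|expected|found" line per report, so the log can be
# checked for a report instead of eyeballing `tail`.

# Print "path|attribute|expected|found" for each enforcer_bad_entry block in $1.
enforcer_bad_entries() {
    path= attr= expected=
    while IFS= read -r line; do
        case $line in
            *"Enforcer: attribute "*" incorrect")
                # e.g. "... attribute mtime of `/root/test' incorrect"
                rest=${line#*"Enforcer: attribute "}
                attr=${rest%% *}
                path=${rest#*'`'}
                path=${path%"' incorrect"}
                ;;
            *"Enforcer: Expected: "*)
                expected=${line##* }
                ;;
            *"Enforcer: Found: "*)
                found=${line##* }
                if [ -n "$path" ]; then
                    printf '%s|%s|%s|%s\n' "$path" "$attr" "$expected" "$found"
                fi
                path= attr= expected=
                ;;
        esac
    done < "$1"
}

# Exit 0 if $1 holds at least one Enforcer bad-entry report, 1 otherwise.
enforcer_log_check() {
    enforcer_bad_entries "$1" | grep -q .
}

# Constructed kern.log excerpt for an offline run: hostname and timestamps
# are made up; the Enforcer lines follow the format quoted in the post.
sample_kern_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun  1 19:02:10 jyteh kernel: usb 1-1: new full speed USB device using uhci_hcd and address 2
Jun  1 19:02:11 jyteh kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
Jun  1 19:02:11 jyteh kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
Jun  1 19:02:11 jyteh kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found: 1078860942.634554050
Jun  1 19:02:11 jyteh kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built. Your system may be compromised.
EOF
    echo "$f"
}

# Real use on the box from the post: enforcer_log_check /var/log/kern.log
log=$(sample_kern_log)
enforcer_bad_entries "$log"
if enforcer_log_check "$log"; then
    echo "Enforcer reported a modified entry"
else
    echo "no Enforcer report found in $log"
fi
rm -f "$log"
```

Running it on the constructed excerpt prints one line, /root/test|mtime|1074028730.768740586|1078860942.634554050; running enforcer_log_check against the real /var/log/kern.log after step 4 gives a yes/no answer (exit status) for whether the module logged anything at all, which is the question the post is stuck on.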