jyteh - 2011-06-07

Dear Omen and users,

Thank you so much for your help given so far. I have been successful in compiling the Enforcer into Debian Etch 4.1 r9 with kernel 2.6.5.

Note that "zcat /proc/config.gz" gave:

CONFIG_SECURITY_ENFORCER=y
CONFIG_ENFORCER_TCPA=y
CONFIG_ENFORCER_DEBUG=y
CONFIG_ENFORCER_DEBUG_TIME is not set

Now I am trying to test whether the enforcer works, i.e. whether it triggers a kernel log message when file integrity is compromised.

Chronology of events:

1. Hence, I ran make && make install at the top level enforcer directory and compilation was flawless.

2. Created /etc/enforcer/enforcer.db.entries that has a single line like this:
action=log /root/test

3. Ran # enforcer-admin builddb and the database was created.

jyteh:/etc/enforcer# ls -lth
total 12K
-rw-r--r-- 1 root root 194 2011-06-01 18:55 enforcer.db
-rw-r--r-- 1 root root 719 2011-06-01 18:55 helper.conf
-rw-r--r-- 1 root root  22 2011-06-01 18:54 enforcer.db.entries
jyteh:/etc/enforcer#

4. Modified the test file (sha1 confirmed to differ) and tailed kern.log, but was unable to find something like this:

el: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found:    1078860942.634554050
kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built.  Your system may be compromised.

5. Thinking the problem was due to the helper program, I created a helper.conf file in /etc/enforcer using helper.conf.sample.

6. Also added enforcer.debug_level=1 enforcer.check_signature=no to the GRUB menu.lst boot loader.

7. Configured sysv-rc-conf to start init.d.sh at Debian init levels 1-5 with 'enforcer-helper start'.

8. Rebooted several times (each time I checked that I had followed steps 1 to 7 above) and read all system-related logs in /var/log, but still no enforcer response in kern.log.

My questions:
a. I would greatly appreciate it if someone could point out what went wrong or any steps I missed out.
b. Does the enforcer need ALL of these to function:

i) TPM chip/emulator (I installed Mario Strasser's TPM Emulator v0.20)
ii) Encrypted Loopback Filesystem

I suspect both are needed before kern.log gives any output, since:

jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper
helper: usage
helper (start|stop|force-stop|tpm-lock)
jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper start
helper: unable to open '/etc/enforcer/tcpa.pw' for reading.

Thanks in advance for any kind feedback.

rgds
jyteh