linux-ima-user Mailing List for Integrity Measurement Architecture (IMA) (Page 42)

Brought to you by: dsafford, kds_etu, mzohar

linux-ima-user — Q&A for users of IMA

This list is closed, nobody may subscribe to it.

2007	Jan	Feb (10)	Mar (26)	Apr (8)	May (3)	Jun	Jul (26)	Aug (10)	Sep	Oct	Nov (2)	Dec (4)
2008	Jan	Feb (13)	Mar (4)	Apr (3)	May (5)	Jun	Jul (7)	Aug (8)	Sep (5)	Oct (16)	Nov	Dec (6)
2009	Jan (2)	Feb	Mar (3)	Apr	May	Jun (19)	Jul (4)	Aug	Sep (13)	Oct (10)	Nov (12)	Dec (2)
2010	Jan	Feb (2)	Mar (17)	Apr (28)	May	Jun (17)	Jul (11)	Aug (12)	Sep (2)	Oct	Nov	Dec (1)
2011	Jan	Feb	Mar (20)	Apr (10)	May (1)	Jun	Jul	Aug (15)	Sep (14)	Oct (2)	Nov	Dec
2012	Jan (1)	Feb (53)	Mar (15)	Apr (4)	May (2)	Jun (13)	Jul	Aug	Sep (12)	Oct	Nov	Dec (6)
2013	Jan (7)	Feb (8)	Mar (4)	Apr (5)	May	Jun	Jul	Aug (5)	Sep (6)	Oct	Nov (5)	Dec (8)
2014	Jan (17)	Feb (24)	Mar (8)	Apr (7)	May (18)	Jun (15)	Jul (5)	Aug (2)	Sep (49)	Oct (28)	Nov (7)	Dec (30)
2015	Jan (40)	Feb	Mar (9)	Apr (2)	May (9)	Jun (31)	Jul (33)	Aug (5)	Sep (20)	Oct	Nov (3)	Dec (12)
2016	Jan (14)	Feb (29)	Mar (10)	Apr (4)	May (4)	Jun	Jul (5)	Aug (19)	Sep (21)	Oct (2)	Nov (36)	Dec (30)
2017	Jan (101)	Feb (12)	Mar (7)	Apr (2)	May (29)	Jun (22)	Jul (7)	Aug (93)	Sep (27)	Oct (39)	Nov	Dec

Flat | Threaded

<< < 1 .. 40 41 42 43 44 .. 56 > >> (Page 42 of 56)

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

From: Roberto S. <rob...@po...> - 2012-02-15 17:14:48

On 02/15/2012 05:55 PM, Gustavo Sverzut Barbieri wrote:
> On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu<rob...@po...>  wrote:
>>
>> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>>
>>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>    wrote:
>>>>
>>>> The new function ima_setup() loads an IMA custom policy from a file in the
>>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>>>
>>>
>>> isn't /etc/sysconfig too specific to Fedora?
>>>
>>
>> Hi Gustavo
>>
>> probably yes. I see the code in 'src/locale-setup.c' where the
>> the configuration directory depends on the target distribution.
>> I can implement something like that in my patch.
>
> Can't IMA be changed? Lennart seems to be pushing for distribution
> independent location files. If you can get IMA people to agree on
> something, just use this one instead.
>
> People that use IMA with systemd must use this location. Eventually
> this will happen with every configuration file we support.
>

The location of the policy file is not IMA dependent. I chose that
because it seemed to me the right place where to put this file.
So, i can easily modify the location to be distribution independent
but i don't known which directory would be appropriate.
Any proposal?

Regards

Roberto Sassu


>
>>> Also, I certainly have no such things in my system and see no point in
>>> calling ima_setup() on it. Or even compiling the source file in such
>>> case.
>>>
>>
>> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
>> statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA
>> definition to yes. Instead, the code can be enabled for example by
>> adding the parameter '--enable_ima' in the configure script.
>
> okay.
>
> --
> Gustavo Sverzut Barbieri
> http://profusion.mobi embedded systems
> --------------------------------------
> MSN: bar...@gm...
> Skype: gsbarbieri
> Mobile: +55 (19) 9225-2202

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

From: Gustavo S. B. <bar...@pr...> - 2012-02-15 16:55:50

On Wed, Feb 15, 2012 at 2:26 PM, Roberto Sassu <rob...@po...> wrote:
>
> On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
>>
>> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>  wrote:
>>>
>>> The new function ima_setup() loads an IMA custom policy from a file in the
>>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>>
>>
>> isn't /etc/sysconfig too specific to Fedora?
>>
>
> Hi Gustavo
>
> probably yes. I see the code in 'src/locale-setup.c' where the
> the configuration directory depends on the target distribution.
> I can implement something like that in my patch.

Can't IMA be changed? Lennart seems to be pushing for distribution
independent location files. If you can get IMA people to agree on
something, just use this one instead.

People that use IMA with systemd must use this location. Eventually
this will happen with every configuration file we support.


>> Also, I certainly have no such things in my system and see no point in
>> calling ima_setup() on it. Or even compiling the source file in such
>> case.
>>
>
> Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
> statement, as it happens for SELinux. However an issue is that there is no a specific package for IMA that can be checked to set the HAVE_IMA
> definition to yes. Instead, the code can be enabled for example by
> adding the parameter '--enable_ima' in the configure script.

okay.

--
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
--------------------------------------
MSN: bar...@gm...
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

From: Roberto S. <rob...@po...> - 2012-02-15 16:29:05

On 02/15/2012 03:30 PM, Gustavo Sverzut Barbieri wrote:
> On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu<rob...@po...>  wrote:
>> The new function ima_setup() loads an IMA custom policy from a file in the
>> default location '/etc/sysconfig/ima-policy', if present, and writes it to
>
> isn't /etc/sysconfig too specific to Fedora?
>

Hi Gustavo

probably yes. I see the code in 'src/locale-setup.c' where the
the configuration directory depends on the target distribution.
I can implement something like that in my patch.

> Also, I certainly have no such things in my system and see no point in
> calling ima_setup() on it. Or even compiling the source file in such
> case.
>

Ok. I can enclose the code in ima-setup.c within an 'ifdef HAVE_IMA'
statement, as it happens for SELinux. However an issue is that there is 
no a specific package for IMA that can be checked to set the HAVE_IMA
definition to yes. Instead, the code can be enabled for example by
adding the parameter '--enable_ima' in the configure script.

Regards

Roberto Sassu

Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

From: Gustavo S. B. <bar...@pr...> - 2012-02-15 14:30:40

On Wed, Feb 15, 2012 at 11:23 AM, Roberto Sassu <rob...@po...> wrote:
> The new function ima_setup() loads an IMA custom policy from a file in the
> default location '/etc/sysconfig/ima-policy', if present, and writes it to

isn't /etc/sysconfig too specific to Fedora?

Also, I certainly have no such things in my system and see no point in
calling ima_setup() on it. Or even compiling the source file in such
case.

-- 
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems
--------------------------------------
MSN: bar...@gm...
Skype: gsbarbieri
Mobile: +55 (19) 9225-2202

[Linux-ima-user] [PATCH 2/2] main: added support for loading IMA custom policies

From: Roberto S. <rob...@po...> - 2012-02-15 13:27:22

Attachments: smime.p7s

The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/sysconfig/ima-policy', if present, and writes it to
the path 'ima/policy' in the security filesystem. This function is executed
at early stage in order to avoid that some file operations are not measured
by IMA and it is placed after the initialization of SELinux because IMA
needs the latter (or other security modules) to understand LSM-specific
rules.

Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
 Makefile.am     |    1 +
 src/ima-setup.c |  114 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/ima-setup.h |   29 ++++++++++++++
 src/main.c      |    6 ++-
 4 files changed, 149 insertions(+), 1 deletions(-)
 create mode 100644 src/ima-setup.c
 create mode 100644 src/ima-setup.h

diff --git a/Makefile.am b/Makefile.am
index d3d0ed8..7476caa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -515,6 +515,7 @@ libsystemd_core_la_SOURCES = \
 	src/mount-setup.c \
 	src/hostname-setup.c \
 	src/selinux-setup.c \
+	src/ima-setup.c \
 	src/loopback-setup.c \
 	src/kmod-setup.c \
 	src/locale-setup.c \
diff --git a/src/ima-setup.c b/src/ima-setup.c
new file mode 100644
index 0000000..45afc0c
--- /dev/null
+++ b/src/ima-setup.c
@@ -0,0 +1,114 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2010 Lennart Poettering
+  Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+                                     TORSEC group -- http://security.polito.it
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include "ima-setup.h"
+#include "mount-setup.h"
+#include "macro.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define IMA_SECFS_DIR SECURITYFS_MNTPOINT "/ima"
+#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
+#define IMA_POLICY_PATH "/etc/sysconfig/ima-policy"
+
+int ima_setup(void) {
+       struct stat st;
+       ssize_t policy_size = 0, written = 0;
+       char *policy;
+       int policyfd = -1, imafd = -1;
+       int result = 0;
+
+#ifndef HAVE_SELINUX
+       /* Mount the securityfs filesystem */
+       mount_setup_early();
+#endif
+
+       if (stat(IMA_POLICY_PATH, &st) == -1)
+               return 0;
+
+       policy_size = st.st_size;
+       if (stat(IMA_SECFS_DIR, &st) == -1) {
+               log_debug("IMA support is disabled in the kernel, ignoring.");
+               return 0;
+       }
+
+       if (stat(IMA_SECFS_POLICY, &st) == -1) {
+               log_error("Another IMA custom policy has already been loaded, "
+                         "ignoring.");
+               return 0;
+       }
+
+       policyfd = open(IMA_POLICY_PATH, O_RDONLY);
+       if (policyfd < 0) {
+               log_error("Failed to open the IMA custom policy file %s (%s), "
+                         "ignoring.", IMA_POLICY_PATH, strerror(errno));
+               return 0;
+       }
+
+       imafd = open(IMA_SECFS_POLICY, O_WRONLY);
+       if (imafd < 0) {
+               log_error("Failed to open the IMA kernel interface %s (%s), "
+                         "ignoring.", IMA_SECFS_POLICY, strerror(errno));
+               goto out;
+       }
+
+       policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
+       if (policy == NULL) {
+               log_error("mmap() failed (%s), freezing", strerror(errno));
+               result = -errno;
+               goto out;
+       }
+
+       while(written < policy_size) {
+               ssize_t len = write(imafd, policy + written,
+                                   policy_size - written);
+               if (len <= 0) {
+                         log_error("Failed to load the IMA custom policy "
+                                   "file %s (%s), ignoring.", IMA_POLICY_PATH,
+                                   strerror(errno));
+                         goto out_mmap;
+               }
+               written += len;
+       }
+
+       log_info("Successfully loaded the IMA custom policy %s.",
+                IMA_POLICY_PATH);
+out_mmap:
+       munmap(policy, policy_size);
+out:
+       if (policyfd >= 0)
+                close_nointr_nofail(policyfd);
+       if (imafd >= 0)
+                close_nointr_nofail(imafd);
+       return result;
+}
diff --git a/src/ima-setup.h b/src/ima-setup.h
new file mode 100644
index 0000000..7d677cf
--- /dev/null
+++ b/src/ima-setup.h
@@ -0,0 +1,29 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#ifndef fooimasetuphfoo
+#define fooimasetuphfoo
+
+/***
+  This file is part of systemd.
+
+  Copyright 2010 Lennart Poettering
+  Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+                                     TORSEC group -- http://security.polito.it
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int ima_setup(void);
+
+#endif
diff --git a/src/main.c b/src/main.c
index ed317b4..7ae8841 100644
--- a/src/main.c
+++ b/src/main.c
@@ -41,6 +41,7 @@
 #include "kmod-setup.h"
 #include "locale-setup.h"
 #include "selinux-setup.h"
+#include "ima-setup.h"
 #include "machine-id-setup.h"
 #include "load-fragment.h"
 #include "fdset.h"
@@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) {
                 arg_running_as = MANAGER_SYSTEM;
                 log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG);
 
-                if (!is_reexec)
+                if (!is_reexec) {
                         if (selinux_setup(&loaded_policy) < 0)
                                 goto finish;
+                        if (ima_setup() < 0)
+                                goto finish;
+                }
 
                 log_open();
 
-- 
1.7.7.6

[Linux-ima-user] [PATCH 1/2] systemd: mount the securityfs filesystem at early stage

From: Roberto S. <rob...@po...> - 2012-02-15 13:26:51

Attachments: smime.p7s

The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is not longer necessary.

Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
 Makefile.am                     |    3 ---
 src/mount-setup.c               |    6 ++++--
 src/mount-setup.h               |    2 ++
 units/sys-kernel-security.mount |   17 -----------------
 4 files changed, 6 insertions(+), 22 deletions(-)
 delete mode 100644 units/sys-kernel-security.mount

diff --git a/Makefile.am b/Makefile.am
index 983ea16..d3d0ed8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -291,7 +291,6 @@ dist_systemunit_DATA = \
 	units/dev-mqueue.mount \
 	units/sys-kernel-config.mount \
 	units/sys-kernel-debug.mount \
-	units/sys-kernel-security.mount \
 	units/sys-fs-fuse-connections.mount \
 	units/var-run.mount \
 	units/media.mount \
@@ -2374,7 +2373,6 @@ systemd-install-data-hook:
 			dev-mqueue.mount \
 			sys-kernel-config.mount \
 			sys-kernel-debug.mount \
-			sys-kernel-security.mount \
 			sys-fs-fuse-connections.mount \
 			systemd-modules-load.service \
 			systemd-tmpfiles-setup.service \
@@ -2384,7 +2382,6 @@ systemd-install-data-hook:
 		$(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
 		$(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
 		$(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
-		$(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
 		$(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
 		$(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
 		$(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8..62bf743 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
 } MountPoint;
 
 /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
 
 static const MountPoint mount_table[] = {
         { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
+        { "securityfs", SECURITYFS_MNTPOINT,    "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
         { "tmpfs",    "/dev/shm",               "tmpfs",    "mode=1777",         MS_NOSUID|MS_NODEV,           true },
         { "devpts",   "/dev/pts",               "devpts",   "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
         { "tmpfs",    "/run",                   "tmpfs",    "mode=755",          MS_NOSUID|MS_NODEV, true },
diff --git a/src/mount-setup.h b/src/mount-setup.h
index c1a27ba..df6f518 100644
--- a/src/mount-setup.h
+++ b/src/mount-setup.h
@@ -24,6 +24,8 @@
 
 #include <stdbool.h>
 
+#define SECURITYFS_MNTPOINT "/sys/kernel/security"
+
 int mount_setup_early(void);
 
 int mount_setup(bool loaded_policy);
diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
deleted file mode 100644
index 80cd761..0000000
--- a/units/sys-kernel-security.mount
+++ /dev/null
@@ -1,17 +0,0 @@
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-
-[Unit]
-Description=Security File System
-DefaultDependencies=no
-ConditionPathExists=/sys/kernel/security
-Before=sysinit.target
-
-[Mount]
-What=securityfs
-Where=/sys/kernel/security
-Type=securityfs
-- 
1.7.7.6

Re: [Linux-ima-user] syslog and ima measurements

From: Peter M. <pm...@go...> - 2012-02-13 05:22:18

On Sun, Feb 12, 2012 at 7:34 PM, Mimi Zohar <zo...@li...> wrote:
> On Sun, 2012-02-12 at 16:52 -0800, Peter Moody wrote:
>> On Sun, Feb 12, 2012 at 4:42 PM, Mimi Zohar <zo...@li...> wrote:
>> > On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
>> >> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
>> >> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
>> >> >> I'm probably missing something obvious, but I'm interested in getting
>> >> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
>> >> >> into syslog. Is there an easy way to do this or do I have to write
>> >> >> something to do it manually?
>> >> >
>> >> > The measurements are currently only added to the measurement list.  With
>> >> > IMA-appraisal, invalid measurements are audited.
>> >>
>> >> Is auditing the measurements something that you would consider
>> >> worthwhile or if I want to do this should I find some syslog-y way of
>> >> tailing the measurements file and sending them to syslog myself?
>> >
>> > The IMA measurement list is meant for remote attestation and would be
>> > included in the TPM quote.  Could you please explain why you'd want
>> > these measurements written to syslog?
>>
>> I'd like to see the measurements on my central log-catcher(s).
>
> I kind of got that, but I'm asking why would you want all these
> measurements cluttering syslog?  You do realize the default policy
> measures all executable files, all files mmaped executable and all files
> opened by root?
>
> If you're only interested in recording the existing measurements at a
> specific point in time, then redirect the output.  If by "getting the
> contents of /sys/kernel/security/ima/ascii_runtime_measurements into
> syslog", you mean logging the measurements to syslog as they're added to
> the measurement list, then you'll have to modify ima_store_template().

Thanks!

Cheers,
peter

> Mimi
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: [Linux-ima-user] syslog and ima measurements

From: Mimi Z. <zo...@li...> - 2012-02-13 03:38:33

On Sun, 2012-02-12 at 16:52 -0800, Peter Moody wrote:
> On Sun, Feb 12, 2012 at 4:42 PM, Mimi Zohar <zo...@li...> wrote:
> > On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
> >> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
> >> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
> >> >> I'm probably missing something obvious, but I'm interested in getting
> >> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
> >> >> into syslog. Is there an easy way to do this or do I have to write
> >> >> something to do it manually?
> >> >
> >> > The measurements are currently only added to the measurement list.  With
> >> > IMA-appraisal, invalid measurements are audited.
> >>
> >> Is auditing the measurements something that you would consider
> >> worthwhile or if I want to do this should I find some syslog-y way of
> >> tailing the measurements file and sending them to syslog myself?
> >
> > The IMA measurement list is meant for remote attestation and would be
> > included in the TPM quote.  Could you please explain why you'd want
> > these measurements written to syslog?
> 
> I'd like to see the measurements on my central log-catcher(s).

I kind of got that, but I'm asking why would you want all these
measurements cluttering syslog?  You do realize the default policy
measures all executable files, all files mmaped executable and all files
opened by root?

If you're only interested in recording the existing measurements at a
specific point in time, then redirect the output.  If by "getting the
contents of /sys/kernel/security/ima/ascii_runtime_measurements into
syslog", you mean logging the measurements to syslog as they're added to
the measurement list, then you'll have to modify ima_store_template(). 

Mimi

Re: [Linux-ima-user] syslog and ima measurements

From: Peter M. <pm...@go...> - 2012-02-13 00:52:38

On Sun, Feb 12, 2012 at 4:42 PM, Mimi Zohar <zo...@li...> wrote:
> On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
>> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
>> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
>> >> I'm probably missing something obvious, but I'm interested in getting
>> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
>> >> into syslog. Is there an easy way to do this or do I have to write
>> >> something to do it manually?
>> >
>> > The measurements are currently only added to the measurement list.  With
>> > IMA-appraisal, invalid measurements are audited.
>>
>> Is auditing the measurements something that you would consider
>> worthwhile or if I want to do this should I find some syslog-y way of
>> tailing the measurements file and sending them to syslog myself?
>
> The IMA measurement list is meant for remote attestation and would be
> included in the TPM quote.  Could you please explain why you'd want
> these measurements written to syslog?

I'd like to see the measurements on my central log-catcher(s).

> IMA-appraisal verifies and enforces local file integrity.  I don't see a
> problem with IMA-appraisal auditing both valid and invalid measurements.
>
> thanks,
>
> Mimi
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: [Linux-ima-user] syslog and ima measurements

From: Mimi Z. <zo...@li...> - 2012-02-13 00:45:40

On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
> >> I'm probably missing something obvious, but I'm interested in getting
> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
> >> into syslog. Is there an easy way to do this or do I have to write
> >> something to do it manually?
> >
> > The measurements are currently only added to the measurement list.  With
> > IMA-appraisal, invalid measurements are audited.
> 
> Is auditing the measurements something that you would consider
> worthwhile or if I want to do this should I find some syslog-y way of
> tailing the measurements file and sending them to syslog myself?

The IMA measurement list is meant for remote attestation and would be
included in the TPM quote.  Could you please explain why you'd want
these measurements written to syslog?

IMA-appraisal verifies and enforces local file integrity.  I don't see a
problem with IMA-appraisal auditing both valid and invalid measurements.

thanks,

Mimi

Re: [Linux-ima-user] syslog and ima measurements

From: Peter M. <pm...@go...> - 2012-02-12 18:41:16

On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
> On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
>> I'm probably missing something obvious, but I'm interested in getting
>> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
>> into syslog. Is there an easy way to do this or do I have to write
>> something to do it manually?
>>
>> Cheers,
>> peter
>
> The measurements are currently only added to the measurement list.  With
> IMA-appraisal, invalid measurements are audited.

Is auditing the measurements something that you would consider
worthwhile or if I want to do this should I find some syslog-y way of
tailing the measurements file and sending them to syslog myself?

Cheers,
peter

> thanks,
>
> Mimi
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: [Linux-ima-user] syslog and ima measurements

From: Mimi Z. <zo...@li...> - 2012-02-12 00:08:23

On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
> I'm probably missing something obvious, but I'm interested in getting
> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
> into syslog. Is there an easy way to do this or do I have to write
> something to do it manually?
> 
> Cheers,
> peter

The measurements are currently only added to the measurement list.  With
IMA-appraisal, invalid measurements are audited.

thanks,

Mimi

[Linux-ima-user] syslog and ima measurements

From: Peter M. <pm...@go...> - 2012-02-10 18:03:23

I'm probably missing something obvious, but I'm interested in getting
the contents of /sys/kernel/security/ima/ascii_runtime_measurements
into syslog. Is there an easy way to do this or do I have to write
something to do it manually?

Cheers,
peter

-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: [Linux-ima-user] EVM/IMA are they now in 3.2 mainline?

From: Mimi Z. <zo...@li...> - 2012-01-06 13:17:54

On Thu, 2012-01-05 at 14:07 -0800, Sam Gandhi wrote:
> [First apologies if there is an easy way to find this]
> 
> I noticed that Linus has released 3.2
> (http://article.gmane.org/gmane.linux.kernel/1235375).

http://lwn.net/Articles/473798/ summarizes the changes with links to
other articles describing those changes.  Release summary is also
available from http://kernelnewbies.org/Linux_3.2

> So is it safe to assume that all the changes found in
> git://git.selinuxproject.org/~jmorris/linux-security  should be now in
> 3.2 mainline kernel?

linux-security is a git tree with multiple branches (eg. master, next,
for-linus).  'next', as its name indcates, refers to patches targeted
for the next release and are currently in linux-next.  Shortly (days)
after a new release, the merge window opens for the next release.

> Is there any way to find out what changes from linux-security were
> upstreamed to mainline linux kernel?
> 
> -Sam

Patches in 'next' are generally not upstreamed in the current release.
Only bug fixes that were in 'for-linus' were upstreamed in 3.2. 

So where is EVM/IMA?  EVM is included in the linux 3.2 release. The EVM
digital signature extension is in linux-next and, most likely, will be
merged in this open window.  As for the IMA-appraisal extension, the
patches are available from
git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity/
'next-ima-appraisal'.

thanks,

Mimi

Re: [Linux-ima-user] [RFC v2.1 0/6] evm: digital signature verification extension

From: James M. <jm...@na...> - 2011-10-14 00:21:36

On Wed, 12 Oct 2011, Subodh Nijsure wrote:

> What is the status of these patches moving to mainline?

Unless there are any major objections, they will likely be merged soon.

> FWIW I have tested evm: digital signature verification extension, as
> well as IMA patches, on our embedded  platform and work great. It
> provides functionality so we can verify that system hasn't been
> tampered with.

Thanks for the report, it helps make the case for merging.

-- 
James Morris
<jm...@na...>

Re: [Linux-ima-user] [RFC v2.1 0/6] evm: digital signature verification extension

From: Subodh N. <nij...@gm...> - 2011-10-13 04:37:32

What is the status of these patches moving to mainline?

FWIW I have tested evm: digital signature verification extension, as
well as IMA patches, on our embedded  platform and work great. It
provides functionality so we can verify that system hasn't been
tampered with.

We would rather use things that are "mainline", would a
endorsement/test report from IMA/EVM verification users help move
these things to mainline?

-Subodh Nijsure

[Linux-ima-user] Temporary git repo for EVM/IMA-appraisal

From: Mimi Z. <zo...@li...> - 2011-09-14 21:55:00

On Mon, 2011-09-12 at 14:49 -0700, Subodh Nijsure wrote:

> Should I be merging changes from
> git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.gitt/#next-ima-appraisal
>  for my testing? If yes, since kernel.org is still down is there
> another place where I can look at those changes?

I've just set up a temporary EVM/IMA-appraisal git repo until k.org
returns:  git://github.com/mzohar/linux-evm.git

Mimi