From: Mimi Z. <zo...@li...> - 2012-02-16 12:39:23

On Thu, 2012-02-16 at 17:02 +1100, Michael Cassaniti wrote:
> Hi All,
> I was wondering if it would be possible to do the following with IMA
> and EVM:
> 1. Check the EVM side of things for every file opened/executed,
>    excluding a few file paths. I primarily want to have
>    signatures on all executables and configuration files, but not
>    live data.

Filepaths are not supported, but you can identify files to be
included/excluded by LSM obj/subj label. For example, the SELinux
label for /var/log/messages is:

# getfattr -m ^security --dump /var/log/messages
getfattr: Removing leading '/' from absolute path names
# file: var/log/messages
security.selinux="system_u:object_r:var_log_t:s0"

To exclude /var/log/messages, the IMA measurement/appraise policy
would contain:

# var_log_t files
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t

> 2. Force that IMA/EVM attributes do not change under normal
>    conditions. The machine would need to be rebooted and have the
>    kernel options changed to support attribute overwriting.

The 'security.ima' xattr containing a digital signature will not
change, even on reboot in fix mode, but 'security.evm' could be
updated when other metadata changes.

> 3. Not extend the TPM PCR. I'm not trying to use IMA for remote
>    attestation, but rather for ensuring the code and
>    configuration on my machines haven't been tampered with.

Yes, modify the IMA policy so that nothing is measured, only appraised.

> Now I did read the wiki before posting to the list. I did find
> information regarding the ima_appraise option, but all it says is what
> the possible values are, not what they actually mean. I think someone
> should make that explicit in the wiki. The evm option doesn't have any
> mention of allowed values, nor a table stating what it all means.
> So, could someone please update these in the wiki, and is it possible
> to achieve my objectives from above (the last one isn't a must)?
>
> Regards,
> Michael Cassaniti

linux-ima is dated and definitely needs to be updated. The updated wiki
will include a section on the new digital signatures. Thank you for
your suggestions.

thanks,
Mimi
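An appraise-only IMA policy that covers all three requirements in the thread (signature checks on executables and root-owned configuration, live data excluded by SELinux type, no measure rules so no PCR is extended). This is an added example, not text from the thread or a file from the linux-ima project; it assumes a kernel with IMA-appraisal, SELinux and IMA signature support (appraise_type=imasig is newer than the kernels discussed here), booted with ima_appraise=enforce. IMA accepts whole-line # comments only, so none of the rules carry trailing comments.

```text
# Appraise-only policy: there is deliberately no "measure" rule anywhere,
# so IMA never extends a TPM PCR; it only verifies security.ima/security.evm.

# Pseudo filesystems carry no xattrs and must never be appraised.
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673

# Live data is excluded by SELinux object type, not by path (see the
# getfattr output above for how to find a file's type). Add one
# dont_appraise line per additional "live data" type on the system.
dont_appraise obj_type=var_log_t

# Anything executed or mapped executable must carry a valid digital
# signature in security.ima; a plain hash is not accepted (imasig).
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig

# Root-owned files (configuration under /etc and the like) opened for
# any access must also carry a signature.
appraise fowner=0 appraise_type=imasig
```

Rules are evaluated top to bottom and the first match wins, so the dont_appraise exclusions must precede the appraise rules; the policy is loaded by writing it to /sys/kernel/security/ima/policy (on recent kernels, writing the path of the policy file is also accepted).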