From: <m.c...@gm...> - 2012-02-17 03:30:17
<html><head> <meta http-equiv="content-type" content="text/html; charset=us-ascii"> <title>Re: [Linux-ima-user] Enforcing signatures with IMA</title> </head><body><br>
<br>
<div class="gmail_quote">On 16 February 2012 23:36, Mimi Zohar <span dir="ltr"><zo...@li...></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Thu, 2012-02-16 at 17:02 +1100, Michael Cassaniti wrote:<br>
> Hi All,<br>
> I was wondering if it would be possible to do the following with IMA<br>
> and EVM:<br>
</div> >      1. Check the EVM side of things for every file opened/executed,<br>
<div class="im">>         excluding a few file paths. I primarily want to have<br>
>         signatures on all executables and configuration files, but not<br>
>         live data.<br>
<br>
</div> Filepaths are not supported, but you can identify files to be<br>
included/excluded by LSM obj/subj label.  For example, the SELinux<br>
label for /var/log/messages is:<br>
<br>
# getfattr -m ^security --dump /var/log/messages<br>
getfattr: Removing leading '/' from absolute path names<br>
# file: var/log/messages<br>
security.selinux="system_u:object_r:var_log_t:s0"<br>
<br>
To exclude /var/log/messages, the IMA measurement/appraise policy would<br>
contain,<br>
# var_log_t files<br>
dont_measure obj_type=var_log_t<br>
dont_appraise obj_type=var_log_t<br>
<br>
>      2. Force that IMA/EVM attributes do not change under normal<br>
<div class="im">>         conditions. The machine would need to be rebooted and have the<br>
>         kernel options changed to support attribute overwriting.<br>
<br>
</div> The 'security.ima' xattr containing a digital signature will not change,<br>
even on reboot in fix mode, but 'security.evm' could be updated when<br>
other metadata changes.<br>
<br>
>      3. Not extend the TPM PCR. I'm not trying to use IMA for remote<br>
<div class="im">>         attestation, but rather for ensuring the code and<br>
>         configuration on my machines haven't been tampered with.<br>
<br>
</div> Yes, modify the IMA policy so that nothing is measured, only appraised.<br>
<div class="im"><br>
> Now I did read the wiki before posting to the list. I did find<br>
> information regarding the ima_appraise option, but all it says is what<br>
> the possible values are, not what they actually mean. I think someone<br>
> should make that explicit in the wiki. The evm option doesn't have any<br>
> mention of allowed values, nor a table stating what it all means.<br>
<br>
> So, could someone please update these in the wiki, and is it possible<br>
> to achieve my objectives from above (the last one isn't a must)?<br>
><br>
> Regards,<br>
> Michael Cassaniti<br>
<br>
</div> linux-ima is dated and definitely needs to be updated. The updated wiki<br>
will include a section on the new digital signatures.  Thank you for<br>
your suggestions.<br>
<br>
thanks,<br>
<br>
Mimi<br>
<br>
</blockquote> </div> Thanks very much for your feedback. I will work on getting the right LSM labels added so I check signatures only on the data I want.<br>
<br>
If you don't mind (since I'm lost after reading the wiki) could you please suggest some kernel parameters to make all this happen, and what policy parameters I would need to only appraise but not measure? Sorry but the wiki is currently not specific enough to explain this.<br>
<br>
What I also failed to mention was that I wanted the machine to refuse to load a file that has been tampered with (excluding live data such as logs of course, which will be filtered by the appropriate LSM labelling).<br>
<br>
Thank you,<br>
Michael Cassaniti<br>
<a href="http://mcassaniti.dyndns.org" target="_blank" >http://mcassaniti.dyndns.org</a><br>
<br>
</body></html>
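The thread stops short of the concrete kernel parameters and policy Michael asks for. The following is an added example, written for this page and not code from either poster or from the linux-ima project, that puts Mimi's two pieces of advice together: an appraise-only policy (so nothing is measured and the TPM PCR is never extended) that refuses tampered files, with var_log_t excluded by SELinux object label exactly as in her reply. It assumes the policy grammar documented in the kernel's Documentation/ABI/testing/ima_policy (func=, mask=, fsmagic=, fowner=, obj_type=) and the ima_appraise= and evm= kernel command-line options; the policy file location and the securityfs mount point are illustrative, and the signing of files with evmctl from ima-evm-utils is outside the script.

```shell
#!/bin/sh
# Added example (not from the thread or the linux-ima project): an
# appraise-only IMA policy that enforces integrity on executables and
# root-owned files while leaving live log data (var_log_t) alone.
# Assumptions: ima_policy grammar from Documentation/ABI/testing/ima_policy,
# ima_appraise=/evm= kernel parameters, illustrative file locations.

POLICY_FILE="${POLICY_FILE:-/etc/ima/ima-policy}"    # assumed location
SECURITYFS="${SECURITYFS:-/sys/kernel/security}"      # usual securityfs mount

# Kernel command line for normal operation: a file whose security.ima
# does not verify is refused (open/exec fails). With no measure rules
# loaded, PCR 10 is never touched.
enforce_cmdline() {
    printf '%s\n' 'ima_appraise=enforce'
}

# Kernel command line for the one-off labelling pass: security.ima and
# security.evm may be (re)written even though verification fails. This is
# the "reboot with different kernel options" step from the thread.
fix_cmdline() {
    printf '%s\n' 'ima_appraise=fix evm=fix'
}

# The policy itself. Only appraise/dont_appraise rules appear, so nothing
# is measured. Pseudo-filesystems carry no persistent xattrs and are
# skipped by fsmagic; live data is skipped by SELinux object type.
ima_appraise_policy() {
    cat <<'EOF'
# pseudo-filesystems: proc, sysfs, debugfs, tmpfs, ramfs, securityfs, selinuxfs
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
# live data: anything labelled var_log_t (e.g. /var/log/messages)
dont_appraise obj_type=var_log_t
# everything executed, plus every root-owned file that is opened
appraise func=BPRM_CHECK
appraise fowner=0
EOF
}

# Checks a practitioner would run before loading: no measurement rules,
# and the var_log_t exclusion is really present.
policy_is_appraise_only() {
    ! grep -Eq '^(measure|dont_measure) ' "$1"
}
policy_excludes_var_log() {
    grep -Fxq 'dont_appraise obj_type=var_log_t' "$1"
}

# Write the policy to disk and hand it to the kernel. IMA accepts a policy
# once per boot through securityfs, so do this early in boot, as root.
load_policy() {
    mkdir -p "$(dirname "$POLICY_FILE")"
    ima_appraise_policy > "$POLICY_FILE"
    policy_is_appraise_only "$POLICY_FILE" || { echo "policy contains measure rules" >&2; return 1; }
    policy_excludes_var_log "$POLICY_FILE" || { echo "policy does not exclude var_log_t" >&2; return 1; }
    cat "$POLICY_FILE" > "$SECURITYFS/ima/policy"
}

case "${1:-}" in
    load) load_policy ;;
    show) ima_appraise_policy ;;
    cmdline) enforce_cmdline ;;
esac
```

Run `sh ima-policy.sh show` to inspect the policy and `sh ima-policy.sh load` (as root, after the first boot in enforce mode) to install it. The order of rules matters: IMA takes the first matching rule, so the dont_appraise exclusions must precede the appraise rules, and any further label-based exclusions (other live data, per Michael's plan) belong in the same place.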