Menu
▾
▴
Re: [Linux-ima-user] File measurements not always stored or security.ima disappearing
|
From: Sven V. <sve...@si...> - 2013-01-13 14:28:48
|
On Mon, Jan 07, 2013 at 06:59:47AM -0500, Mimi Zohar wrote: > > I'm now distributing it to my other test VMs so I can have the entire test > > infrastructure run with IMA/EVM (enforcing). > > Cool! Are you using digital signatures or only hashes? Mainly only hashes, although I have a few files set with digital signatures for testing purposes (to see if this "immutable" feature keeps working). So yes, even digital signatures still work with the patch applied (and continue to work even after reloading the LSM (SELinux) policy). However, I think the signature-based approach requires reactive validation (i.e. check if the files still contain a signature instead of just a hash) to make sure the files have not been tampered with (similar to the remote attestation). Local appraisal has only limited success in this area. A malicious user can manipulate the file system offline, regenerate the security.ima and security.evm attributes (but providing a hash instead of a digital signature as he doesn't have the private key) and have it boot up again. Because the integrity subsystem verifies that the attributes are correct (it sees hashes, so validates those) the system continues allowing access to these files. Only reactive checking (like checking the attributes of all files that *ought* to be immutable) works to ensure that the files have not been tampered with. Wkr, Sven Vermeulen |