Menu
▾
▴
Re: [Linux-ima-user] File measurements not always stored or security.ima disappearing
|
From: Mimi Z. <zo...@li...> - 2013-01-14 02:25:36
|
On Sun, 2013-01-13 at 15:28 +0100, Sven Vermeulen wrote: > On Mon, Jan 07, 2013 at 06:59:47AM -0500, Mimi Zohar wrote: > > > I'm now distributing it to my other test VMs so I can have the entire test > > > infrastructure run with IMA/EVM (enforcing). > > > > Cool! Are you using digital signatures or only hashes? > > Mainly only hashes, although I have a few files set with digital > signatures for testing purposes (to see if this "immutable" feature keeps > working). So yes, even digital signatures still work with the patch applied > (and continue to work even after reloading the LSM (SELinux) policy). > > However, I think the signature-based approach requires reactive validation > (i.e. check if the files still contain a signature instead of just a hash) > to make sure the files have not been tampered with (similar to the remote > attestation). Local appraisal has only limited success in this area. > > A malicious user can manipulate the file system offline, regenerate the > security.ima and security.evm attributes (but providing a hash instead of a > digital signature as he doesn't have the private key) and have it boot up > again. Because the integrity subsystem verifies that the attributes are > correct (it sees hashes, so validates those) the system continues allowing > access to these files. Agreed, we need to differentiate between files requiring signatures versus hashes, but not because 'security.evm' can be regenerated offline. > Only reactive checking (like checking the attributes of all files that > *ought* to be immutable) works to ensure that the files have not been > tampered with. linux-integrity/#next-ima-appraise-status contains a couple of patches queued to be upstreamed that address this issue. ima: differentiate appraise status only for hook specific rules ima: per hook cache integrity appraisal status ima: increase iint flag size ima: added policy support for 'security.ima' type thanks, Mimi |
