From: Mimi Z. <zo...@li...> - 2014-12-31 03:56:35
On Wed, 2014-12-31 at 09:35 +0800, jiangdahui wrote:
<snip>
> ok, I'll describe my questions more clearly.
> 1. Is it use some manual operations exclude that boot with
> "ima_appraise = appraise integrity measurements"?

If a kernel is configured and built with IMA_APPRAISE enabled, nothing is
appraised unless an appraisal policy is loaded. Specifying "ima_appraise_tcb"
on the boot command line enables the built-in appraisal policy. This policy
can be replaced by redirecting the 'cat' policy output to
/sys/kernel/security/ima/policy/.

> 2. How to test the effect of it, observe the "security.evm" attr? Where?

There are two ways that 'security.evm' changes. The first method, using
evmctl, replaces the existing HMAC value with a file signature. The second
method occurs as a result of changing any of the protected security extended
attributes (eg. security.selinux, security.SMACK64, security.ima,
security.capability, ...).

> 3. Why the kernel can't boot when using "ima_appraise = enforce".

As explained below, the file system needs to be labeled with security.evm
xattrs appropriately. Possible reasons for failure to boot properly are:
missing file signature/hash, invalid file signature/hash, or unknown key.

Mimi

> At 2014-12-30 22:10:37, "Mimi Zohar" <zo...@li...> wrote:
> >On Tue, 2014-12-30 at 17:50 +0800, jiangdahui wrote:
> >> hi all:
> >
> >> how to verify IMA-Appraisal's effect? change an executable file? but I find
> >> it can still run normally? or observe the "security.evm" attr? how?
> >
> >IMA-appraisal enforces local file integrity based on policy (eg.
> >ima_appraise_tcb). The "good" integrity values are stored as extended
> >attributes (xattr), which are compared with the runtime values. Before
> >enabling IMA-appraisal, the file system must be labeled.
> >
> >Refer to the linux-ima wiki for more details.
> >
> >Mimi
> >
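As an added example (not from the thread or the linux-ima project), a bash audit of security.ima/security.evm labels taken from a `getfattr -d -m security -e hex -R` dump: it shows where the "security.evm" value can be observed and flags files that still lack a hash or signature, the "missing file signature/hash" case named above. The type-byte meanings are assumed from the kernel's evm_ima_xattr_type enum, and the dump is constructed sample data.

```shell
#!/bin/bash
# Added example, not from the thread: classify IMA/EVM labels in a getfattr dump.
# stdin: output of `getfattr -d -m security -e hex -R <dir>`; stdout: "<path> ima=<kind> evm=<kind>".
# Type bytes per the kernel's evm_ima_xattr_type enum (assumption): security.ima 0x01 hash,
# 0x03 signature, 0x04 hash-ng; security.evm 0x02 HMAC, 0x03 file signature (set by evmctl).
evm_xattr_audit() {
    awk '
        function flush() {
            if (file != "") print file " ima=" ima " evm=" evm
            file = ""; ima = "missing"; evm = "missing"
        }
        /^# file: / { flush(); file = substr($0, 9); next }
        /^security\.ima=0x/ {
            t = substr($0, 16, 2)
            ima = (t == "01") ? "hash" : (t == "03") ? "signature" : (t == "04") ? "hash-ng" : "unknown(" t ")"
            next
        }
        /^security\.evm=0x/ {
            t = substr($0, 16, 2)
            evm = (t == "02") ? "hmac" : (t == "03") ? "signature" : "unknown(" t ")"
            next
        }
        END { flush() }
    '
}

# Files that ima_appraise=enforce would reject because a required xattr is absent.
# An invalid value or a signature from an unknown key only shows up when the
# kernel verifies it, so those two causes cannot be detected from the dump alone.
evm_unlabeled() {
    evm_xattr_audit | awk '/ima=missing|evm=missing/ { print $1 }'
}

# Constructed sample dump (hex values shortened; only the leading type byte matters here).
SAMPLE_DUMP='# file: bin/ls
security.evm=0x02d41d8cd98f00b204e9800998ecf8427e1a2b3c4d
security.ima=0x0404e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# file: bin/cat
security.evm=0x03030201004f1a2b3c4d5e6f708192a3b4c5d6e7f8
security.ima=0x03030201001122334455667788

# file: usr/local/bin/helper
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

# file: etc/motd
security.ima=0x01da39a3ee5e6b4b0d3255bfef95601890afd80709'

printf '%s\n' "$SAMPLE_DUMP" | evm_xattr_audit
printf '%s\n' "$SAMPLE_DUMP" | evm_unlabeled
```

On a real system, run the getfattr command as root from the filesystem root and pipe its output into evm_unlabeled before switching to ima_appraise=enforce.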