From: Curtis V. <cr...@so...> - 2015-01-08 20:09:01
Hi, I am new to using IMA and am responsible for securing some systems. IMA looks like a great solution for maintaining system integrity. As I read the documents I find there are areas that I think I understand but have some uncertainty about. It would be greatly appreciated if anyone has time to help correct my errors in thought. Hopefully the comments and questions can be used to help improve the wiki. (I would be happy to add to the wiki as well, if and when I understand enough to avoid introducing errors.)

At http://sourceforge.net/p/linux-ima/wiki/Home/#understanding-the-ima-appraisal-policy under the "IMA-appraisal" heading, the text reads:

"The initial method for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity."

This brought at least one question to my mind...

1. How do I write a policy that ensures that the digital signature approach is required for specific groups of files?

2. Do I understand correctly that if I am using the hash (no digital signature), if a malicious user or executable "updates" a file, the system will automatically set an updated hash in the filesystem? I.e. there is a comment about hashes being used to prevent "off-line" filesystem modifications. If I understood, then I think the wiki is pretty clear on this (but it would be nice to be able to have certainty when reading). If I misunderstood, then clarification is badly needed.

Another question, not specifically at that location: it seems like the hashes are associated with measurement, not appraisal, and that the hashes are not stored in the xattrs while the appraisal-related signatures are. Did I get that correct? If the hashes are in the log, is that log file protected from tampering? How?

In the text under the heading "Labeling the filesystem with 'security.ima' extended attributes" there is a difference in the parameters given (log vs enforce). I am assuming that "enforce" is the correct parameter to use.

* ima_appraise= appraise integrity measurements
  Format: { "off" | "log" | "fix" }
  off - is a runtime parameter that turns off integrity appraisal verification.
  enforce - verifies and enforces runtime file integrity. [default]
  fix - for non-digitally signed files, updates the 'security.ima' xattr to reflect the existing file hash.

I am sure there will be more questions as I check out using IMA. My main concerns with deploying at this point are wondering how best to manage:

1. setting the initial policy for the target system. (Do I use hashes and/or signatures, and where for each?)

2. how to manage updates in the target system given a combination of distro updates and local updates? (Given that the distros do not currently support IMA. And if they did, I would potentially need two public keys, one for the distro-signed matter and one for the locally signed matter. Does IMA even support using two keys?)
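To make the hash-based versus signature-based distinction in 'security.ima' concrete, here is an added decoder for the xattr value (example code, not from the IMA wiki or the linux-ima project). It assumes the layout from the kernel's integrity headers: the first byte is the xattr type (0x01 legacy SHA-1 digest, 0x03 digital signature, 0x04 digest preceded by a hash-algorithm byte), and a signature value continues with a version byte, hash-algorithm byte, 4-byte big-endian key id and 2-byte big-endian signature length; the sample values are constructed, not real digests or keys.

```python
import struct

# xattr type byte (assumed from the kernel's evm_ima_xattr_type enum)
IMA_XATTR_DIGEST = 0x01       # raw SHA-1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03   # signature_v2 header followed by the signature
IMA_XATTR_DIGEST_NG = 0x04    # hash-algorithm byte followed by the digest

# kernel hash_algo numbering (assumed from include/uapi/linux/hash_info.h)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
             4: "sha256", 5: "sha384", 6: "sha512"}


def decode_security_ima(value: bytes) -> dict:
    """Describe a security.ima value; 'authenticity' is True only for signatures.
    A hash-only value proves the file data is unchanged since the hash was
    written; only a signature ties that data to a key holder."""
    if not value:
        raise ValueError("empty security.ima value")
    xtype = value[0]
    if xtype == IMA_XATTR_DIGEST:
        digest = value[1:]
        if len(digest) != 20:
            raise ValueError("legacy digest must be a 20-byte SHA-1")
        return {"method": "hash", "algo": "sha1", "digest": digest.hex(),
                "authenticity": False}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(value) < 2 or value[1] not in HASH_ALGO:
            raise ValueError("missing or unknown hash algorithm byte")
        return {"method": "hash", "algo": HASH_ALGO[value[1]],
                "digest": value[2:].hex(), "authenticity": False}
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(value) < 9:
            raise ValueError("signature header truncated")
        version, algo_id, keyid, sig_len = struct.unpack(">BBIH", value[1:9])
        if len(value) - 9 != sig_len:
            raise ValueError("declared signature length does not match data")
        return {"method": "signature", "version": version,
                "algo": HASH_ALGO.get(algo_id, "unknown"),
                "keyid": f"{keyid:08x}", "sig_len": sig_len, "authenticity": True}
    raise ValueError(f"unsupported security.ima type 0x{xtype:02x}")


def is_well_formed(value: bytes) -> bool:
    """True when the value parses, False for any malformed or unknown layout."""
    try:
        decode_security_ima(value)
        return True
    except ValueError:
        return False


# Constructed sample values (not real file hashes, key ids or signatures)
SAMPLE_HASH_NG = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes(range(32))   # sha256 digest
SAMPLE_SIG = (bytes([EVM_IMA_XATTR_DIGSIG])
              + struct.pack(">BBIH", 2, 4, 0x0123ABCD, 4) + b"\xaa\xbb\xcc\xdd")
```

On a live system the same bytes come from getfattr -n security.ima -e hex on the file; the decoder only classifies the value and does not verify the signature itself.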