From: Curtis V. <cr...@so...> - 2015-01-09 19:19:56
Mimi,

Thanks for the answers to my questions.

On Fri, Jan 09, 2015 at 09:32:58AM -0500, Mimi Zohar wrote:
> On Thu, 2015-01-08 at 13:08 -0700, Curtis Veit wrote:
> > 1. How do I write a policy that ensures that the digital signature
> > approach is required for specific groups of files?
>
> Yes, on the policy rule requiring signatures add
> "appraise_type:=imasig".
>
> > 2. Do I understand correctly that if I am using the hash (no digital
> > signature), if a malicious user or executable "updates" a file, the
>
> Right, immutable files should be labeled with file signatures. Mutable
> files by definition change, requiring the security.ima xattr to change
> to reflect the file data.
>
> > ... If the hashes are in the log is
> > that log file protected from tampering? How?
>
> The measurement log is stored in memory and can be attested to, so that
> a remote host can verify the integrity of the system.

So, in the system I am working with there is no TPM and no requirement to attest for the various files. There is a requirement to ensure that executables, libraries and system config files have not been tampered with. It sounds to me like I should skip measurement and just sign everything that must be treated as immutable. (I will try this out based on my current understanding.) Does that mean I can skip "ima_tcb" on the command line and just use "ima_appraise_tcb"?

Some additional questions:

What does "ima_template=ima-sig" do? Is there any relationship to this approach?

I am currently on the 3.13 kernel (Ubuntu 14.04), so I do not need to worry about adding a key to the keyring. But is it best practice to compile the kernel with a key, or is there another approach to get that first "valid" signing key in the keyring for 3.17 and beyond?

Is there a reference for policy syntax? (other than the end of the wiki)

I am keeping notes and hope (eventually) to provide some reference material that you could add to the wiki.

Best regards,
Curtis
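The policy point in this exchange (an appraise rule only requires a signature when it carries appraise_type=imasig; otherwise a hash-only security.ima label is accepted) can be checked mechanically before a policy is loaded. The following is an added example, not code from this thread or from the IMA project. The sample policy is constructed; it uses the action and condition keywords documented for IMA policy rules (func=, mask=, fsmagic=, uid=, appraise_type=) and treats only the exact value imasig as satisfying the signature requirement.

```python
"""Small linter for IMA policy rules: report appraise rules that do not
require a file signature (appraise_type=imasig).

Added example for illustration; not the kernel's parser and not from the
mailing-list thread.
"""

# Rule actions from the IMA policy documentation (subset, enough for this check).
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}

# Constructed sample policy. The two BPRM/MMAP rules express the intent in the
# thread (executables and shared libraries must carry a signature); the last
# appraise rule deliberately omits appraise_type, so a hash-only label passes.
# fsmagic values are the kernel's PROC_SUPER_MAGIC and SYSFS_MAGIC constants.
SAMPLE_POLICY = """\
# pseudo-filesystems are never appraised
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
appraise func=FILE_CHECK mask=MAY_READ uid=0
"""


def parse_policy(text):
    """Return a list of (action, {key: value}) tuples, one per rule.

    Like the kernel parser, lines that are empty or start with '#' are
    skipped. A line whose first word is not a known action, or a condition
    that is not key=value (bare flags such as permit_directio are allowed),
    raises ValueError so typos are not silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        opts = {}
        for cond in conds:
            key, sep, value = cond.partition("=")
            # bare flag (no '=') is recorded with an empty value
            opts[key] = value if sep else ""
        rules.append((action, opts))
    return rules


def appraise_rules_without_imasig(rules):
    """Appraise rules that would accept a hash-only security.ima label."""
    return [(action, opts) for action, opts in rules
            if action == "appraise" and opts.get("appraise_type") != "imasig"]


def lint(text):
    """Render each weak appraise rule back into policy syntax for reporting."""
    findings = appraise_rules_without_imasig(parse_policy(text))
    return [" ".join([action] + [f"{k}={v}" if v else k for k, v in opts.items()])
            for action, opts in findings]


if __name__ == "__main__":
    for rule in lint(SAMPLE_POLICY):
        print("hash-only appraisal allowed by:", rule)
```

Running the script against the constructed policy reports the `appraise func=FILE_CHECK mask=MAY_READ uid=0` rule, which is exactly the case the reply describes: without appraise_type=imasig a writer who can update both the file and its security.ima hash passes appraisal. The check is a pre-load review aid; the kernel still performs the authoritative parse when the policy is written to securityfs.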