Menu
▾
▴
[Linux-ima-user] I have my system partly working, looking for a little more advice.
|
From: Curtis V. <cr...@so...> - 2015-01-27 19:56:45
|
I have really appreciated help received on the user list. I've now been about to get my appraisal functionality working well for executables. (currently evm breaks it but I am putting that to the back burner) Most of the questions below may be able to be dealt with using LSM labels, Is there a good reference somewhere to using LSM labels? I currently have apparmor enabled and it does not appear to do much with labels. Should I do something like adding Smack labels and use those or roll my own? Any recommendations would be very welcome. If there are no comments about the following I will assume that the correct approach is to use LSM labels. Although there are actually a couple items where clarification would be nice. I do have a few questions that affect the way the I will implement measurement policy. Most important perhaps is wondering how policy rules that apply to a subset of files work when there is also a rule that affects a superset? A specific example is that I am signing and appraising all executables. I would like to measure or appraise all config files using a hash. As there are no path based rules, and my approach can be simple, I am looking at using: action = (measure or appraise), mask = MAY_READ, fowner = root (and I assume I want) func = FILE_CHECK. Is there any way to obtain appraise actions based on a hash on the config files while using appraise actions based on signatures on the executables? If not then I guess that means that I can only measure the config files? If I set a rule to measure these files the rule will also encompass the root owned executables and they do not have a hash they only have a signature. (When I create a hash for these it overwrites the signature.) Is there a way to either provide both a hash and signature or to somehow exclude the executables from a rule that catches the configuration files? Is the use of the rules order dependent to allow masking a more general rule? One more... I was thinking of protecting some config files (that are essentially immutable for these systems) with signatures but cannot see a good way to differentiate between immutable configs and mutable configs. I was tempted to change the group id to a "wheel" group but IMA only seems to only check fowner. Is there a way to specify MAY_NOT_EXEC? Can I just set an additional security xattr to flag this? Thanks and best regards, Curtis |
