From: Mimi Z. <zo...@li...> - 2015-06-10 18:32:33
On Wed, 2015-06-10 at 10:32 -0600, Curtis Veit wrote:
> On Wed, Jun 10, 2015 at 11:40:01AM -0400, Mimi Zohar wrote:
> > On Wed, 2015-06-10 at 09:29 -0600, Curtis Veit wrote:
> > > On Wed, Jun 10, 2015 at 09:22:30AM -0400, Mimi Zohar wrote:
> > > > On Tue, 2015-06-09 at 18:59 -0600, Curtis Veit wrote:
> > > > > I am also noticing that when using appraise rules looking for a hash
> > > > > that I can get errors when I update a file and then update the hash.
> > > > > Is there an approach for solving that? (Hopefully without either
> > > > > dropping appraise and only measuring or without rewriting various
> > > > > system utils to be IMA aware.)
> > > >
> > > > As long as the file is in policy, an updated hash should automatically
> > > > be written out on file close. When security.ima is a signature,
> > > > neither the file or the file signature can be modified. I've just
> > > > upstreamed a patch by Dmitry Kasitkin to also prevent userspace from
> > > > modifying the security.ima hash value.
> > > >
> > > > c68ed80 ima: limit file hash setting by user to fix and log modes
> > > Thanks for the reference, looks like I need to rethink a few things.
> > >
> > > > Sounds like I need to check my rules and try this out again.
> > > Just one question about the auto-update of the hash on file close...
> > > I am running 3.18 kernel. Is the auto update behaviour present in
> > > that version?
> > >
> > > If not, when did it appear?
> >
> > Setting the file hash has been there from the beginning. For
> > development it made sense to permit userspace (eg. root) to change the
> > file hash, but there's really no good reason for it. This patch
> > prevents userspace from modifying it.
> >
> > Mimi
>
> Two separate thoughts:
> First, I am wondering how this will affect my ability to deploy an embedded
> system using IMA.
>
> Does it allow pre-writing hashes before an image is deployed?
>
> Currently I build an image of the system and create the
> signatures and hashes as I deploy the image to the disk. What I hope to do is
> just to sign and hash the image once and deploy with those in place (currently
> that does not work for me - see the recent post about tar and rsync.)
>
> Second,
> Just exactly what is the expected sequence of events that is allowed in
> signing (signature and hashes) a fresh system? How about when installing
> updates?
>
> Sorry but I feel like I am missing something crucial here.

In "fix" mode, the file can be properly labeled. Add "ima_appraise=tcb" to
the boot command line.

Mimi
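As an added example, not from this thread or the IMA project, a small Python checker for the security.ima value the discussion turns on: it distinguishes a stored hash that still matches the file contents from a stale one (the close-time update has not happened) and from a signature, which the kernel does not replace with a hash. The type and algorithm byte values are assumed from the kernel's IMA xattr layout, and os.getxattr only works on Linux.

```python
import hashlib
import os

# Leading type byte of security.ima (assumed from the kernel's IMA xattr
# layout; constructed for this example, not taken from the thread).
IMA_XATTR_DIGEST = 0x01      # legacy format: raw sha1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # signature: the kernel will not rewrite it as a hash
IMA_XATTR_DIGEST_NG = 0x04   # "ima-ng": one algorithm-id byte, then the digest

# Subset of the kernel's enum hash_algo ids that follow the ima-ng type byte.
HASH_ALGO_ID = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_security_ima(xattr: bytes):
    """Split a raw security.ima value into (kind, algorithm, payload)."""
    if not xattr:
        raise ValueError("empty security.ima value")
    kind = xattr[0]
    if kind == IMA_XATTR_DIGEST:
        return ("hash", "sha1", xattr[1:])
    if kind == IMA_XATTR_DIGEST_NG:
        if len(xattr) < 2 or xattr[1] not in HASH_ALGO_ID:
            raise ValueError("ima-ng value with unknown hash algorithm")
        return ("hash", HASH_ALGO_ID[xattr[1]], xattr[2:])
    if kind == EVM_IMA_XATTR_DIGSIG:
        return ("signature", None, xattr[1:])
    raise ValueError(f"unknown security.ima type byte {kind:#04x}")


def verify(xattr: bytes, data: bytes) -> str:
    """'match' if the stored hash equals the digest of data, 'stale' if it
    does not (no update on close yet, or the update was blocked), and
    'signature' if the value is a signature rather than a hash."""
    kind, algo, payload = parse_security_ima(xattr)
    if kind == "signature":
        return "signature"
    return "match" if hashlib.new(algo, data).digest() == payload else "stale"


def check_file(path: str) -> str:
    """Read security.ima from a real file (Linux only) and verify it."""
    with open(path, "rb") as f:
        data = f.read()
    return verify(os.getxattr(path, "security.ima"), data)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it as root on a file covered by an appraise rule before and after editing and closing the file to see whether the hash was rewritten.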