From: Petko M. <pe...@mi...> - 2015-06-11 17:47:07

On 15-06-10 09:01:54, Curtis Veit wrote:
> I'm going to break this into several replies due to the length...
> On Wed, Jun 10, 2015 at 09:22:30AM -0400, Mimi Zohar wrote:
> > On Tue, 2015-06-09 at 18:59 -0600, Curtis Veit wrote:
> > > I have had excellent success with IMA appraising signed executables.
> > > I am trying to take the next step by adding other rules but hit a
> > > number of issues.
> > >
> > > my added rules for executables:
> > > appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
> > > appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
> > > appraise appraise_type=imasig func=FILE_CHECK mask=MAY_EXEC
> > > One issue on executables, I seem to have broken my previously
> > > correct behavior. I was able to prevent execution of the command
> > > "sh foo.sh" where bash is signed but foo.sh is not.
> > > The above prevents "foo.sh" but allows "sh foo.sh".
> > > Can anyone clue me in?
> >
> > source/sh/include opens the file, but the FILE_CHECK rule is only
> > appraising files opened MAY_EXEC. This rule is not needed.
>
> Thanks, explains why adding that rule did not help...
> I am certain I found a way to prevent
> sh foo.sh
> from running the script foo.sh if it was not signed. The first two
> rules above do not accomplish that. What rules should be used to
> prevent 'sh' from running an unsigned script?

Have you tried:

appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ

I guess an attempt to read unsigned 'foo.sh' should fail.

Petko
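The policy-matching point in this exchange, as an added toy model that is not part of the thread and not the kernel's own code: a script run as "./foo.sh" reaches IMA at the BPRM_CHECK hook with MAY_EXEC, while "sh foo.sh" only has the interpreter open(2) the script read-only, so the script is seen at FILE_CHECK with MAY_READ. Matching is simplified (assumed) to func equality plus a mask-bit test; the real parser also handles uid, fowner, fsmagic and other conditions.

```python
# Toy model of IMA appraise-rule matching (constructed example, not kernel code).
from typing import Dict, List

# Constructed bit values for the model; the kernel's MAY_* constants differ.
MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4
MASK_NAMES = {"MAY_EXEC": MAY_EXEC, "MAY_WRITE": MAY_WRITE, "MAY_READ": MAY_READ}

# The three rules from the thread, plus the FILE_CHECK/MAY_READ rule suggested in reply.
ORIGINAL_POLICY = [
    "appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC",
    "appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC",
    "appraise appraise_type=imasig func=FILE_CHECK mask=MAY_EXEC",
]
SUGGESTED_RULE = "appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ"

# How foo.sh itself is presented to IMA for each invocation (assumed model).
SCRIPT_ACCESS = {
    "./foo.sh": ("BPRM_CHECK", MAY_EXEC),   # kernel execs the script file
    "sh foo.sh": ("FILE_CHECK", MAY_READ),  # sh opens it read-only
}

def parse_rule(line: str) -> Dict[str, str]:
    """Turn 'appraise key=value ...' into {'action': 'appraise', key: value, ...}."""
    action, *conds = line.split()
    rule = {"action": action}
    for cond in conds:
        key, _, value = cond.partition("=")
        rule[key] = value
    return rule

def rule_matches(rule: Dict[str, str], func: str, mask: int) -> bool:
    """Simplified match: func must equal the hook, mask bit must be requested."""
    if rule.get("func") != func:
        return False
    if "mask" in rule and not (MASK_NAMES[rule["mask"]] & mask):
        return False
    return True

def script_appraised(policy_lines: List[str], invocation: str) -> bool:
    """True if some appraise rule fires on the access foo.sh gets for this invocation."""
    policy = [parse_rule(line) for line in policy_lines]
    func, mask = SCRIPT_ACCESS[invocation]
    return any(r["action"] == "appraise" and rule_matches(r, func, mask) for r in policy)

if __name__ == "__main__":
    for how in SCRIPT_ACCESS:
        print(f"{how:10s} original: {script_appraised(ORIGINAL_POLICY, how)}"
              f"  with MAY_READ rule: {script_appraised(ORIGINAL_POLICY + [SUGGESTED_RULE], how)}")
```

Note that an unrestricted FILE_CHECK/MAY_READ appraise rule applies to every read-open on matching filesystems, so unsigned data files would then fail appraisal as well unless the rule is narrowed with the usual conditions (uid, fowner, fsmagic).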