From: Curtis V. <cr...@so...> - 2015-06-12 01:09:17
On Thu, Jun 11, 2015 at 09:34:29PM +0300, Petko Manolov wrote:
> On 15-06-11 20:46:48, Petko Manolov wrote:
> > On 15-06-10 09:01:54, Curtis Veit wrote:
> > > I'm going to break this into several replies due to the length...
> > > On Wed, Jun 10, 2015 at 09:22:30AM -0400, Mimi Zohar wrote:
> > > > On Tue, 2015-06-09 at 18:59 -0600, Curtis Veit wrote:
> > > > > I have had excellent success with IMA appraising signed executables.
> > > > > Can anyone clue me in?
> > > >
> > > > source/sh/include opens the file, but the FILE_CHECK rule is only
> > > > appraising files opened MAY_EXEC. This rule is not needed.
> > > >
> > > Thanks, explains why adding that rule did not help...
> > > I am certain I found a way to prevent
> > > sh foo.sh
> > > from running the script foo.sh if it was not signed. The first two
> > > rules above do not accomplish that. What rules should be used to
> > > prevent 'sh' from running an unsigned script?
> >
> > Have you tried:
> >
> > appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ
> >
> > I guess an attempt to read unsigned 'foo.sh' should fail.
>
> appraise func=FILE_CHECK mask=MAY_READ uid=1001
>
> Unless I've done something stupid the above rule (signed 'busybox', unsigned
> 'foo.sh') did the trick:
>
> # ./busybox-signed sh foo.sh
>
> ends up with:
>
> sh: can't open 'foo.sh'
>
> and the audit message:
>
> [ 807.094071] audit: type=1800 audit(1434047224.585:23): pid=1498 uid=1001 auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" comm="busybox-signed" name="/home/user/foo.sh" dev="sda1" ino=42 res=0

Hi Petko,

That could be exactly what I did. Unfortunately it was in January, so the memory has faded. I was pretty much only testing for ways to avoid executing anything but signed files. Unfortunately this is not quite the final solution I'm looking for, but it does get me back on the right path.

Thanks very much for taking time to share your experience. I'm finding that I still have much to learn to use IMA.

Seems like there might be a Linux capability that could be used to allow/reject executing a script in that way. I need to learn more about using LSM features with IMA and see if that would tie in to capabilities as well. This might mean that a little new code is needed...

Best regards,
Curtis
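The point of the exchange above is that `sh foo.sh` never opens `foo.sh` for execution: the kernel exec-opens `busybox-signed` (MAY_EXEC), and the shell then opens the script read-only (MAY_READ), so a `FILE_CHECK mask=MAY_EXEC` rule never sees the script. The following is an added example, not code from the thread, the kernel or the IMA project: a small Python model of IMA's first-match appraise policy, reduced to the `func`, `mask`, `uid` and `appraise_type` conditions the thread uses, fed two constructed file opens that stand in for `./busybox-signed sh foo.sh` run as uid 1001, plus a parser for the type=1800 audit record Petko quoted. The paths, the uid and the audit line are taken from the thread; the open events themselves are an assumption made for the demo.

```python
"""Toy model of IMA appraise-rule matching (added example, not kernel code).

It keeps only the rule fields used in the thread (func, mask, uid,
appraise_type) and the first-match semantics of the appraise action.
"""
import re

# Permission bits, same values as the kernel's MAY_* constants.
MAY_EXEC, MAY_WRITE, MAY_READ = 0x1, 0x2, 0x4
MASK_NAMES = {"MAY_EXEC": MAY_EXEC, "MAY_WRITE": MAY_WRITE, "MAY_READ": MAY_READ}


def parse_rule(text):
    """Parse one policy line such as
    'appraise func=FILE_CHECK mask=MAY_READ uid=1001' into a dict.
    Only the action and the func/mask/uid/appraise_type keys are understood."""
    action, *conds = text.split()
    if action not in ("appraise", "dont_appraise"):
        raise ValueError("unsupported action: %s" % action)
    rule = {"action": action}
    for cond in conds:
        key, _, value = cond.partition("=")
        if key == "mask":
            rule["mask"] = MASK_NAMES[value]
        elif key == "uid":
            rule["uid"] = int(value)
        elif key in ("func", "appraise_type"):
            rule[key] = value
        else:
            raise ValueError("unsupported condition: %s" % key)
    return rule


def rule_matches(rule, func, mask, uid):
    """Every condition present in the rule must match the open exactly;
    a condition that is absent matches anything."""
    if "func" in rule and rule["func"] != func:
        return False
    if "mask" in rule and rule["mask"] != mask:
        return False
    if "uid" in rule and rule["uid"] != uid:
        return False
    return True


def appraise_decision(policy, func, mask, uid):
    """Return 'appraise', 'dont_appraise' or None for one file open.
    The first rule whose conditions match decides; later rules are ignored."""
    for rule in policy:
        if rule_matches(rule, func, mask, uid):
            return rule["action"]
    return None


# Constructed opens modelling `./busybox-signed sh foo.sh` as uid 1001 (assumption):
# the kernel exec-opens busybox-signed, then busybox's `sh` opens foo.sh read-only.
OPENS = [
    ("/home/user/busybox-signed", "FILE_CHECK", MAY_EXEC, 1001),
    ("/home/user/foo.sh", "FILE_CHECK", MAY_READ, 1001),
]


def appraised_files(policy_text, opens=OPENS):
    """Sorted list of the opened paths that the given policy text would appraise."""
    policy = [parse_rule(line) for line in policy_text.strip().splitlines() if line.strip()]
    return sorted(path for path, func, mask, uid in opens
                  if appraise_decision(policy, func, mask, uid) == "appraise")


# Type 1800 (AUDIT_INTEGRITY_DATA) records are key=value pairs, quoted where needed.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_ima_audit(line):
    """Turn an 'audit: type=1800 ... res=0' line into a dict of its fields."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


# Copy of the record quoted in the thread, embedded here as constructed sample input.
AUDIT_LINE = ('[  807.094071] audit: type=1800 audit(1434047224.585:23): pid=1498 uid=1001 '
              'auid=4294967295 ses=4294967295 op="appraise_data" cause="missing-hash" '
              'comm="busybox-signed" name="/home/user/foo.sh" dev="sda1" ino=42 res=0')

if __name__ == "__main__":
    exec_only = "appraise func=FILE_CHECK mask=MAY_EXEC uid=1001"
    with_read = exec_only + "\nappraise func=FILE_CHECK mask=MAY_READ uid=1001"
    print("MAY_EXEC rule only appraises:", appraised_files(exec_only))
    print("plus MAY_READ rule appraises:", appraised_files(with_read))
    rec = parse_ima_audit(AUDIT_LINE)
    print("audit record:", rec["name"], rec["cause"], "opened by", rec["comm"])
```

Two caveats the model makes visible. A `mask=MAY_READ` rule matches every read-open by that uid, not only scripts, so any unsigned file that user reads will be refused with the same `missing-hash` record; that is why a rule like this is usually scoped further (the real policy language also matches on fsmagic, fsuuid and LSM labels, which the model leaves out). And because the first matching rule wins, a `dont_appraise` line placed before the `appraise` line silently disables it, which is worth checking whenever a rule "does not seem to work".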