From: Curtis V. <ve...@vp...> - 2015-06-22 17:04:19
Hi Mimi,

We are seeing interesting behavior here. I have two things to share: first, a repeatable test case (on our box we are using IMA only, no EVM), and second, a slightly simplified version of the policy we are using.

A test case:

  As root, run either chpasswd or passwd to change a user password on the IMA machine.
  View /etc/shadow (we get permission denied).
  Then touch /etc/shadow.
  View /etc/shadow: now we can see the contents of shadow.

My policy follows; perhaps I am misusing IMA in some way.

best regards,
Curtis

-------------------------------------------------------------------------
# Default Rules
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
#
# Special partition
dont_measure fsuuid=a11234...
dont_appraise fsuuid=a11243...
# Special immutable group
appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
# this area allows hashed executables
appraise func=FILE_MMAP mask=MAY_EXEC fsuuid=0761e0f1...
appraise func=BPRM_CHECK mask=MAY_EXEC fsuuid=0761e0f1...
#
# All executables must be signed
appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
#
# Attempt to avoid log and cache file (etc)
# This may belong above the previous appraise group
# sda7=/tmp sda8=/var
dont_measure fsuuid=ac010c7...    this is /tmp
dont_appraise fsuuid=ac010c7...
dont_measure fsuuid=...    this is /var
dont_appraise fsuuid=...
# Is there a better way to handle the text based log files
# that linux creates?
# Using groups instead of uid mainly for testing
# gid functionality
# group root = 0 may want to go by owner or group?
# group shadow = 42 needed if above not by owner
measure func=FILE_CHECK mask=MAY_READ fgroup=0
appraise func=FILE_CHECK mask=MAY_READ fgroup=0
measure func=FILE_CHECK mask=MAY_READ fgroup=42
appraise func=FILE_CHECK mask=MAY_READ fgroup=42
#
# non-root group to protect with hashes = 201
# also protect www-data group = 33
measure func=FILE_CHECK mask=MAY_READ fgroup=33
appraise func=FILE_CHECK mask=MAY_READ fgroup=33
measure func=FILE_CHECK mask=MAY_READ fgroup=201
appraise func=FILE_CHECK mask=MAY_READ fgroup=201
#
# remaining default rules
measure func=BPRM_CHECK
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK

On Mon, Jun 22, 2015 at 11:03:19AM -0400, Mimi Zohar wrote:
> On Mon, 2015-06-22 at 13:59 +0000, Curtis Veit wrote:
> > So what method may be used to create a new file with a valid hash?
> > Seems like there are valid use cases for this.
>
> New files are always hashed as long as they're in policy. Try creating
> a test file and getting the security xattr values and the sha256sum of
> the file.
>
> $ sudo sh -c "echo 'Hello World' > /etc/hello"
>
> $ getfattr -m ^security --dump -e hex /etc/hello
> getfattr: Removing leading '/' from absolute path names
> # file: etc/hello
> security.evm=0x02736807ac58a250f017de2d3fdd45e63db4270c73
> security.ima=0x0404d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26
> security.selinux=0x756e636f6e66696e65645f753a6f626a6563745f723a6574635f743a733000
>
> $ sha256sum /etc/hello
> d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26 /etc/hello
>
> If you're still having problems, then post the results here with your
> appraisal policy.
>
> Mimi
>
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
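Both Curtis's test case and Mimi's check come down to the same question: does the file's security.ima value hold a digest of the current contents? The script below is an added example, not code from this thread or from the IMA project. It decodes the hex layout visible in Mimi's getfattr output (type byte 0x04, hash-algorithm byte 0x04 for sha256, then the digest) and compares it against a freshly computed hash; the type and algorithm byte values are taken from the kernel's integrity headers as I remember them and should be treated as assumptions.

```python
import hashlib
import os

# security.ima layout as seen in Mimi's output: 0x04 0x04 <32-byte sha256>.
# Type and algorithm byte values are assumed from the kernel's integrity
# headers (ima_xattr_type / enum hash_algo); they are not stated in the thread.
IMA_XATTR_DIGEST = 0x01      # legacy form: sha1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # signature (appraise_type=imasig), not a bare hash
IMA_XATTR_DIGEST_NG = 0x04   # digest preceded by a hash-algorithm byte
HASH_ALGO = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_ima_xattr(value: bytes) -> dict:
    """Decode raw security.ima bytes into type, hash algorithm and hex digest."""
    if not value:
        raise ValueError("empty security.ima value")
    kind = value[0]
    if kind == IMA_XATTR_DIGEST_NG:
        if len(value) < 2 or value[1] not in HASH_ALGO:
            raise ValueError("DIGEST_NG entry with missing or unknown algorithm byte")
        algo, digest = HASH_ALGO[value[1]], value[2:]
    elif kind == IMA_XATTR_DIGEST:
        algo, digest = "sha1", value[1:]
    elif kind == EVM_IMA_XATTR_DIGSIG:
        return {"type": "digsig", "algo": None, "digest": None, "sig": value[1:].hex()}
    else:
        raise ValueError(f"unknown security.ima type byte {kind:#04x}")
    # A truncated or padded digest can never appraise; report it rather than comparing.
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError(f"{algo} digest has {len(digest)} bytes, wrong length")
    return {"type": "digest", "algo": algo, "digest": digest.hex()}


def ima_hash_matches(content: bytes, xattr_hex: str) -> bool:
    """True when the stored digest equals a fresh hash of content (what appraisal does for hashed files)."""
    raw = xattr_hex[2:] if xattr_hex.startswith("0x") else xattr_hex
    info = parse_ima_xattr(bytes.fromhex(raw))
    if info["type"] == "digsig":
        raise ValueError("signature-type xattr: verification needs the signing key, not a hash")
    return hashlib.new(info["algo"], content).hexdigest() == info["digest"]


def check_file(path: str) -> bool:
    """Run the same comparison on a real file's xattr (Linux only; needs read access to both)."""
    raw = os.getxattr(path, "security.ima")
    with open(path, "rb") as fh:
        return ima_hash_matches(fh.read(), raw.hex())
```

Running check_file on /etc/shadow before and after the touch in Curtis's test case shows whether the xattr was absent, stale, or matching at each step, which is the data Mimi asked for.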