From: Tao <baa...@gm...> - 2015-12-23 19:02:45
Hi Mimi,

Thank you very much for your reply. My answers are in-line.

Another issue: when I open the file with vi or vim and make some modifications to the file, the security.ima attribute will disappear. But when I use nano to edit the file, the value of security.ima will be updated. I am not sure if this is another issue.

Best wishes!
Tao

On 12/23/2015 6:50 PM, Mimi Zohar wrote:
> On Wed, 2015-12-23 at 17:28 +0100, Tao wrote:
>> Hi,
>>
>> I am trying the IMA appraisal function on a CentOS7 minimal installation
>> machine. By default, this distribution ships with a compiled kernel that
>> supports IMA functions. Kernel version is 3.10.0.
>>
>> I followed the instructions on the following two web pages.
>>
>> http://sourceforge.net/p/linux-ima/wiki/Home/
>>
>> https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
>>
>> It works fine with the measurement functions and IMA appraisal without
>> digital signatures. I activated the i_version flag for the root filesystem in
>> the boot command line and changed the mount option in the /etc/fstab file.
>>
>> Since right now I am just testing the capability of IMA, I set a
>> custom policy only to appraise the files belonging to a user named "temp"
>> and added "ima_appraise=enforce" to the boot command line.
>>
>> Then I use 'evmctl ima_hash file' and it works fine. I can see the
>> security.ima extended attribute with the 'getfattr' command. And after I
>> change the owner of the file to temp, I can still open it and execute it.
> Does the reverse also work, meaning if a file owned by temp isn't
> signed, can you execute it?

If the file's hash is correct, but it is not signed, it can still be executed. As I understand, the 'ima_hash' function only computes the hash value of the file and stores it in the security.ima attribute, so if the security.ima attribute is not signature based, the appraisal will succeed, and then it should be able to be executed.

>> The problem is with the ima_sign function provided by evmctl. Following
>> the instructions, I create a new keyring in the system by launching the
>> following commands:
>>
>> openssl genrsa -out privkey_evm.pem 1024
>>
>> openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
>>
>> ima_id=`keyctl newring _ima @u`
> Try logging in as root or "su - ", not using "sudo" to create the "_ima"
> keyring.

I always log in as root, since I am just testing in a virtual machine; with the root account, it is more convenient.

>
>> evmctl import --rsa /etc/keys/pubkey_evm.pem $ima_id
>>
>> evmctl ima_sign --rsa file -v
>>
>> Until this point, I can see the hash value, the keyid, sighash and
>> evm/ima signature. And I also can see the security.ima attribute is
>> becoming 274 bytes long.
>>
>> Then I launch:
>>
>>
>> evmctl ima_verify --rsa file -v
>>
>> and I can see the hash is correct and sighash is the same one shown with
>> the above command. And the verification is OK.
>>
>>
>> But after I change the ownership of the file to user
>> 'temp', whose files are set to be appraised, and try to run the same
>> ima_verify again, it gives an error with the following message:
>>
>> [8621.067731] digsig: key not found, id:DE253B20DFD8E3
> Probably "_ima" is not on root's keyring.

It should be, because when I execute 'keyctl show', I can see _ima as a sub keyring of keyring:_uid.0, but the system still shows:

digsig: key not found, id:DE253B20DFD8E3

Any other thoughts?

>
> Mimi
>
>> Fail to open: file
>>
>> Errno: Permission denied (13)
>>
>>
>> With the 'keyctl show' command, I can see the
>> sub-attributes of keyring: _uid.0, named _ima and DE253B20DFD8E3.
>>
>>
>> Can anyone enlighten me as to what the possible error is? I followed exactly
>> the procedure described in the wiki page. Or has something changed?
>>
>>
>> Thank you very much for your time and best wishes!
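As an added example (not part of this thread, and not ima-evm-utils code), the following Python helper inspects a raw security.ima value of the kind 'getfattr' returns, distinguishes a hash-only xattr from a signed one, and derives the key id the kernel will look up, which is the distinction behind both points raised above: a hash-only xattr passes appraisal unless the policy demands a signature, and a signature whose key id is absent from the keyring ends in "key not found". The type bytes and the v1/v2 signature header layouts are assumptions taken from the kernel's integrity code and ima-evm-utils; the sample values are constructed and contain no real signature.

```python
import struct

# First byte of every security.ima value (assumed from the kernel's integrity
# headers): bare digest, signature, or digest prefixed with a hash-algo byte.
IMA_XATTR_DIGEST, EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG = 0x01, 0x03, 0x04


def classify_ima_xattr(value: bytes) -> dict:
    """Parse raw security.ima bytes (e.g. decoded from 'getfattr -e hex')."""
    if not value:
        raise ValueError("empty security.ima")
    kind = value[0]
    if kind == IMA_XATTR_DIGEST:        # what 'evmctl ima_hash' writes
        return {"type": "hash", "keyid": None, "digest": value[1:].hex()}
    if kind == IMA_XATTR_DIGEST_NG:     # skip the hash-algo id byte
        return {"type": "hash", "keyid": None, "digest": value[2:].hex()}
    if kind != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"unknown security.ima type 0x{kind:02x}")
    version = value[1]
    if version == 1:
        # v1 ('evmctl ima_sign --rsa'): ver, be32 timestamp, algo, hash, keyid[8],
        # nmpi. lib/digsig.c searches for the 64-bit keyid formatted with %llX.
        _v, _ts, _algo, _hash, keyid, _nmpi = struct.unpack(">BIBB8sB", value[1:17])
        return {"type": "signature", "version": 1,
                "keyid": f"{int.from_bytes(keyid, 'big'):X}"}
    if version == 2:
        # v2 (asymmetric key): ver, hash_algo, be32 keyid, be16 sig_size, signature.
        _v, _algo, keyid, sig_size = struct.unpack(">BBIH", value[1:9])
        return {"type": "signature", "version": 2, "keyid": f"{keyid:08x}",
                "sig_size": sig_size}
    raise ValueError(f"unknown signature version {version}")


def appraisal_precheck(value: bytes, require_sig: bool, keyring_ids: set) -> tuple:
    """Mirror the two outcomes discussed in the thread from the xattr alone; the
    digest comparison and signature verification themselves stay in the kernel."""
    info = classify_ima_xattr(value)
    if info["type"] == "hash":
        if require_sig:
            return False, "appraise_type=imasig set, but security.ima holds only a hash"
        return True, "hash-only security.ima; kernel compares it with the file digest"
    if info["keyid"] not in keyring_ids:
        return False, f"digsig: key not found, id: {info['keyid']}"
    return True, f"signature by key {info['keyid']}, which is on the keyring"


# Constructed samples (no real signature): a bare SHA-1 xattr, and a v1 header
# whose keyid the kernel would print as DE253B20DFD8E3, the id from the thread.
HASH_ONLY = bytes([IMA_XATTR_DIGEST]) + bytes(20)
SIG_V1 = bytes([EVM_IMA_XATTR_DIGSIG, 1]) + struct.pack(
    ">IBB8sB", 0, 1, 2, bytes.fromhex("00DE253B20DFD8E3"), 1) + b"\x04\x00" + bytes(128)
```

Running `appraisal_precheck(SIG_V1, True, set())` reproduces the "key not found" outcome from the thread, while passing the same id in `keyring_ids` clears it; the helper does not replace `evmctl ima_verify`, it only shows which branch the kernel will take.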