Recent changes to Home

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 23:49:55 -0000

--- v30
+++ v31
@@ -20,7 +20,7 @@

  -   **Audit** – audit the file hashes.

-The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30. The last two features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split. EVM was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys).   EVM support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3.  IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7.
+The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30.   The "appraise" and "protect" features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split.   EVM, the "protect" feature, was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys).   EVM support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3.  IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7.

 The goals, design, and benefits of these features are further described in the whitepaper ["An Overview of the Linux Integrity Subsystem"](http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf "http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf").

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 23:43:03 -0000

--- v29
+++ v30
@@ -356,9 +356,10 @@

 IMA-audit includes file hashes in the audit log, which can be used to augment existing system security analytics/forensics. IMA-audit extends the IMA policy ABI with the policy action keyword - "audit".

-Example policy to audit file hashes of all executables
-
-audit func=BPRM_CHECK
+Example policy to audit  executable file hashes
+
+    audit func=BPRM_CHECK
+    

 ## Linux Extended Verification Module (EVM)

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 23:30:53 -0000

--- v28
+++ v29
@@ -17,14 +17,22 @@
     “good” value stored in an extended attribute of the file.
 -   **Protect** – protect a file's security extended attributes
     (including appraisal hash) against off-line attack.
-
-The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30. The last two features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split. EVM was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys). Support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3. IMA-appraisal was upstreamed in Linux 3.7.
+ 
+ -   **Audit** – audit the file hashes.
+
+The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30. The last two features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split. EVM was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys).   EVM support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3.  IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7.

 The goals, design, and benefits of these features are further described in the whitepaper ["An Overview of the Linux Integrity Subsystem"](http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf "http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf").

 ### Components

-IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
+IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA-measurement and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
+
+IMA-appraisal, a second component of the kernel's integrity subsystem,  extends the "secure boot" concept of verifying  a file's integrity, before transferring control or allowing the file to be accessed by the OS.
+
+IMA-audit, another component of the kernel's integrity subsystem, includes file hashes in the system audit logs, which can be used to augment existing system security analytics/forensics.
+
+The IMA-measurement, IMA-appraisal, and IMA-audit aspects of the kernel's integrity subsystem complement each other, but can be configured and used independently of each other.

 ## Integrity Measurement Architecture (IMA-measurement)

@@ -42,9 +50,9 @@
 IMA is controlled with several kernel command line parameters:

-ima_audit= audit control
+ima_audit= informational audit logging
  Format: { "0" | "1" }
- 0 -- integrity auditing messages. (Default)
+ 0 -- normal integrity auditing messages. (Default)
  1 -- enable additional informational integrity auditing messages.

  (eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.)
@@ -343,6 +351,15 @@
 ### Signing IMA-appraisal keys

 ( Place holder )
+
+## IMA-audit
+
+IMA-audit includes file hashes in the audit log, which can be used to augment existing system security analytics/forensics. IMA-audit extends the IMA policy ABI with the policy action keyword - "audit".
+
+Example policy to audit file hashes of all executables
+
+audit func=BPRM_CHECK
+

 ## Linux Extended Verification Module (EVM)

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 21:09:46 -0000

--- v27
+++ v28
@@ -198,7 +198,7 @@

 ### IMA re-measuring files

-Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must be mounted with i_version support.
+Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must support i_version and, if needed, be mounted with i_version (eg. ext3, ext4).  Not all filesystems require the explicit mount option.   With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it") i_version is considered an optimization.  If i_version is not enabled, either because the local filesystem does not support it or the filesystem was not mounted with i_version, the file will now always be re-measured, whether or not the file changed, but only new measurements will be added to the measurement list.

 -   Attempt to mount a filesystem with i_version support.

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 19:18:17 -0000

--- v26
+++ v27
@@ -131,7 +131,7 @@

 ### Verifying IMA Measurements

-The IMA tests programs are part of the [Linux Test Project.](http://ltp.sourceforge.net/wiki "https://github.com/linux-test-project/ltp/wiki")
+The IMA tests programs are part of the [Linux Test Project.](https://github.com/linux-test-project/ltp/wiki)

 - Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin.

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 19:05:03 -0000

--- v25
+++ v26
@@ -50,7 +50,7 @@
  (eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.)

 ima_policy= builtin policy
-Format:  ["tcb"|"appraise_tcb"|"secure-boot"]
+Format:  {"tcb" | "appraise_tcb" | "secure-boot"}
 **NEW** Linux-4.13 default: no policy

 ima_template= template used
@@ -62,7 +62,7 @@
   'ima' template default: "sha1"
   Linux 3.13 default: "sha256"

- ima_tcb [deprecated]
+ ima_tcb  (deprecated)
  If specified, enables the TCB policy, which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0.

 ### IMA Measurement List

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 19:01:08 -0000

--- v24
+++ v25
@@ -24,20 +24,20 @@

 ### Components

-IMA measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
-
-## Integrity Measurement Architecture (IMA)
-
-
-IMA is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack, without being detectable. Hence, on a trusted boot system, IMA can be used to attest to the system's runtime integrity.
-
-### Enabling IMA
-
-IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with the boot command line parameter 'ima_tcb'. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
+IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
+
+## Integrity Measurement Architecture (IMA-measurement)
+
+
+IMA-measurement is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack, without being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
+
+### Enabling IMA-measurement
+
+IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with a builtin  "ima_policy=" on the boot command line. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)

 To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check if '<securityfs>/integrity/ima' exists. If it exists, IMA is indeed enabled. On systems without IMA enabled, [recompile the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) with the config option 'CONFIG_IMA' enabled.

-### Controlling IMA
+### Controlling IMA-measurement

 IMA is controlled with several kernel command line parameters:

@@ -49,21 +49,25 @@

  (eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.)

+ima_policy= builtin policy
+Format:  ["tcb"|"appraise_tcb"|"secure-boot"]
+**NEW** Linux-4.13 default: no policy
+
 ima_template= template used
  Format: { "ima" | "ima-ng" | "ima-sig" }
- **NEW** Linux 3.13 default: "ima-ng"
+ Linux 3.13 default: "ima-ng"

 ima_hash= hash used
  Format: { "sha1" | "md5" | "sha256" | "sha512" | "wp512" | ... }
   'ima' template default: "sha1"
-  **NEW** Linux 3.13 default: "sha256"
-
- ima_tcb
+  Linux 3.13 default: "sha256"
+
+ ima_tcb [deprecated]
  If specified, enables the TCB policy, which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0.

-### IMA Measurements
-
-IMA maintains a runtime measurement list, which can be displayed as shown below.
+### IMA Measurement List
+
+IMA-measurements maintains a runtime measurement list, which can be displayed as shown below.

 - mount securityfs as /sys/kernel/security

@@ -74,7 +78,7 @@

 - display the runtime measurement list    (Only root is allowed access to securityfs files.)

-Example 1: ** NEW ** 'ima-ng' template
+Example 1: 'ima-ng' template
     $ su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'

     PCR     template-hash                           filedata-hash                           filename-hint
@@ -87,7 +91,15 @@
 template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname length, pathname)
 filedata-hash: sha256 hash(filedata)

-Example 2: 'ima' template
+
+Example 2:  'ima-sig' template (same format as ima-ng, but with an appended signature when present)
+
+    PCR     template-hash                           filedata-hash                           filename-hint                         file-signature
+    10 f63c10947347c71ff205ebfde5971009af27b0ba ima-sig sha256:6c118980083bccd259f069c2b3c3f3a2f5302d17a685409786564f4cf05b3939 /usr/lib64/libgspell-1.so.1.0.0   0302046e6c10460100aa43a4b1136f45735669632ad ...
+    10 595eb9bf805874b459ce073af158378f274ea961 ima-sig sha256:8632769297867a80a9614caa98034d992441e723f0b383ca529faa306c640638 /usr/lib64/gedit/plugins/libmodelines.so 0302046e6c104601002394b70ab93 ...
+
+
+Example 3: *original* 'ima' template

     PCR     template-hash                           filedata-hash                           filename-hint
     10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate

Home modified by mzohar

mzohar — Mon, 05 Feb 2018 18:15:47 -0000

--- v23
+++ v24
@@ -119,7 +119,7 @@

 ### Verifying IMA Measurements

-The IMA tests programs are part of the [Linux Test Project.](http://ltp.sourceforge.net/wiki "http://ltp.sourceforge.net/wiki")
+The IMA tests programs are part of the [Linux Test Project.](http://ltp.sourceforge.net/wiki "https://github.com/linux-test-project/ltp/wiki")

 - Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin.

Discussion for Home page

fpchct — Thu, 21 Sep 2017 02:04:19 -0000

In Ubuntu 16.04 I do the following steps to digitally signed.

@Enable EVM
echo "1" > /sys/kernel/security/evm

@Create keys folder
$ su -c 'mkdir -p /etc/keys'

@To create and save the kernel master key (user type):
$ su -c 'modprobe trusted encrypted'
$ su -c 'keyctl add user kmk-user "dd if=/dev/urandom bs=1 count=32 2>/dev/null" @u'
$ su -c 'keyctl pipe keyctl search @u user kmk-user > /etc/keys/kmk-user.blob'

@Create the EVM encrypted key
$ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u'
$ su -c 'keyctl pipe keyctl search @u encrypted evm-key >/etc/keys/evm-user.blob'

@generate unencrypted private key
openssl genrsa -out privkey_evm.pem 1024

@Image Labeling : whole file-system
sudo find / ( -fstype rootfs -o -fstype ext3 -o -fstype ext4 ) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;

sudo find / ( -fstype rootfs -o -fstype ext3 -o -fstype ext4 ) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl ima_sign --imahash '{}' -print \;

@check security.ima content
evmctl ima_sign --hashalgo sha256 --rsa --key /etc/keys/privkey_evm.pem -t f /home/my/test.sh
getfattr -e hex -m security -d /home/my/test.sh

In the last step, i can see the signature for tset.sh file.
However, i have no idea how to enable system verification function to prevent the no signature file be executed.
Does anyone can help it?
THX

Home modified by mzohar

mzohar — Thu, 08 Oct 2015 14:08:36 -0000

--- v22
+++ v23
@@ -123,17 +123,25 @@

 - Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin.

-    $ wget -O ltp-ima-standalone.tar http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone-v1.tar.gz
-    $ tar -xvzf ltp-ima-standalone.tar.gz
-    ima-tests/
-    ima-tests/test.h
+    $ wget -O ltp-ima-standalone-v2.tar.gz http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone-v2.tar.gz
+    $ tar -xvzf ltp-ima-standalone-v2.tar.gz
+    ima-tests/Makefile
     ima-tests/README
-    ima-tests/Makefile
-    ima-tests/ltp-tst-replacement.c
-    ima-tests/config.h
     ima-tests/ima_boot_aggregate.c
     ima-tests/ima_measure.c
     ima-tests/ima_mmap.c
+    ima-tests/ima_sigv2.c
+    ima-tests/ltp-tst-replacement.c
+    ima-tests/pkeys.c
+    ima-tests/rsa_oid.c
+    ima-tests/config.h
+    ima-tests/debug.h
+    ima-tests/hash_info.h
+    ima-tests/ima_sigv2.h
+    ima-tests/list.h
+    ima-tests/pkeys.h
+    ima-tests/rsa.h
+    ima-tests/test.h
     $ cd ima-tests
     $ make 
     $ su -c 'make install'