From: Subrata <sub...@us...> - 2009-03-31 13:58:22
Update of /cvsroot/ltp/ltp/testcases/kernel/security/integrity/ima In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv21227/ltp/testcases/kernel/security/integrity/ima Added Files: Makefile README Log Message: This patch adds Integrity Measurement Architecture(IMA) testing support: Changes: - updated README - add test for existence of openssl-devel (m4/ltp-crypto.m4) - add support for finding an audit message in different log files Signed-off-by: Mimi Zohar <zo...@us...>. --- NEW FILE: README --- These testcases test the Integrity Measurement Architecture(IMA). Requirements ------------ A kernel with IMA configured, mount with i_version support, openssl and openssl-devel packages, and auditd, if enabled, with the integrity patch, are required to build and run the IMA testsuite. - Enabling IMA in .config will also enable CRYPTO, SECURITYFS, TCG_TPM, and TPM_TIS. CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_AUDIT=y CONFIG_IMA_LSM_RULES=y - Both sysfs and securityfs if not mounted, will be mounted. - The testsuite must be executed with root priveleges so that it can access securityfs files, such as: security/ima/policy and security/ima/ascii_runtime_measurement. - Both openssl and openssl-devel must be installed, to build the testsuite. At runtime, if openssl is not installed, many of the tests will skipped. - auditd, if enabled, requires the integrity patch, which is available from https://www.redhat.com/archives/linux-audit/2009-March/msg00016.html. - In order to re-measure a file after it changes, the file system must be mounted with i_version support(Bugzilla 471593). [util-linux-ng-2.14.2-2.fc11.src.rpm] Add 'iversion' in /etc/fstab as: dev/hdb1 /home ext2 defaults,iversion 1 2 To mount the root partition with i_version support, 'iversion' must be added on the remount line in /etc/rc.sysinit: # Remount the root filesystem read-write. 
update_boot_stage RCmountfs if remount_needed ; then action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion / fi Dependency ---------- The testsuite is dependent on the default policy being enabled, which measures all executables, all files mmapped for execute and all files open for read by root. If the default policy has been replaced, loading another measurement policy will fail, as the policy may only be replaced once per boot. Some of the policy dependency tests might also fail as well. Run tests --------- After doing 'make' and 'make install' from the top-level, - execute './ltp-full-<version>/runltp -f ima' to run the entire testsuite. - To run individual tests, cd into the IMA directory: ./ltp-full-<version>/testcases/kernel/security/integrity/ima/tests/ and execute the individual scripts. System State after running the Testsuite ---------------------------------------- After running the testsuite, the default measurement policy has been replaced with an identical policy. If you want to install a different policy, such as an LSM specific one, a reboot is required. --- NEW FILE: Makefile --- SUBDIRS = src tests policy all: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i ; done install: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i install ; done clean: @set -e; for i in $(SUBDIRS); do $(MAKE) -C $$i clean ; done |
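Review bot: In the README Requirements list, the securityfs path is written as security/ima/ascii_runtime_measurement, but the kernel file is named ascii_runtime_measurements (plural), so anyone copying the path will not find it. In the same section the /etc/fstab sample line "dev/hdb1 /home ext2 defaults,iversion 1 2" is missing the leading slash on the device and should read /dev/hdb1. Also fix "priveleges" to "privileges", "many of the tests will skipped" to "will be skipped", and drop the doubled "also ... as well" in the Dependency paragraph. Since the measurement policy can only be replaced once per boot and the testsuite replaces it, consider stating that under Requirements or Run tests as well, not only in the closing "System State" section, so a reader sees it before running runltp -f ima as root.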
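Review bot: In the new Makefile, all three targets descend into src unconditionally, while the README says openssl-devel is required to build and the log message mentions a new m4/ltp-crypto.m4 check; nothing visible here uses the result of that check, so on a host without openssl-devel the top-level build will stop in this directory because of "set -e". Please either guard the recursion into src on the configure result or document that this directory must be skipped in that case. As a smaller point, all, install and clean should be declared .PHONY, and the "for i in $(SUBDIRS)" loop serializes the subdirectories and ignores make -k; per-directory targets would let src be an explicit prerequisite of tests if that ordering is required.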