swift 12/12/29 13:11:04

Modified: ima-guide.xml
Log:
Add info on custom policies

Revision Changes Path
1.5 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.4&r2=1.5

Index: ima-guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- ima-guide.xml 28 Dec 2012 20:09:04 -0000 1.4
+++ ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.4 2012/12/28 20:09:04 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->

<guide lang="en">
<title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,8 +21,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
<license version="3.0" />

-<version>4</version>
-<date>2012-12-28</date>
+<version>5</version>
+<date>2012-12-29</date>

<chapter>
<title>Purpose of IMA</title>
@@ -152,13 +152,14 @@
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>

<comment># Only if IMA appraisal is wanted:</comment>
-kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
+kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=fix ima_appraise_tcb</i>
</pre>

<p>
-However, at the first boot, you will need to set <c>ima_appraise=fix</c>
-instead. Otherwise, your system will surely refuse to boot as no preregistered
-values are available.
+We currently set <c>ima_appraise=fix</c> because the integrity hashes have not
+been stored yet. If we would run with <c>ima_appraise=enforce</c> immediately,
+the system would simply refuse to boot properly as all file accesses would be
+denied. We will switch to <c>ima_appraise=enforce</c> later.
</p>

</body>
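Review bot: the bootloader example now shows `ima_appraise=fix` directly under the comment `# Only if IMA appraisal is wanted:`, which reads as the permanent setting; a reader who copies that line and never returns to it keeps running in fix mode, where IMA stores or rewrites hashes instead of enforcing them. Suggest the comment carry the caveat, e.g. `# Only if IMA appraisal is wanted (first boot; switch to enforce once the hashes are stored):`. In the new paragraph, "If we would run with" should be "If we were to run with", and since `ima_appraise_tcb` appraises root-owned files (`appraise fowner=0` in the policy added later in this patch), "all file accesses would be denied" overstates it; "accesses to appraised files" is more accurate.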
@@ -195,6 +196,17 @@
/dev/vda1 / ext4 noatime<i>,iversion</i> 1 2
</pre>

+<p>
+For the root file system, you might want to enable it through the
+<c>rootflags</c> kernel parameter as well so that it gets mounted immediately
+with i_version support when the Linux kernel mounts the root file system.
+</p>
+
+<pre caption="Using rootflags in the bootloader configuration">
+<comment># Example kernel line for a GRUB setup</comment>
+kernel /boot/kernel root=/dev/vg/root rootflags=i_version dolvm ima_tcb ima_appraise=enforce ima_appraise_tcb
+</pre>
+
</body>
</section>
</chapter>
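Review bot: the new `rootflags` example carries `ima_appraise=enforce`, while the bootloader example earlier in this patch was just changed to `ima_appraise=fix` for the initial boot; a reader who copies this line onto a fresh system runs straight into the boot failure the previous hunk warns about. Suggest showing `ima_appraise=fix` here as well, or adding a comment that `enforce` is the end state once the hashes are stored. Also, the fstab context line spells the option `iversion` while the kernel line uses `i_version`; a short note on why the two spellings differ would stop readers from treating one of them as a typo.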
@@ -310,7 +322,8 @@
<p>
Finally, reboot with <c>ima_appraise=enforce</c>. The system should now run with
appraisal enabled, causing the system to validate the hash against the stored
-value before using it. If it doesn't match, then the file is not loaded. If it
+value before using it. If it doesn't match, then the file is not loaded and any
+access towards it will be denied with a <e>Permission denied</e> error. If it
does match, and afterwards the file is modified, then the new hash is stored as
extended attribute.
</p>
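Review bot: "any access towards it will be denied" should read "any access to it will be denied"; the added sentence is otherwise a useful concrete symptom for readers debugging an enforce-mode boot.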
@@ -477,6 +490,77 @@

</body>
</section>
+<section>
+<title>How do I load in my own, custom IMA policy?</title>
+<body>
+
+<p>
+You can load in an IMA policy by <c>cat</c>'ing it into
+<path>/sys/kernel/security/ima/policy</path>. If the policy is accepted, then
+the command will succeed and the <path>policy</path> (pseudo)file will disappear
+(this is by design, so that malicious users cannot alter the policy once
+loaded).
+</p>
+
+<p>
+Below is an example custom policy, taken from the default one with one addition:
+ask it not to measure and appraise log files (through the use of the SELinux
+<c>logfile</c> attribute).
+</p>
+
+<pre caption="Example IMA custom policy">
+<comment># Magics can be found in kernel/include/uapi/linux/magic.h
+# Default can be found in security/integrity/ima/ima_policy.c
+# PROC_SUPER_MAGIC = 0x9fa0</comment>
+dont_measure fsmagic=0x9fa0
+dont_appraise fsmagic=0x9fa0
+<comment># SYSFS_MAGIC = 0x62656572</comment>
+dont_measure fsmagic=0x62656572
+dont_appraise fsmagic=0x62656572
+<comment># DEBUGFS_MAGIC = 0x64626720</comment>
+dont_measure fsmagic=0x64626720
+dont_appraise fsmagic=0x64626720
+<comment># TMPFS_MAGIC = 0x01021994</comment>
+dont_measure fsmagic=0x01021994
+dont_appraise fsmagic=0x01021994
+<comment># RAMFS_MAGIC = 0x858458f6</comment>
+dont_measure fsmagic=0x858458f6
+dont_appraise fsmagic=0x858458f6
+<comment># DEVPTS_SUPER_MAGIC = 0x1cd1</comment>
+dont_measure fsmagic=0x1cd1
+dont_appraise fsmagic=0x1cd1
+<comment># BINFMTFS_MAGIC = 0x42494e4d</comment>
+dont_measure fsmagic=0x42494e4d
+dont_appraise fsmagic=0x42494e4d
+<comment># SECURITYFS_MAGIC = 0x73636673</comment>
+dont_measure fsmagic=0x73636673
+dont_appraise fsmagic=0x73636673
+<comment># SELINUX_MAGIC = 0xf97cff8c</comment>
+dont_measure fsmagic=0xf97cff8c
+dont_appraise fsmagic=0xf97cff8c
+<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
+dont_appraise fsmagic=0x27e0eb
+<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
+dont_measure obj_type=logfile
+dont_appraise obj_type=logfile
+<comment># Remainder of the defaults</comment>
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=BPRM_CHECK mask=MAY_EXEC
+measure func=FILE_CHECK mask=MAY_READ uid=0
+appraise fowner=0
+</pre>
+
+<p>
+Make sure no empty lines are in the policy; if not, it will be refused. You can
+check the output of <c>dmesg</c> for hints why the policy was refused (it shows
+what was accepted, so the next line would be a not-accepted line), or the audit
+logs (but you will need to have <c>auditd</c> running) if you get lines such as
+<e>audit_printk_skb: XX callbacks suppressed</e> as you then might not have all
+the information you need.
+</p>
+
+</body>
+</section>
</chapter>

<!-- Damn, need access to a TPM-powered system myself to try this out
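Review bot: the `dont_measure obj_type=logfile` / `dont_appraise obj_type=logfile` rules are only accepted when the kernel was built with IMA LSM rule support and an LSM that backs them (SELinux here) is active; on a system without that, the policy load is refused at exactly that line, and the paragraph introducing the example should state the prerequisite so readers can tell this failure from a formatting mistake. The comment above those two rules says "Do not measure" but the pair also disables appraisal; "Do not measure or appraise" matches the rules. In the closing paragraph, "Make sure no empty lines are in the policy; if not, it will be refused" says the opposite of what is meant; "otherwise it will be refused" is clearer.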