Gentoo Archives: gentoo-commits

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
Date: Sat, 29 Dec 2012 13:11:19
Message-Id: 20121229131104.B863E2171D@flycatcher.gentoo.org
1 swift 12/12/29 13:11:04
2
3 Modified: ima-guide.xml
4 Log:
5 Add info on custom policies
6
7 Revision Changes Path
8 1.5 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.5&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.4&r2=1.5
13
14 Index: ima-guide.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
17 retrieving revision 1.4
18 retrieving revision 1.5
19 diff -u -r1.4 -r1.5
20 --- ima-guide.xml 28 Dec 2012 20:09:04 -0000 1.4
21 +++ ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5
22 @@ -1,6 +1,6 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.4 2012/12/28 20:09:04 swift Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->
27
28 <guide lang="en">
29 <title>Using Integrity Measurement Architecture in Gentoo</title>
30 @@ -21,8 +21,8 @@
31 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
32 <license version="3.0" />
33
34 -<version>4</version>
35 -<date>2012-12-28</date>
36 +<version>5</version>
37 +<date>2012-12-29</date>
38
39 <chapter>
40 <title>Purpose of IMA</title>
41 @@ -152,13 +152,14 @@
42 kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>
43
44 <comment># Only if IMA appraisal is wanted:</comment>
45 -kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
46 +kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=fix ima_appraise_tcb</i>
47 </pre>
48
49 <p>
50 -However, at the first boot, you will need to set <c>ima_appraise=fix</c>
51 -instead. Otherwise, your system will surely refuse to boot as no preregistered
52 -values are available.
53 +We currently set <c>ima_appraise=fix</c> because the integrity hashes have not
54 +been stored yet. If we would run with <c>ima_appraise=enforce</c> immediately,
55 +the system would simply refuse to boot properly as all file accesses would be
56 +denied. We will switch to <c>ima_appraise=enforce</c> later.
57 </p>
58
59 </body>
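Review bot: the replacement paragraph ("the system would simply refuse to boot properly as all file accesses would be denied") overstates the failure. With `ima_appraise_tcb` the built-in appraise rule is `appraise fowner=0` (it is reproduced verbatim in the custom policy added later in this patch), so only root-owned files are appraised and it is those opens that fail; suggest "as every access to a root-owned file without a stored hash would be denied". The `<comment># Only if IMA appraisal is wanted:</comment>` line directly above the changed kernel line now sits on top of an `ima_appraise=fix` example; extend it to something like "# Only if IMA appraisal is wanted (first boot, hashes not stored yet):" so a reader does not copy fix mode as the permanent setting.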
60 @@ -195,6 +196,17 @@
61 /dev/vda1 / ext4 noatime<i>,iversion</i> 1 2
62 </pre>
63
64 +<p>
65 +For the root file system, you might want to enable it through the
66 +<c>rootflags</c> kernel parameter as well so that it gets mounted immediately
67 +with i_version support when the Linux kernel mounts the root file system.
68 +</p>
69 +
70 +<pre caption="Using rootflags in the bootloader configuration">
71 +<comment># Example kernel line for a GRUB setup</comment>
72 +kernel /boot/kernel root=/dev/vg/root rootflags=i_version dolvm ima_tcb ima_appraise=enforce ima_appraise_tcb
73 +</pre>
74 +
75 </body>
76 </section>
77 </chapter>
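Review bot: the added GRUB line (`kernel /boot/kernel root=/dev/vg/root rootflags=i_version dolvm ima_tcb ima_appraise=enforce ima_appraise_tcb`) contradicts the hunk just above, which tells the reader to boot with `ima_appraise=fix` until the hashes have been stored; either use `ima_appraise=fix` here with a comment, or say explicitly that this is the final configuration. The example also switches from `/boot/vmlinuz` and `root=/dev/vda1`, used earlier in the guide, to `/boot/kernel`, an LVM root and `dolvm`, which implies an initramfs is doing the mount; the sentence "when the Linux kernel mounts the root file system" should then say whether that initramfs passes `rootflags` on, otherwise the option never reaches the file system. Finally, the fstab line keeps `iversion` while the kernel line uses `i_version`; if both spellings are intended, one sentence saying so will keep readers from "correcting" one of them.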
78 @@ -310,7 +322,8 @@
79 <p>
80 Finally, reboot with <c>ima_appraise=enforce</c>. The system should now run with
81 appraisal enabled, causing the system to validate the hash against the stored
82 -value before using it. If it doesn't match, then the file is not loaded. If it
83 +value before using it. If it doesn't match, then the file is not loaded and any
84 +access towards it will be denied with a <e>Permission denied</e> error. If it
85 does match, and afterwards the file is modified, then the new hash is stored as
86 extended attribute.
87 </p>
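Review bot: "then the file is not loaded" fits executables and mmap'ed libraries, but the tcb appraise rule carried over in this patch (`appraise fowner=0`) applies to every open of a root-owned file, so the denial covers plain reads as well; suggest "then the open is refused and the access is denied with a Permission denied error". The FAQ section added at the end of this patch points at `dmesg` and the audit log for diagnosing refused policies; a cross-reference here to those same places for diagnosing a refused file would save a reader whose service suddenly fails to start.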
88 @@ -477,6 +490,77 @@
89
90 </body>
91 </section>
92 +<section>
93 +<title>How do I load in my own, custom IMA policy?</title>
94 +<body>
95 +
96 +<p>
97 +You can load in an IMA policy by <c>cat</c>'ing it into
98 +<path>/sys/kernel/security/ima/policy</path>. If the policy is accepted, then
99 +the command will succeed and the <path>policy</path> (pseudo)file will disappear
100 +(this is by design, so that malicious users cannot alter the policy once
101 +loaded).
102 +</p>
103 +
104 +<p>
105 +Below is an example custom policy, taken from the default one with one addition:
106 +ask it not to measure and appraise log files (through the use of the SELinux
107 +<c>logfile</c> attribute).
108 +</p>
109 +
110 +<pre caption="Example IMA custom policy">
111 +<comment># Magics can be found in kernel/include/uapi/linux/magic.h
112 +# Default can be found in security/integrity/ima/ima_policy.c
113 +# PROC_SUPER_MAGIC = 0x9fa0</comment>
114 +dont_measure fsmagic=0x9fa0
115 +dont_appraise fsmagic=0x9fa0
116 +<comment># SYSFS_MAGIC = 0x62656572</comment>
117 +dont_measure fsmagic=0x62656572
118 +dont_appraise fsmagic=0x62656572
119 +<comment># DEBUGFS_MAGIC = 0x64626720</comment>
120 +dont_measure fsmagic=0x64626720
121 +dont_appraise fsmagic=0x64626720
122 +<comment># TMPFS_MAGIC = 0x01021994</comment>
123 +dont_measure fsmagic=0x01021994
124 +dont_appraise fsmagic=0x01021994
125 +<comment># RAMFS_MAGIC = 0x858458f6</comment>
126 +dont_measure fsmagic=0x858458f6
127 +dont_appraise fsmagic=0x858458f6
128 +<comment># DEVPTS_SUPER_MAGIC = 0x1cd1</comment>
129 +dont_measure fsmagic=0x1cd1
130 +dont_appraise fsmagic=0x1cd1
131 +<comment># BINFMTFS_MAGIC = 0x42494e4d</comment>
132 +dont_measure fsmagic=0x42494e4d
133 +dont_appraise fsmagic=0x42494e4d
134 +<comment># SECURITYFS_MAGIC = 0x73636673</comment>
135 +dont_measure fsmagic=0x73636673
136 +dont_appraise fsmagic=0x73636673
137 +<comment># SELINUX_MAGIC = 0xf97cff8c</comment>
138 +dont_measure fsmagic=0xf97cff8c
139 +dont_appraise fsmagic=0xf97cff8c
140 +<comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
141 +dont_appraise fsmagic=0x27e0eb
142 +<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
143 +dont_measure obj_type=logfile
144 +dont_appraise obj_type=logfile
145 +<comment># Remainder of the defaults</comment>
146 +measure func=FILE_MMAP mask=MAY_EXEC
147 +measure func=BPRM_CHECK mask=MAY_EXEC
148 +measure func=FILE_CHECK mask=MAY_READ uid=0
149 +appraise fowner=0
150 +</pre>
151 +
152 +<p>
153 +Make sure no empty lines are in the policy; if not, it will be refused. You can
154 +check the output of <c>dmesg</c> for hints why the policy was refused (it shows
155 +what was accepted, so the next line would be a not-accepted line), or the audit
156 +logs (but you will need to have <c>auditd</c> running) if you get lines such as
157 +<e>audit_printk_skb: XX callbacks suppressed</e> as you then might not have all
158 +the information you need.
159 +</p>
160 +
161 +</body>
162 +</section>
163 </chapter>
164
165 <!-- Damn, need access to a TPM-powered system myself to try this out
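Review bot: the comment "Do not measure all types that have the logfile SELinux attribute" needs verification before this goes out: `obj_type=` takes a type name, and nothing in the text shows that an attribute name is expanded to its member types. A quick check on an SELinux box is to open, as root, a file labelled with a concrete type that carries the `logfile` attribute and confirm it does not show up in `/sys/kernel/security/ima/ascii_runtime_measurements`; if only concrete types match, the two `obj_type=logfile` rules are silent no-ops and the comment is misleading. Smaller points in the same hunk: "Make sure no empty lines are in the policy; if not, it will be refused" should read "otherwise it will be refused"; the example depends on the `dont_measure`/`dont_appraise` lines being listed before the `measure`/`appraise` defaults, but the text never says that rule order matters, so a sentence to that effect (and that loading a custom policy replaces the built-in `ima_tcb`/`ima_appraise_tcb` rules, hence "Remainder of the defaults") would stop readers from appending their exclusions at the bottom; and the CGROUP block has only `dont_appraise` with no `dont_measure`, which should carry a comment saying it mirrors the kernel default rather than looking like an omission.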