swift 12/12/29 18:18:27 |
Modified: ima-guide.xml |
Log: |
Add SELinux types to not measure/appraise |
Revision Changes Path |
1.6 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.5&r2=1.6 |
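--- a/ima-guide.xml
+++ b/ima-guide.xml
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $ -->
 
 <guide lang="en">
 <title>Using Integrity Measurement Architecture in Gentoo</title>
@@ -21,7 +21,7 @@
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 <license version="3.0" />
 
-<version>5</version>
+<version>6</version>
 <date>2012-12-29</date>
 
 <chapter>
@@ -540,9 +540,36 @@
 dont_appraise fsmagic=0xf97cff8c
 <comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
 dont_appraise fsmagic=0x27e0eb
-<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
-dont_measure obj_type=logfile
-dont_appraise obj_type=logfile
+<comment># Do not measure all types that have the "logfile" SELinux attribute
+# You can use seinfo -alogfile -x to get an overview of all these types</comment>
+dont_measure obj_type=initrc_var_log_t
+dont_measure obj_type=nscd_log_t
+dont_measure obj_type=auth_cache_t
+dont_measure obj_type=cron_log_t
+dont_measure obj_type=faillog_t
+dont_measure obj_type=lastlog_t
+dont_measure obj_type=puppet_log_t
+dont_measure obj_type=var_log_t
+dont_measure obj_type=wtmp_t
+dont_measure obj_type=portage_log_t
+dont_measure obj_type=getty_log_t
+dont_measure obj_type=rsync_log_t
+dont_measure obj_type=fsadm_log_t
+dont_measure obj_type=auditd_log_t
+dont_appraise obj_type=initrc_var_log_t
+dont_appraise obj_type=nscd_log_t
+dont_appraise obj_type=auth_cache_t
+dont_appraise obj_type=cron_log_t
+dont_appraise obj_type=faillog_t
+dont_appraise obj_type=lastlog_t
+dont_appraise obj_type=puppet_log_t
+dont_appraise obj_type=var_log_t
+dont_appraise obj_type=wtmp_t
+dont_appraise obj_type=portage_log_t
+dont_appraise obj_type=getty_log_t
+dont_appraise obj_type=rsync_log_t
+dont_appraise obj_type=fsadm_log_t
+dont_appraise obj_type=auditd_log_t
 <comment># Remainder of the defaults</comment>
 measure func=FILE_MMAP mask=MAY_EXEC
 measure func=BPRM_CHECK mask=MAY_EXEC
@@ -559,6 +586,31 @@
 the information you need.
 </p>
 
+<p>
+Have the policy be loaded in as soon as possible, either in an initramfs or
+early in the boot process through an init script in the <e>sysinit</e> runlevel.
+I keep my policy in <path>/etc/ima</path> and use the following small init
+script to load it early on:
+</p>
+
+<pre caption="Init script to load a custom ima policy">
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $
+
+description="Load in custom IMA policy"
+
+depend() {
+ need sysfs
+}
+
+start() {
+ ebegin "Loading custom IMA policy"
+ cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy
+ eend $?
+}
+</pre>
 </body>
 </section>
 </chapter>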
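Review bot: The new `start()` at the end of the last hunk reports failure only through `eend $?` after `cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy`, so a missing policy file, an unmounted securityfs and a policy the kernel rejects all collapse into the same bare `cat` error in the boot log; a guard such as `[ -r /etc/ima/policy.conf ] || { eerror "No IMA policy found at /etc/ima/policy.conf"; return 1; }` placed before the `ebegin` would at least separate the first case. The script also cannot tell that a policy is already loaded: on kernels of that period the securityfs `policy` entry is removed after a successful load (confirm for the kernel versions the guide targets), in which case a second `start` or a `restart` fails, and the paragraph above the script could say that the policy can be written only once per boot. That paragraph presents an initramfs and a sysinit init script as equivalent, but with the init script the policy file itself is read from the root filesystem before any appraisal is active, so its integrity rests entirely on that filesystem; one sentence noting this trade-off would help readers choose. In the third hunk the comment now points to `seinfo -alogfile -x` for the type list, and it would be worth adding to that comment that the enumerated `obj_type` rules are a snapshot that must be regenerated whenever the SELinux policy changes, since a new type carrying the attribute will otherwise be measured and appraised.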