Gentoo Archives: gentoo-commits

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
Date: Sat, 29 Dec 2012 18:18:38
Message-Id: 20121229181827.DEE252171D@flycatcher.gentoo.org
1 swift 12/12/29 18:18:27
2
3 Modified: ima-guide.xml
4 Log:
5 Add SELinux types to not measure/appraise
6
7 Revision Changes Path
8 1.6 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.6&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.5&r2=1.6
13
14 Index: ima-guide.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
17 retrieving revision 1.5
18 retrieving revision 1.6
19 diff -u -r1.5 -r1.6
20 --- ima-guide.xml 29 Dec 2012 13:11:04 -0000 1.5
21 +++ ima-guide.xml 29 Dec 2012 18:18:27 -0000 1.6
22 @@ -1,6 +1,6 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.5 2012/12/29 13:11:04 swift Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $ -->
27
28 <guide lang="en">
29 <title>Using Integrity Measurement Architecture in Gentoo</title>
30 @@ -21,7 +21,7 @@
31 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
32 <license version="3.0" />
33
34 -<version>5</version>
35 +<version>6</version>
36 <date>2012-12-29</date>
37
38 <chapter>
39 @@ -540,9 +540,36 @@
40 dont_appraise fsmagic=0xf97cff8c
41 <comment># CGROUP_SUPER_MAGIC = 0x27e0eb</comment>
42 dont_appraise fsmagic=0x27e0eb
43 -<comment># Do not measure all types that have the "logfile" SELinux attribute</comment>
44 -dont_measure obj_type=logfile
45 -dont_appraise obj_type=logfile
46 +<comment># Do not measure all types that have the "logfile" SELinux attribute
47 +# You can use seinfo -alogfile -x to get an overview of all these types</comment>
48 +dont_measure obj_type=initrc_var_log_t
49 +dont_measure obj_type=nscd_log_t
50 +dont_measure obj_type=auth_cache_t
51 +dont_measure obj_type=cron_log_t
52 +dont_measure obj_type=faillog_t
53 +dont_measure obj_type=lastlog_t
54 +dont_measure obj_type=puppet_log_t
55 +dont_measure obj_type=var_log_t
56 +dont_measure obj_type=wtmp_t
57 +dont_measure obj_type=portage_log_t
58 +dont_measure obj_type=getty_log_t
59 +dont_measure obj_type=rsync_log_t
60 +dont_measure obj_type=fsadm_log_t
61 +dont_measure obj_type=auditd_log_t
62 +dont_appraise obj_type=initrc_var_log_t
63 +dont_appraise obj_type=nscd_log_t
64 +dont_appraise obj_type=auth_cache_t
65 +dont_appraise obj_type=cron_log_t
66 +dont_appraise obj_type=faillog_t
67 +dont_appraise obj_type=lastlog_t
68 +dont_appraise obj_type=puppet_log_t
69 +dont_appraise obj_type=var_log_t
70 +dont_appraise obj_type=wtmp_t
71 +dont_appraise obj_type=portage_log_t
72 +dont_appraise obj_type=getty_log_t
73 +dont_appraise obj_type=rsync_log_t
74 +dont_appraise obj_type=fsadm_log_t
75 +dont_appraise obj_type=auditd_log_t
76 <comment># Remainder of the defaults</comment>
77 measure func=FILE_MMAP mask=MAY_EXEC
78 measure func=BPRM_CHECK mask=MAY_EXEC
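Review bot: the comment at the head of this block still says these are "all types that have the logfile SELinux attribute", but what is now written is a hand-expanded snapshot of that attribute (fourteen types, each listed once under dont_measure and once under dont_appraise). Any type that gains the logfile attribute in a later policy build will silently be measured and appraised again, so the comment should name the policy version the list was generated from and say that it must be regenerated with the `seinfo -alogfile -x` command it already cites after every policy update. It would also help to state why the attribute form was dropped: an `obj_type=` rule matches the type in a file's security label, not an attribute, which is why the removed `dont_measure obj_type=logfile` / `dont_appraise obj_type=logfile` lines could never match; without that sentence the next editor is likely to fold the list back into one rule. The two lists agree with each other (same fourteen types in both), and they precede the `measure func=...` rules as IMA's first-match ordering requires.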
79 @@ -559,6 +586,31 @@
80 the information you need.
81 </p>
82
83 +<p>
84 +Have the policy be loaded in as soon as possible, either in an initramfs or
85 +early in the boot process through an init script in the <e>sysinit</e> runlevel.
86 +I keep my policy in <path>/etc/ima</path> and use the following small init
87 +script to load it early on:
88 +</p>
89 +
90 +<pre caption="Init script to load a custom ima policy">
91 +#!/sbin/runscript
92 +# Copyright 1999-2012 Gentoo Foundation
93 +# Distributed under the terms of the GNU General Public License v2
94 +# $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.6 2012/12/29 18:18:27 swift Exp $
95 +
96 +description="Load in custom IMA policy"
97 +
98 +depend() {
99 + need sysfs
100 +}
101 +
102 +start() {
103 + ebegin "Loading custom IMA policy"
104 + cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy
105 + eend $?
106 +}
107 +</pre>
108 </body>
109 </section>
110 </chapter>
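Review bot: start() redirects the policy into securityfs with no check that the source exists, so a missing or misnamed /etc/ima/policy.conf surfaces only as cat's own error message; add `[ -f /etc/ima/policy.conf ] || { eerror "no IMA policy at /etc/ima/policy.conf"; return 1; }` before the redirect so the failure is explicit in the boot log. Two caveats belong in the paragraph above the script as well: the `obj_type=` rules introduced in the earlier hunk can only be parsed once the SELinux policy is loaded, so the "either in an initramfs" option holds only if that initramfs loads SELinux policy before writing the IMA policy; and on kernels that accept a single write to /sys/kernel/security/ima/policy a second `start` or a `restart` will fail, so the script should say it is one-shot (there is deliberately no stop()). `need sysfs` is the right dependency for securityfs being mounted, and `eend $?` correctly reports a rejected policy since a bad rule makes the write fail.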