swift 12/12/27 20:32:39

  Modified: ima-guide.xml
  Log:
  Further updates on IMA

Revision  Changes    Path
1.3                  xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.2&r2=1.3

Index: ima-guide.xml |
=================================================================== |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v |
retrieving revision 1.2 |
retrieving revision 1.3 |
diff -u -r1.2 -r1.3 |
--- ima-guide.xml 26 Dec 2012 20:07:30 -0000 1.2 |
+++ ima-guide.xml 27 Dec 2012 20:32:39 -0000 1.3 |
@@ -1,6 +1,6 @@ |
<?xml version='1.0' encoding='UTF-8'?> |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.2 2012/12/26 20:07:30 swift Exp $ --> |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.3 2012/12/27 20:32:39 swift Exp $ --> |
|
<guide lang="en"> |
<title>Using Integrity Measurement Architecture in Gentoo</title> |
@@ -21,8 +21,8 @@ |
<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> |
<license version="3.0" /> |
|
-<version>2</version> |
-<date>2012-12-26</date> |
+<version>3</version> |
+<date>2012-12-27</date> |
|
<chapter> |
<title>Purpose of IMA</title> |
@@ -48,8 +48,8 @@ |
</p> |
|
<p> |
-With a pending patch, called the <e>IMA appraisal patch</e>, |
-the IMA subsystem can even register the measured |
+Since kernel 3.7, an additional patch, called the <e>IMA appraisal patch</e>, |
+has been merged within the IMA subsystem so it can even register the measured |
value as an extended attribute, and after subsequent measurement(s) |
validate this extended attribute against the measured value and refuse |
to load the file (or execute the application) if the hash does not match. |
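Review bot: the rewritten sentence still describes appraisal as "an additional patch ... merged within the IMA subsystem", while every other hunk in this commit drops the word "patch" now that the code is in mainline; for consistency say "Since kernel 3.7 the IMA subsystem also supports appraisal: it can register the measured value as an extended attribute ...", and "merged within" should be "merged into".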
@@ -81,6 +81,36 @@ |
|
</body> |
</section> |
+<section> |
+<title>The Big Fat Warnings</title> |
+<body> |
+ |
+<p> |
+Using IMA on your system is currently only recommended for development purposes. |
+Gentoo Hardened is working on integrating IMA properly, so please be aware |
+that: |
+</p> |
+ |
+<ul> |
+ <li> |
+ users might be able to have your machine run out of (kernel) memory by |
+ having (root-owned) processes generate new files over and over again, which |
+ all get measured and their hashes stored |
+ </li> |
+ <li> |
+ the system might have issues booting if not all files have their hash |
+ registered properly; you are easily warned if this is the case through the |
+ Linux audit subsystem |
+ </li> |
+</ul> |
+ |
+<p> |
+We are working on fine-tuning the default policies so that measurements only |
+occur on legitimate resources. |
+</p> |
+ |
+</body> |
+</section> |
</chapter> |
|
<chapter> |
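Review bot: the first warning in the new "Big Fat Warnings" section is internally inconsistent: it opens with "users" but the mechanism it describes needs "(root-owned) processes". Under the tcb policy every newly measured file adds an entry to the in-kernel measurement list, which is not pruned, and that is the kernel-memory exhaustion the bullet is after; say that an unprivileged user only needs to get a root-owned process (a daemon, a setuid program) to create or read fresh files in a loop. The second bullet says the audit subsystem warns you but not how to get back into a system that stopped booting in enforce mode; since this guide later tells the reader to boot with ima_appraise=off, mention that here as the recovery path, and spell out that the warning appears in the audit log (dmesg or auditd), which nobody sees if the failure happens before logging is up.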
@@ -91,10 +121,9 @@ |
|
<p> |
First of all, enable the IMA subsystem in the Linux kernel configuration. |
-IMA is supported in the main tree since 2.6.30, and it is expected that |
-the IMA appraisal patch (needed when you want the system to stop if it |
-detects an off-line modified file) will hit the main tree with Linux |
-3.7. |
+IMA is supported in the main tree since 2.6.30, and IMA appraisal (needed when |
+you want the system to stop if it detects an off-line modified file) is merged |
+in the main tree since 3.7. |
</p> |
|
<pre caption="Linux kernel configuration for IMA"> |
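Review bot: grammar in the rewritten paragraph: "is merged in the main tree since 3.7" should be "has been in the mainline tree since 3.7", and "off-line modified file" reads better as "file modified offline". The parenthetical is also the only place the guide explains what appraisal is for (stopping on an offline-modified file); consider moving it into the Purpose chapter where appraisal is introduced.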
@@ -104,7 +133,7 @@ |
CONFIG_IMA_AUDIT=y |
CONFIG_IMA_LSM_RULES=y |
|
-<comment># Only if the IMA appraisal patch is available:</comment> |
+<comment># Since 3.7:</comment> |
CONFIG_INTEGRITY_SIGNATURE=y |
CONFIG_IMA_APPRAISE=y |
</pre> |
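Review bot: the new comment "# Since 3.7:" loses the conditional the old one expressed. Both options are only needed when appraisal is wanted (the matching bootloader hunk still says "Only if IMA appraisal is wanted"), and CONFIG_INTEGRITY_SIGNATURE in particular is only required for the signed-file setup (evmctl sign --imasig) later in the guide; hash-only appraisal needs just CONFIG_IMA_APPRAISE. Suggest "# Since 3.7, only if IMA appraisal is wanted:" and a second comment above CONFIG_INTEGRITY_SIGNATURE=y noting it is for verifying digital signatures in security.ima.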
@@ -122,7 +151,7 @@ |
<pre caption="Bootloader configuration to enable IMA TCB policy"> |
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i> |
|
-<comment># Only if IMA appraisal patch is enabled:</comment> |
+<comment># Only if IMA appraisal is wanted:</comment> |
kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i> |
</pre> |
|
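Review bot: the example goes straight to ima_appraise=enforce, but the warnings section added earlier in this commit says the system may not boot if files lack their hash, and the step that registers the hashes comes several sections later. State here that the first boots after enabling CONFIG_IMA_APPRAISE must not use enforce (the guide itself boots with ima_appraise=off in its test step, and the kernel's ima_appraise=fix mode is what writes a missing hash on access) and that enforce is the last step of the procedure, not the first. Otherwise a reader following the guide top to bottom locks themselves out at this point.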
@@ -240,7 +269,7 @@ |
<body> |
|
<note> |
-This is only applicable when IMA appraisal patch is enabled. |
+This is only applicable when IMA appraisal is enabled. |
</note> |
|
<p> |
@@ -251,13 +280,21 @@ |
<p> |
Next, have all files on the file system checked and their value stored as an |
extended attribute. This is done by reading all files that the default appraisal |
-policy will check and take action on (which is all root-owned files). |
+policy will check and take action on (which is all root-owned files). Note that |
+this can take a long time... |
</p> |
|
<pre caption="Registering all files"> |
-~# <i>find / \( -fstype rootfs -o -fstype ext4 -a -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i> |
+~# <i>find / \( -fstype rootfs -o -fstype ext4 \) -type -uid 0 -exec head -n 1 '{}' > /dev/null \;</i> |
</pre> |
|
+<p> |
+You might also need to bind-mount the root file system somewhere (like on |
+<path>/mnt/gentoo</path>) and do the same for the <path>lib64/rc/init.d</path> |
+location as well as other locations that contain files but become hidden once |
+the system mounts another file system on top of it. |
+</p> |
+ |
<p> |
When done, you should be able to see the registered hash value as an extended |
attribute: |
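Review bot: the rewritten find command in "Registering all files" is broken: when `-a -type f` was moved out of the parentheses, `-type` lost its argument, so `\( -fstype rootfs -o -fstype ext4 \) -type -uid 0` makes find reject `-type -uid` and nothing gets registered. It should read `find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' > /dev/null \;` (the previous form with `-a -type f` inside the group was also correct). The paragraph should also say which appraisal mode the kernel is in while this runs: in enforce mode opening a file without security.ima is denied with cause="missing-hash", exactly as the FAQ hunk in this same commit shows for /etc/mtab, and no xattr is written; the hash is only stored on such a read in the kernel's ima_appraise=fix mode. Reading one line is enough because the hook fires on open and the kernel hashes the whole file itself; worth a sentence so readers do not "fix" head into cat. The new bind-mount paragraph is a good addition; the trailing "..." after "long time" can go.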
@@ -281,7 +318,8 @@ |
<p> |
You can check if this works by booting with <c>ima_appraise=off</c> and changing |
the contents of a root-owned file (or the value of the extended attribute) and |
-reboot with <c>ima_appraise=enforce</c>. |
+reboot with <c>ima_appraise=enforce</c>, or by directly editing virtual guest |
+images. |
</p> |
|
</body> |
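Review bot: "or by directly editing virtual guest images" should say what to edit: changing a root-owned file's contents from outside the guest while leaving security.ima untouched is the offline-modification case appraisal is meant to catch. The same paragraph is the right place for a caveat the guide currently lacks: a plain hash in security.ima is not bound to any key, so whoever can edit the image (or the xattr, as the paragraph already allows) can also recompute the hash to match the new contents; catching that requires a signature the attacker cannot produce, which is what the next section introduces. Stating this keeps readers from concluding that hash-only appraisal defends against an attacker with offline write access.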
@@ -302,9 +340,23 @@ |
<p> |
To sign such immutable files (like kernel modules and application code), you |
need to use the <c>evmctl</c> command provided by the |
-<path>sys-admin/ima-evm-utils</path> package: |
+<path>sys-admin/ima-evm-utils</path> package (currently only available in the |
+hardened-dev overlay). But first, setup the kernel keyring: |
</p> |
|
+<pre caption="Loading the public key in the IMA keyring"> |
+~# <i>ima_id=`keyctl newring _ima @u`</i> |
+~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i> |
+</pre> |
+ |
+<p> |
+This allows the IMA subsystem to validate the signature (which is also needed |
+when initially setting the signature) by loading the public key onto the IMA |
+keyring. You will need to do this every time the system boots, so it makes |
+sense to do so within an initramfs (early in the boot process): |
+</p> |
+ |
+ |
<pre caption="Signing files to mark them as immutable"> |
~# <i>find /lib/modules -name "*.ko" -type f -uid 0 -exec \ |
evmctl sign --imasig '{}' /path/to/rsa_private.pem \;</i> |
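Review bot: moving the keyring setup ahead of the signing step is the right order, but "(which is also needed when initially setting the signature)" is left unexplained; the point is that once security.ima holds a signature instead of a hash, every later open of that file verifies it, so the public key must be on the _ima keyring before any signed file is touched again, including kernel modules loaded from /lib/modules early in boot. Say that the initramfs step has to run before the first signed file is opened, and that `keyctl newring _ima @u` attaches the keyring to the invoking user's (root's) user keyring, which the kernel then finds by its name. Style: the hunk leaves two consecutive blank lines before `<pre caption="Signing files to mark them as immutable">`; drop one.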
@@ -326,15 +378,101 @@ |
</pre> |
|
<p> |
-To allow the IMA subsystem to validate the signature, you will need to load the |
-public key onto the IMA keyring. You will need to do this every time the system |
-boots, so it makes sense to do so within an initramfs (early in the boot |
-process): |
+Immutable file support is mainly used to digitally sign the Linux kernel and the |
+kernel modules and is supported through the EVM technology (which we will |
+discuss in different documentation) but works well on ELF and other binaries as |
+well. |
</p> |
|
-<pre caption="Loading the public key in the IMA keyring"> |
-~# <i>ima_id=`keyctl newring _ima @u`</i> |
-~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i> |
+</body> |
+</section> |
+</chapter> |
+ |
+<chapter> |
+<title>Asked Questions with Answers</title> |
+<section> |
+<title>How do I know IMA with appraisal is working?</title> |
+<body> |
+ |
+<p> |
+This is as simple as finding a file that does not have its hash value stored as |
+an extended attribute while ima_appraise is in enforcing mode. |
+</p> |
+ |
+<pre caption="Checking if IMA with appraisal is working"> |
+# <i>getfattr -m . -d /etc/mtab</i> |
+getfattr: Removing leading '/' from absolute path names |
+# file: etc/mtab |
+security.selinux="system_u:object_r:etc_runtime_t" |
+ |
+# <i>cat /etc/mtab</i> |
+cat: /etc/mtab: Permission denied |
+ |
+# <i>dmesg | tail -1</i> |
+[ 256.756465] type=1800 audit(1356637858.947:53): pid=3852 uid=0 auid=0 ses=2 |
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="missing-hash" comm="cat" |
+name="/etc/mtab" dev="dm-2" ino=394144 res=0 |
+</pre> |
+ |
+<p> |
+In the above example, the IMA subsystem reports that the <path>/etc/mtab</path> |
+file misses its hash value (which should be stored as <e>security.ima</e>) and |
+as such is denying the <c>cat</c> application access to it. |
+</p> |
+ |
+<p> |
+If you can miss the file (such as with <path>/etc/mtab</path>) you can remove it |
+and regenerate it if you wish: |
+</p> |
+ |
+<pre caption="Regenerating file"> |
+# <i>rm /etc/mtab</i> |
+# <i>cat /proc/mounts > /etc/mtab</i> |
+# <i>restorecon /etc/mtab</i> <comment># If using SELinux</comment> |
+# <i>evmctl ima_hash /etc/mtab</i> |
+# <i>getfattr -m . -d /etc/mtab</i> |
+getfattr: Removing leading '/' from absolute path names |
+# file: etc/mtab |
+security.ima=0sAUlIU5ffoobWOh0FsSIbgh9Ac8YK |
+security.selinux="root:object_r:etc_runtime_t" |
+</pre> |
+ |
+</body> |
+</section> |
+<section> |
+<title>I was able to edit an 'immutable' file and still run it. How come?</title> |
+<body> |
+ |
+<p> |
+If you digitally signed a script using <c>evmctl sign --imasig <file> |
+<private-key></c> and then edited the file with <c>vim</c>, then this |
+behavior is to be expected. <c>vim</c> removes the original file and replaces it |
+with a new one. The newly created file is given an appropriate hash (but no |
+digital signature of course) and thus you can still execute it. |
+</p> |
+ |
+<p> |
+The use of digital signatures is more for kernel modules and ELF binaries. But |
+below an example of how it does work - if you edit the file rather than replace |
+it. |
+</p> |
+ |
+<pre caption="Example of digitally signed file"> |
+# <i>evmctl sign --imasig ./test.sh /root/rsa_private.pem</i> |
+# <i>./test.sh</i> |
+Hello World (again) |
+# echo "echo \"And now...\"" >> test.sh |
+# <i>./test.sh</i> |
+bash: ./test.sh: Permission denied |
+# <i>cat test.sh</i> |
+cat: test.sh: Permission denied |
+# <i>dmesg | tail -2</i> |
+[ 643.211490] type=1800 audit(1356639603.315:37): pid=3956 uid=0 auid=0 ses=3 |
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature" |
+comm="bash" name="/bin/test.sh" dev="dm-2" ino=131466 res=0 |
+[ 649.123917] type=1800 audit(1356639609.227:38): pid=3958 uid=0 auid=0 ses=3 |
+subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature" |
+comm="cat" name="/bin/test.sh" dev="dm-2" ino=131466 res=0 |
</pre> |
|
</body> |
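Review bot: this hunk will not validate as GuideXML: `<c>evmctl sign --imasig <file> <private-key></c>` puts raw `<file>` and `<private-key>` into the document, which the parser reads as (undefined) elements; escape them as `&lt;file&gt; &lt;private-key&gt;`. On substance, the vim answer is the most important sentence in the new chapter and should be stated as the rule rather than as a surprise: the default tcb appraisal policy accepts a plain hash, so replacing a signed file with an unsigned copy is allowed, and "immutable" therefore only holds against in-place edits such as the `>>` in the example; make it explicit that signing alone does not make a file immutable under this policy, and that doing so needs a policy rule that refuses files carrying no signature (the kernel's appraise_type=imasig rule option), which this guide does not configure. Smaller points in the same hunk: `# echo "echo \"And now...\"" >> test.sh` is the only command in that `<pre>` not wrapped in `<i>`; the transcript runs `./test.sh` while the audit lines report `name="/bin/test.sh"`, so say the example is run from /bin; the chapter title "Asked Questions with Answers" reads oddly ("Frequently Asked Questions"); and in the /etc/mtab answer, since the file is rewritten with appraisal active, note that the `evmctl ima_hash` call is there to make sure security.ima is present rather than being strictly required after the redirect.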