Gentoo Archives: gentoo-commits

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/integrity/docs: ima-guide.xml
Date: Thu, 27 Dec 2012 20:32:50
Message-Id: 20121227203239.B3A2C2171D@flycatcher.gentoo.org
1 swift 12/12/27 20:32:39
2
3 Modified: ima-guide.xml
4 Log:
5 Further updates on IMA
6
7 Revision Changes Path
8 1.3 xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?rev=1.3&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml?r1=1.2&r2=1.3
13
14 Index: ima-guide.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v
17 retrieving revision 1.2
18 retrieving revision 1.3
19 diff -u -r1.2 -r1.3
20 --- ima-guide.xml 26 Dec 2012 20:07:30 -0000 1.2
21 +++ ima-guide.xml 27 Dec 2012 20:32:39 -0000 1.3
22 @@ -1,6 +1,6 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.2 2012/12/26 20:07:30 swift Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/integrity/docs/ima-guide.xml,v 1.3 2012/12/27 20:32:39 swift Exp $ -->
27
28 <guide lang="en">
29 <title>Using Integrity Measurement Architecture in Gentoo</title>
30 @@ -21,8 +21,8 @@
31 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
32 <license version="3.0" />
33
34 -<version>2</version>
35 -<date>2012-12-26</date>
36 +<version>3</version>
37 +<date>2012-12-27</date>
38
39 <chapter>
40 <title>Purpose of IMA</title>
41 @@ -48,8 +48,8 @@
42 </p>
43
44 <p>
45 -With a pending patch, called the <e>IMA appraisal patch</e>,
46 -the IMA subsystem can even register the measured
47 +Since kernel 3.7, an additional patch, called the <e>IMA appraisal patch</e>,
48 +has been merged within the IMA subsystem so it can even register the measured
49 value as an extended attribute, and after subsequent measurement(s)
50 validate this extended attribute against the measured value and refuse
51 to load the file (or execute the application) if the hash does not match.
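Review bot: "an additional patch, called the IMA appraisal patch, has been merged within the IMA subsystem so it can even register" is hard to parse now that appraisal is mainline; suggest "Since kernel 3.7 the IMA subsystem also provides IMA appraisal: it can register the measured value as an extended attribute, validate that attribute on subsequent measurements, and refuse to open the file (or execute the application) when the hash does not match." It is worth adding that the refusal only happens in enforcing mode (ima_appraise=enforce in the bootloader hunk further down); with ima_appraise=off, which the testing section boots with, nothing is refused.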
52 @@ -81,6 +81,36 @@
53
54 </body>
55 </section>
56 +<section>
57 +<title>The Big Fat Warnings</title>
58 +<body>
59 +
60 +<p>
61 +Using IMA on your system is currently only recommended for development purposes.
62 +Gentoo Hardened is working on integrating IMA properly, so please be aware
63 +that:
64 +</p>
65 +
66 +<ul>
67 + <li>
68 + users might be able to have your machine run out of (kernel) memory by
69 + having (root-owned) processes generate new files over and over again, which
70 + all get measured and their hashes stored
71 + </li>
72 + <li>
73 + the system might have issues booting if not all files have their hash
74 + registered properly; you are easily warned if this is the case through the
75 + Linux audit subsystem
76 + </li>
77 +</ul>
78 +
79 +<p>
80 +We are working on fine-tuning the default policies so that measurements only
81 +occur on legitimate resources.
82 +</p>
83 +
84 +</body>
85 +</section>
86 </chapter>
87
88 <chapter>
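Review bot: the first warning contradicts itself ("users might be able to" versus "(root-owned) processes") and never says what actually fills up; state who can trigger it and what grows, e.g. "any process that keeps creating new files matched by the measurement policy adds an entry, hash included, to the in-kernel measurement list for every one of them, so a runaway or malicious process can exhaust kernel memory". The second warning should say where the warning shows up (type=1800 audit records, visible with dmesg as in the FAQ hunk below) and how to recover: reboot with ima_appraise=off, which the guide already uses in its testing section. Minor: "only recommended for development purposes" reads better as "only recommended on test or development systems".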
89 @@ -91,10 +121,9 @@
90
91 <p>
92 First of all, enable the IMA subsystem in the Linux kernel configuration.
93 -IMA is supported in the main tree since 2.6.30, and it is expected that
94 -the IMA appraisal patch (needed when you want the system to stop if it
95 -detects an off-line modified file) will hit the main tree with Linux
96 -3.7.
97 +IMA is supported in the main tree since 2.6.30, and IMA appraisal (needed when
98 +you want the system to stop if it detects an off-line modified file) is merged
99 +in the main tree since 3.7.
100 </p>
101
102 <pre caption="Linux kernel configuration for IMA">
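Review bot: "stop if it detects an off-line modified file" misdescribes appraisal: as the Purpose chapter says, it refuses to open or execute that particular file, it does not stop the system; suggest "(needed when you want the system to refuse access to a file that was modified off-line)". Also "is merged in the main tree since 3.7" should read "has been in the main tree since 3.7".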
103 @@ -104,7 +133,7 @@
104 CONFIG_IMA_AUDIT=y
105 CONFIG_IMA_LSM_RULES=y
106
107 -<comment># Only if the IMA appraisal patch is available:</comment>
108 +<comment># Since 3.7:</comment>
109 CONFIG_INTEGRITY_SIGNATURE=y
110 CONFIG_IMA_APPRAISE=y
111 </pre>
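Review bot: "# Since 3.7:" says when but not what the two options are for; suggest "# IMA appraisal (3.7 and later):". CONFIG_INTEGRITY_SIGNATURE is only needed for the signature-based appraisal covered later (evmctl sign --imasig and the _ima keyring) and in turn requires CONFIG_KEYS; hash-only appraisal with ima_appraise_tcb needs just CONFIG_IMA_APPRAISE. A one-line comment on each option would stop readers from enabling half of what they need.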
112 @@ -122,7 +151,7 @@
113 <pre caption="Bootloader configuration to enable IMA TCB policy">
114 kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb</i>
115
116 -<comment># Only if IMA appraisal patch is enabled:</comment>
117 +<comment># Only if IMA appraisal is wanted:</comment>
118 kernel /boot/vmlinuz root=/dev/vda1 <i>ima_tcb ima_appraise=enforce ima_appraise_tcb</i>
119 </pre>
120
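Review bot: this is the step where readers lock themselves out: in enforcing mode every root-owned file without a security.ima attribute is refused (the FAQ hunk below shows cause="missing-hash"), so the first boot with ima_appraise=enforce has to come after the registration step in the appraisal chapter, not together with the initial ima_tcb line. Say so in the comment, e.g. "# Only after all files have been registered (see the appraisal chapter):", rather than "Only if IMA appraisal is wanted".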
121 @@ -240,7 +269,7 @@
122 <body>
123
124 <note>
125 -This is only applicable when IMA appraisal patch is enabled.
126 +This is only applicable when IMA appraisal is enabled.
127 </note>
128
129 <p>
130 @@ -251,13 +280,21 @@
131 <p>
132 Next, have all files on the file system checked and their value stored as an
133 extended attribute. This is done by reading all files that the default appraisal
134 -policy will check and take action on (which is all root-owned files).
135 +policy will check and take action on (which is all root-owned files). Note that
136 +this can take a long time...
137 </p>
138
139 <pre caption="Registering all files">
140 -~# <i>find / \( -fstype rootfs -o -fstype ext4 -a -type f \) -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
141 +~# <i>find / \( -fstype rootfs -o -fstype ext4 \) -type -uid 0 -exec head -n 1 '{}' > /dev/null \;</i>
142 </pre>
143
144 +<p>
145 +You might also need to bind-mount the root file system somewhere (like on
146 +<path>/mnt/gentoo</path>) and do the same for the <path>lib64/rc/init.d</path>
147 +location as well as other locations that contain files but become hidden once
148 +the system mounts another file system on top of it.
149 +</p>
150 +
151 <p>
152 When done, you should be able to see the registered hash value as an extended
153 attribute:
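Review bot: the rewritten find line no longer parses: "-type" lost its "f" argument, so find rejects "-type -uid 0" and nothing gets registered. The old line was wrong as well, since "-a" binds tighter than "-o" and "-type f" only applied to the ext4 branch; the intended expression is 'find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' \; > /dev/null'. The bind-mount paragraph should give the commands rather than describe them ('mount --bind / /mnt/gentoo', then the same find rooted at /mnt/gentoo) and name the case it covers: files in the root file system that are hidden under a later mount, such as /lib64/rc/init.d.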
154 @@ -281,7 +318,8 @@
155 <p>
156 You can check if this works by booting with <c>ima_appraise=off</c> and changing
157 the contents of a root-owned file (or the value of the extended attribute) and
158 -reboot with <c>ima_appraise=enforce</c>.
159 +reboot with <c>ima_appraise=enforce</c>, or by directly editing virtual guest
160 +images.
161 </p>
162
163 </body>
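Review bot: "or by directly editing virtual guest images" is too terse; say that this means modifying a file inside the guest's disk image from the host while the guest is shut down, which is exactly the off-line modification appraisal is meant to catch, and that the guest must then be booted with ima_appraise=enforce to see the denial.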
164 @@ -302,9 +340,23 @@
165 <p>
166 To sign such immutable files (like kernel modules and application code), you
167 need to use the <c>evmctl</c> command provided by the
168 -<path>sys-admin/ima-evm-utils</path> package:
169 +<path>sys-admin/ima-evm-utils</path> package (currently only available in the
170 +hardened-dev overlay). But first, setup the kernel keyring:
171 </p>
172
173 +<pre caption="Loading the public key in the IMA keyring">
174 +~# <i>ima_id=`keyctl newring _ima @u`</i>
175 +~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i>
176 +</pre>
177 +
178 +<p>
179 +This allows the IMA subsystem to validate the signature (which is also needed
180 +when initially setting the signature) by loading the public key onto the IMA
181 +keyring. You will need to do this every time the system boots, so it makes
182 +sense to do so within an initramfs (early in the boot process):
183 +</p>
184 +
185 +
186 <pre caption="Signing files to mark them as immutable">
187 ~# <i>find /lib/modules -name "*.ko" -type f -uid 0 -exec \
188 evmctl sign --imasig '{}' /path/to/rsa_private.pem \;</i>
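Review bot: "(which is also needed when initially setting the signature)" is unclear; the point is that once a file carries a signature every subsequent open is verified against the _ima keyring, so the key import has to be in place before evmctl sign is run on anything the system needs at boot. Two practical caveats belong here: 'keyctl newring _ima @u' creates the keyring under the invoking user's (root's) user keyring, so doing this in an initramfs means keyctl, evmctl and rsa_public.pem all have to be inside the initramfs; and the signing step that follows reads the private key from the same host, where it should not stay once signing is done. Style: two consecutive blank lines are added before the "Signing files" pre block.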
189 @@ -326,15 +378,101 @@
190 </pre>
191
192 <p>
193 -To allow the IMA subsystem to validate the signature, you will need to load the
194 -public key onto the IMA keyring. You will need to do this every time the system
195 -boots, so it makes sense to do so within an initramfs (early in the boot
196 -process):
197 +Immutable file support is mainly used to digitally sign the Linux kernel and the
198 +kernel modules and is supported through the EVM technology (which we will
199 +discuss in different documentation) but works well on ELF and other binaries as
200 +well.
201 </p>
202
203 -<pre caption="Loading the public key in the IMA keyring">
204 -~# <i>ima_id=`keyctl newring _ima @u`</i>
205 -~# <i>evmctl import /path/to/rsa_public.pem $ima_id</i>
206 +</body>
207 +</section>
208 +</chapter>
209 +
210 +<chapter>
211 +<title>Asked Questions with Answers</title>
212 +<section>
213 +<title>How do I know IMA with appraisal is working?</title>
214 +<body>
215 +
216 +<p>
217 +This is as simple as finding a file that does not have its hash value stored as
218 +an extended attribute while ima_appraise is in enforcing mode.
219 +</p>
220 +
221 +<pre caption="Checking if IMA with appraisal is working">
222 +# <i>getfattr -m . -d /etc/mtab</i>
223 +getfattr: Removing leading '/' from absolute path names
224 +# file: etc/mtab
225 +security.selinux="system_u:object_r:etc_runtime_t"
226 +
227 +# <i>cat /etc/mtab</i>
228 +cat: /etc/mtab: Permission denied
229 +
230 +# <i>dmesg | tail -1</i>
231 +[ 256.756465] type=1800 audit(1356637858.947:53): pid=3852 uid=0 auid=0 ses=2
232 +subj=root:sysadm_r:sysadm_t op="appraise_data" cause="missing-hash" comm="cat"
233 +name="/etc/mtab" dev="dm-2" ino=394144 res=0
234 +</pre>
235 +
236 +<p>
237 +In the above example, the IMA subsystem reports that the <path>/etc/mtab</path>
238 +file misses its hash value (which should be stored as <e>security.ima</e>) and
239 +as such is denying the <c>cat</c> application access to it.
240 +</p>
241 +
242 +<p>
243 +If you can miss the file (such as with <path>/etc/mtab</path>) you can remove it
244 +and regenerate it if you wish:
245 +</p>
246 +
247 +<pre caption="Regenerating file">
248 +# <i>rm /etc/mtab</i>
249 +# <i>cat /proc/mounts &gt; /etc/mtab</i>
250 +# <i>restorecon /etc/mtab</i> <comment># If using SELinux</comment>
251 +# <i>evmctl ima_hash /etc/mtab</i>
252 +# <i>getfattr -m . -d /etc/mtab</i>
253 +getfattr: Removing leading '/' from absolute path names
254 +# file: etc/mtab
255 +security.ima=0sAUlIU5ffoobWOh0FsSIbgh9Ac8YK
256 +security.selinux="root:object_r:etc_runtime_t"
257 +</pre>
258 +
259 +</body>
260 +</section>
261 +<section>
262 +<title>I was able to edit an 'immutable' file and still run it. How come?</title>
263 +<body>
264 +
265 +<p>
266 +If you digitally signed a script using <c>evmctl sign --imasig &lt;file&gt;
267 +&lt;private-key&gt;</c> and then edited the file with <c>vim</c>, then this
268 +behavior is to be expected. <c>vim</c> removes the original file and replaces it
269 +with a new one. The newly created file is given an appropriate hash (but no
270 +digital signature of course) and thus you can still execute it.
271 +</p>
272 +
273 +<p>
274 +The use of digital signatures is more for kernel modules and ELF binaries. But
275 +below an example of how it does work - if you edit the file rather than replace
276 +it.
277 +</p>
278 +
279 +<pre caption="Example of digitally signed file">
280 +# <i>evmctl sign --imasig ./test.sh /root/rsa_private.pem</i>
281 +# <i>./test.sh</i>
282 +Hello World (again)
283 +# echo "echo \"And now...\"" >> test.sh
284 +# <i>./test.sh</i>
285 +bash: ./test.sh: Permission denied
286 +# <i>cat test.sh</i>
287 +cat: test.sh: Permission denied
288 +# <i>dmesg | tail -2</i>
289 +[ 643.211490] type=1800 audit(1356639603.315:37): pid=3956 uid=0 auid=0 ses=3
290 +subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
291 +comm="bash" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
292 +[ 649.123917] type=1800 audit(1356639609.227:38): pid=3958 uid=0 auid=0 ses=3
293 +subj=root:sysadm_r:sysadm_t op="appraise_data" cause="invalid-signature"
294 +comm="cat" name="/bin/test.sh" dev="dm-2" ino=131466 res=0
295 </pre>
296
297 </body>
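Review bot: the vim answer shows that the hash-based policy accepts any replacement file that receives a fresh hash, which makes "immutable" the wrong word for a signed file unless the policy requires a signature for it; the answer should say that plainly instead of presenting it as a vim quirk. The two FAQ entries also contradict each other: the vim answer says a newly created file is given a hash automatically, while the /etc/mtab recipe still runs 'evmctl ima_hash /etc/mtab' after recreating the file; either that step is redundant and should go, or the vim answer overstates and should say when the hash is written. Smaller points: "Asked Questions with Answers" reads like a slip for "Frequently Asked Questions"; the 'echo "echo \"And now...\"" >> test.sh' line lacks the <i> markup the other commands have; and the audit records name /bin/test.sh while the commands use ./test.sh, so state the working directory or use one path throughout.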