| 1 |
On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote: |
| 2 |
> My system: |
| 3 |
> Gentoo Hardened - grsec & pax: |
| 4 |
> /Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo |
| 5 |
> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST |
| 6 |
> 2013/ |
| 7 |
> |
| 8 |
> I have a few questions about Integrity check using IMA / EVM, as |
| 9 |
> described in this article: |
| 10 |
> http://www.gentoo.org/proj/en/hardened/integrity/ |
| 11 |
> |
| 12 |
> |
| 13 |
> How to automatically sign installed by Portage packages for the IMA and EVM? |
| 14 |
|
| 15 |
There's no automated signing documented anywhere yet. You should be able to |
| 16 |
automate it through the hooks Portage provides - you can run the evmctl |
| 17 |
commands as part of the postinst phase. |
| 18 |
|
| 19 |
See |
| 20 |
http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3 |
| 21 |
for how to interact with the hooks. |
| 22 |
|
| 23 |
I didn't document it, because any automation I currently considered left the |
| 24 |
key and/or its passphraze open (for a while - during the build processes). |
| 25 |
As signing isn't mandatory (without signing, the standard checksums are |
| 26 |
used) you can always sign afterwards (for instance after disconnecting the |
| 27 |
system etc.) |
| 28 |
|
| 29 |
> Is it possible to run the added convenience Portage, acting similarly to |
| 30 |
> currently applying SELinux tags? |
| 31 |
|
| 32 |
What do you mean with the added convenience Portage? |
| 33 |
|
| 34 |
Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the |
| 35 |
attributes with the checksums (and some other metadata) through the kernel |
| 36 |
(nothing we need to do), or with a digital signature (when you call evmctl). |
| 37 |
|
| 38 |
> Is there a tool similar to rlpkg package policycoreutils to sign files |
| 39 |
> for EVM / IMA? |
| 40 |
|
| 41 |
No, not yet. The problem is that signing the files (to make them immutable) |
| 42 |
requires that you know which files are not meant to be writeable in the |
| 43 |
first place. We can apply some "common sense" to it, but it isn't |
| 44 |
error-proof (unlike the SELinux contexts, which are perfectly defined in the |
| 45 |
policy). |
| 46 |
|
| 47 |
But you can easily build something that checks the files provided by qfile, |
| 48 |
and if the file is an ELF binary, sign it. You still need to pass the |
| 49 |
signing key and password to it though. |
| 50 |
|
| 51 |
> Is it possible to use EVM is installed in accordance with this guide: |
| 52 |
> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml |
| 53 |
> without SELinux? |
| 54 |
|
| 55 |
You can use SELinux, but you cannot use the custom policy then. Without |
| 56 |
custom policy, things should work - it just checks integrity/recalculates |
| 57 |
integrity after changes for files that are less of a concern to follow |
| 58 |
(performance). |
| 59 |
|
| 60 |
> As in this case (without SELinux) to the EVM/IMA policy integrity check |
| 61 |
> that did not include such locations as |
| 62 |
> //////usr///// share// |
| 63 |
> /// var///// log// |
| 64 |
> // /// tmp// |
| 65 |
> ///////var// |
| 66 |
> // ///////usr /////portage// |
| 67 |
> // /// media |
| 68 |
> //////Where / |
| 69 |
> // var, /tmp and / usr is on rootfs? |
| 70 |
|
| 71 |
Without SELinux context information, it does the integrity checks for all |
| 72 |
files. |
| 73 |
|
| 74 |
Wkr, |
| 75 |
Sven Vermeulen |
Archives