On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
> My system:
> Gentoo Hardened - grsec & pax:
> /Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
> 2013/
>
> I have a few questions about Integrity check using IMA / EVM, as
> described in this article:
> http://www.gentoo.org/proj/en/hardened/integrity/
>
>
> How to automatically sign packages installed by Portage for IMA and EVM?

There's no automated signing documented anywhere yet. You should be able to
automate it through the hooks Portage provides - you can run the evmctl
commands as part of the postinst phase.

See
http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
for how to interact with the hooks.

I didn't document it, because any automation I currently considered left the
key and/or its passphrase open (for a while - during the build processes).
As signing isn't mandatory (without signing, the standard checksums are
used) you can always sign afterwards (for instance after disconnecting the
system etc.)

> Is it possible to run the added convenience Portage, acting similarly to
> currently applying SELinux tags?

What do you mean with the added convenience Portage?

Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
attributes with the checksums (and some other metadata) through the kernel
(nothing we need to do), or with a digital signature (when you call evmctl).

> Is there a tool similar to rlpkg package policycoreutils to sign files
> for EVM / IMA?

No, not yet. The problem is that signing the files (to make them immutable)
requires that you know which files are not meant to be writeable in the
first place. We can apply some "common sense" to it, but it isn't
error-proof (unlike the SELinux contexts, which are perfectly defined in the
policy).

But you can easily build something that checks the files provided by qfile,
and if the file is an ELF binary, sign it. You still need to pass the
signing key and password to it though.

> Is it possible to use EVM installed in accordance with this guide:
> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
> without SELinux?

You can use SELinux, but you cannot use the custom policy then. Without
custom policy, things should work - it just checks integrity/recalculates
integrity after changes for files that are less of a concern to follow
(performance).

> As in this case (without SELinux) to the EVM/IMA policy integrity check
> that did not include such locations as
> /usr/share
> /var/log
> /tmp
> /var
> /usr/portage
> /media
> Where /var, /tmp and /usr are on rootfs?

Without SELinux context information, it does the integrity checks for all
files.

Wkr,
Sven Vermeulen
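An added example, not code from Sven's mail or from the Gentoo integrity project, of the Portage-hook approach described in the reply: after a package is merged, walk its image directory, pick out ELF binaries by their magic bytes and hand each installed path to evmctl. The hook name post_pkg_postinst and the ${D}/${ROOT} variables are Portage's; the key path and the evmctl arguments are assumptions, and evmctl still prompts for the key passphrase, which is exactly the gap the reply describes.

```shell
#!/bin/bash
# Added example (not from Sven's mail or the Gentoo integrity project): sign
# the ELF binaries of a merged package from an /etc/portage/bashrc hook.

# True if the file starts with the ELF magic bytes 7f 45 4c 46 ("\177ELF").
is_elf() {
    [ -f "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print every ELF regular file below the image directory $1, as a path
# relative to that directory, so it can be rejoined with ${ROOT}.
find_elf_files() {
    local image="$1" f
    find "$image" -type f | while read -r f; do
        if is_elf "$f"; then printf '%s\n' "${f#"$image"}"; fi
    done
}

# Assumed real signer: evmctl writes security.evm and, with --imasig, an IMA
# signature into security.ima. Key path is an assumption; evmctl prompts for
# the key passphrase, so this is not yet unattended.
evmctl_sign() {
    evmctl sign --imasig --key "${EVM_KEY:-/etc/keys/privkey_evm.pem}" "$1"
}

# Sign each ELF file of a merged package at its installed location.
# $1 = image dir (${D}), $2 = root (${ROOT}), $3 = signer command (defaults
# to evmctl_sign; a stand-in can be passed for a dry run). Prints the signed
# paths; the return value is the number of files that failed to sign.
sign_package_elfs() {
    local image="$1" root="${2:-/}" signer="${3:-evmctl_sign}" rel failures=0
    local IFS='
'
    set -f   # split the file list on newlines only; never glob-expand paths
    for rel in $(find_elf_files "$image"); do
        if "$signer" "${root%/}$rel"; then
            printf '%s\n' "${root%/}$rel"
        else
            failures=$((failures + 1))
        fi
    done
    set +f
    return "$failures"
}

# Portage hook: runs after the package image has been merged into ${ROOT}.
post_pkg_postinst() {
    sign_package_elfs "${D}" "${ROOT:-/}"
}
```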