Thanks

First problem solved:

    # Portage bashrc hook: run for every ebuild phase, act only after the merge
    if [ "${EBUILD_PHASE}" == "postinst" ]; then
        # qlist ${PF} lists the files owned by the package just installed;
        # read line by line so paths containing spaces survive
        qlist "${PF}" | while IFS= read -r plik; do
            /usr/local/sbin/evmsign.sh "$plik" 2>/dev/null
        done
        echo "Zainstalowane ${PF} ;)"
    fi

And the script evmsign.sh:

    #!/bin/bash
    # evmsign.sh: takes one path; ELF binaries get an IMA signature,
    # every other file only an IMA hash

    PLIK="$1"

    # debugging output, disabled:
    # echo "Plik nazywa się $PLIK"

    evmsign() {
        echo "Podpisuję (imasign) $PLIK"          # "signing (imasig) $PLIK"
        evmctl sign --imasig "$PLIK" /etc/keys/rsa_private.pem
    }
    evmhash() {
        echo "Robię hash dla $PLIK"               # "hashing $PLIK"
        evmctl sign --imahash "$PLIK" /etc/keys/rsa_private.pem
    }

    # "a && b || c" would also run evmhash whenever evmsign itself fails,
    # so an explicit if/else keeps the two cases apart
    if file "$PLIK" | grep -q 'ELF'; then
        evmsign
    else
        evmhash
    fi

This is not an ideal, perfect solution, but it works fine :-)

Second problem - in progress:
rootfs mounted with the i_version flag, and /var/log, /var/portage, /home ....
on other partitions, without the i_version mount option?
Will it work?

SELinux? I tried several times, but I always have quite a few errors,
while grsec RBAC and the configuration in /etc/grsec/policy do not
cause any trouble.

I wonder if I'll find something interesting here:
http://forums.grsecurity.net/viewtopic.php?f=1&t=3535

Thank You

On 10.06.2013 20:45, Sven Vermeulen wrote:
> On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
>> My system:
>> Gentoo Hardened - grsec & pax:
>> Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
>> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
>> 2013
>>
>> I have a few questions about integrity checking using IMA / EVM, as
>> described in this article:
>> http://www.gentoo.org/proj/en/hardened/integrity/
>>
>> How to automatically sign packages installed by Portage for IMA and EVM?
> There's no automated signing documented anywhere yet. You should be able to
> automate it through the hooks Portage provides - you can run the evmctl
> commands as part of the postinst phase.
>
> See
> http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
> for how to interact with the hooks.
>
> I didn't document it, because any automation I currently considered left the
> key and/or its passphrase open (for a while - during the build processes).
> As signing isn't mandatory (without signing, the standard checksums are
> used) you can always sign afterwards (for instance after disconnecting the
> system etc.)
>
>> Is it possible to run the added convenience Portage, acting similarly to
>> currently applying SELinux tags?
> What do you mean with the added convenience Portage?
>
> Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
> attributes with the checksums (and some other metadata) through the kernel
> (nothing we need to do), or with a digital signature (when you call evmctl).
>
>> Is there a tool similar to rlpkg package policycoreutils to sign files
>> for EVM / IMA?
> No, not yet. The problem is that signing the files (to make them immutable)
> requires that you know which files are not meant to be writeable in the
> first place. We can apply some "common sense" to it, but it isn't
> error-proof (unlike the SELinux contexts, which are perfectly defined in the
> policy).
>
> But you can easily build something that checks the files provided by qfile,
> and if the file is an ELF binary, sign it. You still need to pass the
> signing key and password to it though.
>
>> Is it possible to use EVM installed in accordance with this guide:
>> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
>> without SELinux?
> You can use SELinux, but you cannot use the custom policy then. Without
> custom policy, things should work - it just checks integrity/recalculates
> integrity after changes for files that are less of a concern to follow
> (performance).
>
>> And in this case (without SELinux), how to make the EVM/IMA integrity-check
>> policy not include such locations as
>> /usr/share
>> /var/log
>> /tmp
>> /var
>> /usr/portage
>> /media
>> where /var, /tmp and /usr are on rootfs?
> Without SELinux context information, it does the integrity checks for all
> files.
>
> Wkr,
> Sven Vermeulen
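A "sign afterwards" variant of the postinst hook and evmsign.sh from the top of this mail, written here as an added example (it is not the poster's code, nor anything shipped by Gentoo or ima-evm-utils): it reads the file list that `qlist ${PF}` produces, decides per path whether it gets an IMA signature, an IMA hash, or nothing, and issues the same `evmctl sign --imasig` / `--imahash` forms as the script above. Because it runs outside the build, the key is not present during the emerge, which is the exposure Sven describes in the quoted reply. Compared with the original, it recognizes ELF by the four magic bytes rather than the wording of `file`, skips symlinks and directories instead of feeding them to evmctl, and counts failures. The `EVMCTL` override (for dry runs), the `KEY` default path and the function names are assumptions of this example, not evmctl features.

```shell
#!/bin/sh
# Added example: sign a package's files after the merge ("sign afterwards"),
# reusing the evmctl invocations of evmsign.sh. Assumptions: EVMCTL may be
# pointed at a stand-in for dry runs, KEY is a placeholder path, and the list
# file holds one path per line (e.g. the output of `qlist ${PF}`).

EVMCTL="${EVMCTL:-evmctl}"
KEY="${KEY:-/etc/keys/rsa_private.pem}"   # placeholder; use your own key path

# is_elf FILE: true when the file starts with the ELF magic 0x7f 'E' 'L' 'F'.
# Checking the bytes directly does not depend on the wording of `file` output.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# classify FILE: prints "skip" for anything that is not a regular file
# (symlink, directory, missing path), "sig" for ELF binaries (IMA signature,
# the file becomes immutable) and "hash" for other regular files (IMA hash
# only, so the file can still be updated legitimately).
classify() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo skip
    elif is_elf "$1"; then
        echo sig
    else
        echo hash
    fi
}

# sign_as KIND FILE: run the evmctl command matching KIND; returns its status.
sign_as() {
    case "$1" in
        sig)  "$EVMCTL" sign --imasig  "$2" "$KEY" ;;
        hash) "$EVMCTL" sign --imahash "$2" "$KEY" ;;
        *)    return 0 ;;
    esac
}

# sign_list LISTFILE: process every path in LISTFILE and print a one-line
# summary, so a failed signing run is visible instead of silently ignored.
sign_list() {
    signed=0; hashed=0; skipped=0; failed=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        kind=$(classify "$path")
        if [ "$kind" = skip ]; then
            skipped=$((skipped + 1))
        elif sign_as "$kind" "$path"; then
            if [ "$kind" = sig ]; then
                signed=$((signed + 1))
            else
                hashed=$((hashed + 1))
            fi
        else
            failed=$((failed + 1))   # missing key, evmctl error, read-only fs ...
        fi
    done < "$1"
    echo "signed=$signed hashed=$hashed skipped=$skipped failed=$failed"
}

# Usage: qlist "${PF}" > /tmp/files.txt && KEY=/path/to/key ./evmsign-list.sh /tmp/files.txt
if [ $# -gt 0 ]; then
    sign_list "$1"
fi
```

Run it as root once the package is merged and the key is available; pointing `EVMCTL` at a script that only logs its arguments gives a dry run showing which files would be signed and which merely hashed, before any xattr is written.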