| 1 |
Thanks |
| 2 |
|
| 3 |
First problem solved: |
| 4 |
|
| 5 |
/if [ "${EBUILD_PHASE}" == "postinst" ];// |
| 6 |
//then// |
| 7 |
// for plik in `qlist ${PF}`; do// |
| 8 |
// /usr/local/sbin/evmsign.sh $plik 2>/dev/null;// |
| 9 |
// done;// |
| 10 |
// echo "Zainstalowane ${PF} ;)";// |
| 11 |
// |
| 12 |
//fi/ |
| 13 |
|
| 14 |
And script evmsing.sh: |
| 15 |
|
| 16 |
/#!/bin/bash// |
| 17 |
// |
| 18 |
// |
| 19 |
//PLIK="$1";// |
| 20 |
// |
| 21 |
//# echo "Plik nazywa się $PLIK";// |
| 22 |
// |
| 23 |
//function evmsign {// |
| 24 |
// echo "Podpisuję (imasign) $PLIK";// |
| 25 |
// evmctl sign --imasig $PLIK /etc/keys/rsa_private.pem;// |
| 26 |
//}// |
| 27 |
//function evmhash {// |
| 28 |
// echo "Robię hash dla $PLIK ";// |
| 29 |
// evmctl sign --imahash $PLIK /etc/keys/rsa_private.pem;// |
| 30 |
//}// |
| 31 |
// |
| 32 |
//file $PLIK | grep 'ELF' &> /dev/null && evmsign || evmhash/ |
| 33 |
|
| 34 |
This is not Idel perfect solution, but it works fine :-) |
| 35 |
|
| 36 |
Second problem - in progress: |
| 37 |
rootfs mount with i_version flags, /var/log, /var/portage, /home .... |
| 38 |
on other partitions, without i_version mount option? |
| 39 |
whether it will work? |
| 40 |
|
| 41 |
SELinux? I tried several times, but I always have quite a few errors, |
| 42 |
while grsec RBAC and configuration in / etc / grsec / policy does not |
| 43 |
cause any troubles. |
| 44 |
|
| 45 |
I wonder if I'll find something here interesting: |
| 46 |
http://forums.grsecurity.net/viewtopic.php?f=1&t=3535 |
| 47 |
|
| 48 |
Thank You |
| 49 |
|
| 50 |
W dniu 10.06.2013 20:45, Sven Vermeulen pisze: |
| 51 |
> On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote: |
| 52 |
>> My system: |
| 53 |
>> Gentoo Hardened - grsec & pax: |
| 54 |
>> /Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo |
| 55 |
>> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST |
| 56 |
>> 2013/ |
| 57 |
>> |
| 58 |
>> I have a few questions about Integrity check using IMA / EVM, as |
| 59 |
>> described in this article: |
| 60 |
>> http://www.gentoo.org/proj/en/hardened/integrity/ |
| 61 |
>> |
| 62 |
>> |
| 63 |
>> How to automatically sign installed by Portage packages for the IMA and EVM? |
| 64 |
> There's no automated signing documented anywhere yet. You should be able to |
| 65 |
> automate it through the hooks Portage provides - you can run the evmctl |
| 66 |
> commands as part of the postinst phase. |
| 67 |
> |
| 68 |
> See |
| 69 |
> http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3 |
| 70 |
> for how to interact with the hooks. |
| 71 |
> |
| 72 |
> I didn't document it, because any automation I currently considered left the |
| 73 |
> key and/or its passphraze open (for a while - during the build processes). |
| 74 |
> As signing isn't mandatory (without signing, the standard checksums are |
| 75 |
> used) you can always sign afterwards (for instance after disconnecting the |
| 76 |
> system etc.) |
| 77 |
> |
| 78 |
>> Is it possible to run the added convenience Portage, acting similarly to |
| 79 |
>> currently applying SELinux tags? |
| 80 |
> What do you mean with the added convenience Portage? |
| 81 |
> |
| 82 |
> Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the |
| 83 |
> attributes with the checksums (and some other metadata) through the kernel |
| 84 |
> (nothing we need to do), or with a digital signature (when you call evmctl). |
| 85 |
> |
| 86 |
>> Is there a tool similar to rlpkg package policycoreutils to sign files |
| 87 |
>> for EVM / IMA? |
| 88 |
> No, not yet. The problem is that signing the files (to make them immutable) |
| 89 |
> requires that you know which files are not meant to be writeable in the |
| 90 |
> first place. We can apply some "common sense" to it, but it isn't |
| 91 |
> error-proof (unlike the SELinux contexts, which are perfectly defined in the |
| 92 |
> policy). |
| 93 |
> |
| 94 |
> But you can easily build something that checks the files provided by qfile, |
| 95 |
> and if the file is an ELF binary, sign it. You still need to pass the |
| 96 |
> signing key and password to it though. |
| 97 |
> |
| 98 |
>> Is it possible to use EVM is installed in accordance with this guide: |
| 99 |
>> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml |
| 100 |
>> without SELinux? |
| 101 |
> You can use SELinux, but you cannot use the custom policy then. Without |
| 102 |
> custom policy, things should work - it just checks integrity/recalculates |
| 103 |
> integrity after changes for files that are less of a concern to follow |
| 104 |
> (performance). |
| 105 |
> |
| 106 |
>> As in this case (without SELinux) to the EVM/IMA policy integrity check |
| 107 |
>> that did not include such locations as |
| 108 |
>> //////usr///// share// |
| 109 |
>> /// var///// log// |
| 110 |
>> // /// tmp// |
| 111 |
>> ///////var// |
| 112 |
>> // ///////usr /////portage// |
| 113 |
>> // /// media |
| 114 |
>> //////Where / |
| 115 |
>> // var, /tmp and / usr is on rootfs? |
| 116 |
> Without SELinux context information, it does the integrity checks for all |
| 117 |
> files. |
| 118 |
> |
| 119 |
> Wkr, |
| 120 |
> Sven Vermeulen |
| 121 |
> |
| 122 |
> |
Archives