diff --git a/README.md b/README.md index 347df52..a4a10a5 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/ References for IMA: - https://sourceforge.net/p/linux-ima/wiki/Home/ - https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture +- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture/Recipes - https://wiki.strongswan.org/projects/strongswan/wiki/IMA Attention! The above Docs are written for different versions of IMA and the Linux Kernel. @@ -100,7 +101,7 @@ To enable IMA, the Kernel needs the corresponding parameters as follows: - `secure_boot` - appraises all loaded modules, firmware, kexec'd Kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the Kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim. - `ima_hash=` (used hash algorithm - `sha1` (default) - - `sha256` + - `sha256` (used) - `sha512` - ... - `ima_template=` 
@@ -116,5 +117,32 @@ To enable IMA, the Kernel needs the corresponding parameters as follows: - filedata_hash=sha1(filedata) - `rootflags=i_version` - files are only measured when they are updated on the file system. +### IMA file attributes The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`. +All hashes in this file are backed as a hash chain in PCR 10. +As long as `ima_apprais=fix` is set, hashes of all accessed files are saved as extended file attribute. +To view all extended attributes of a file use: +``` +getfattr -m - -d /path/to/file +``` +IMA sets `security.ima` with the file hash + +### Set IMA to enforcing +1. For enforcing IMA, every file must be hashed. This can be done with (will take about an hour): +``` +time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; #Gentoo recommendation +``` +2. In `/boot/kernel-command-line.txt` the Kernel parameter `ima_appraise=fix` can be set to `ima_appraise=enforce`. +3. Update the unified Kernel image with `update-kernel.sh` +4. Reboot + +## Syscall logging with auditd +auditd is able to log every single syscall of a process. +1. `autrace [-r] path/to/executable -with -args` +2. When the executable is finished, it returns a pid number +3. `ausearch -i -p > /path/to/auditlog` saves then the complete audit log to a file. +4. find all accessed files with +``` +grep -Eo "=/[[:graph:]/]*" /path/to/auditlog | grep -Eo "/[[:graph:]/]*" | sort | uniq > /path/to/fileaccesslog +``` \ No newline at end of file
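Review bot: in the `ima_hash=` list of the second hunk, the new annotation `- \`sha256\` (used)` does not say used by what; make it explicit, e.g. `- \`sha256\` (used in this project's kernel command line)`, since the third hunk is where the command line (`/boot/kernel-command-line.txt`) is edited and the reader otherwise cannot tell whether "used" describes a default, a recommendation, or this setup. Also note in the same line that `ima_hash` must match the algorithm already stored in the `security.ima` xattrs when switching to `ima_appraise=enforce`, otherwise files hashed under `ima_appraise=fix` with a different algorithm will be re-hashed or fail appraisal.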
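Review bot: the third hunk has two command-line errors that will trip a reader who copies them: `ima_apprais=fix` in the "IMA file attributes" paragraph is missing the `e` (the parameter is `ima_appraise=fix`, as the "Set IMA to enforcing" step 2 spells it), and `ausearch -i -p > /path/to/auditlog` in the auditd section drops the pid that step 2 says `autrace` prints; it should read `ausearch -i -p <pid> > /path/to/auditlog`. Two smaller points in the same hunk: `autrace [-r] path/to/executable -with -args` reads as if `-with` and `-args` were real flags, write it as `autrace [-r] /path/to/executable [args]`; and the `find / -fstype ext4 -type f -uid 0 ...` pass only opens root-owned files on ext4, so it should say that this only prepares files that match an appraise policy limited to `fowner=0` on ext4 (the Gentoo recipe it cites), and that any other file the policy covers will have no `security.ima` and be rejected once `ima_appraise=enforce` is set. The "will take about an hour" estimate also depends entirely on the file system size and should be qualified or dropped.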