Add auditd logging and how to enforce IMA

master
Michael Preisach, 5 years ago
parent commit 617fb3745f
README.md: 30 changed lines
@ -82,6 +82,7 @@ rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/
References for IMA: References for IMA:
- https://sourceforge.net/p/linux-ima/wiki/Home/ - https://sourceforge.net/p/linux-ima/wiki/Home/
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture - https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture/Recipes
- https://wiki.strongswan.org/projects/strongswan/wiki/IMA - https://wiki.strongswan.org/projects/strongswan/wiki/IMA
Attention! The above Docs are written for different versions of IMA and the Linux Kernel. Attention! The above Docs are written for different versions of IMA and the Linux Kernel.
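Review bot: the newly added Recipes link lands directly under the "Attention!" warning that the referenced docs target different IMA and kernel versions, so readers still cannot tell which recipe variant matches this README; state the kernel version these steps were tested with (or which recipe was followed) next to the link.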
@ -100,7 +101,7 @@ To enable IMA, the Kernel needs the corresponding parameters as follows:
- `secure_boot` - appraises all loaded modules, firmware, kexec'd Kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the Kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim. - `secure_boot` - appraises all loaded modules, firmware, kexec'd Kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the Kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
- `ima_hash=` (used hash algorithm - `ima_hash=` (used hash algorithm
- `sha1` (default) - `sha1` (default)
- `sha256` - `sha256` (used)
- `sha512` - `sha512`
- ... - ...
- `ima_template=` - `ima_template=`
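Review bot: the bare `(used)` annotation on `sha256` is ambiguous out of context (used by whom, by default or by this setup?); say explicitly that this build passes `ima_hash=sha256` on the kernel command line. Also check it against the template description a few lines further down, which still reads `filedata_hash=sha1(filedata)`: if that line describes the template this setup uses, it should now say sha256, otherwise add a note that the legacy `ima` template is fixed to sha1 regardless of `ima_hash`, so the two statements no longer contradict each other.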
@ -116,5 +117,32 @@ To enable IMA, the Kernel needs the corresponding parameters as follows:
- filedata_hash=sha1(filedata) - filedata_hash=sha1(filedata)
- `rootflags=i_version` - files are only measured when they are updated on the file system. - `rootflags=i_version` - files are only measured when they are updated on the file system.
### IMA file attributes
The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`. The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`.
All hashes in this file are backed as a hash chain in PCR 10.
As long as `ima_apprais=fix` is set, hashes of all accessed files are saved as extended file attribute.
To view all extended attributes of a file use:
```
getfattr -m - -d /path/to/file
```
IMA sets `security.ima` with the file hash
### Set IMA to enforcing
1. For enforcing IMA, every file must be hashed. This can be done with (will take about an hour):
```
time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; #Gentoo recommendation
```
2. In `/boot/kernel-command-line.txt` the Kernel parameter `ima_appraise=fix` can be set to `ima_appraise=enforce`.
3. Update the unified Kernel image with `update-kernel.sh`
4. Reboot
## Syscall logging with auditd
auditd is able to log every single syscall of a process.
1. `autrace [-r] path/to/executable -with -args`
2. When the executable is finished, it returns a pid number
3. `ausearch -i -p <pid> > /path/to/auditlog` saves then the complete audit log to a file.
4. find all accessed files with
```
grep -Eo "=/[[:graph:]/]*" /path/to/auditlog | grep -Eo "/[[:graph:]/]*" | sort | uniq > /path/to/fileaccesslog
```
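Review bot: `ima_apprais=fix` in the "As long as ... is set" sentence is a typo for `ima_appraise=fix`, and it should match the spelling used in step 2 of "Set IMA to enforcing". Two logic points in that section: first, "every file must be hashed" is stronger than what the command does and weaker than what enforce needs. The `find / -fstype ext4 -type f -uid 0 ...` only opens root-owned regular files on ext4, so files on other filesystems, files owned by other users that the appraise policy still covers, and anything installed or updated after the run get no `security.ima` attribute and will be refused once `ima_appraise=enforce` is active; say that the set of files to touch must match the appraise policy in use, and add a verification step before step 4 (for example `getfattr -m security.ima -d /bin/bash` on a handful of binaries, or a second `find` that lists files still lacking the attribute) so a reboot into enforce mode does not leave an unbootable system. Second, `-with -args` in `autrace [-r] path/to/executable -with -args` reads like a stray option; it is presumably a placeholder for the program's arguments, so write it as `path/to/executable [args...]`. Worth adding in the auditd section: autrace removes all currently loaded audit rules before it runs the target, so note that existing rules must be reloaded afterwards. Style: `sort | uniq` in the grep pipeline can be `sort -u`.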