
Add auditd logging and how to enforce IMA

master
Michael Preisach 5 years ago
parent
commit
617fb3745f
1 file changed: README.md (30 lines)

@ -82,6 +82,7 @@ rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/
References for IMA:
- https://sourceforge.net/p/linux-ima/wiki/Home/
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture/Recipes
- https://wiki.strongswan.org/projects/strongswan/wiki/IMA
Attention! The above Docs are written for different versions of IMA and the Linux Kernel.
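Review bot: the "Attention!" line that closes this hunk says the four referenced docs target different IMA and Kernel versions but does not say which version the steps in this README were written against, so the reader still cannot tell which reference to trust; suggest extending it to name the Kernel version and IMA policy the README was tested with (for example "Attention! The above docs are written for different versions of IMA and the Linux Kernel; the steps below were tested with Kernel <version>."). The added strongswan link itself fits the list.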
@ -100,7 +101,7 @@ To enable IMA, the Kernel needs the corresponding parameters as follows:
- `secure_boot` - appraises all loaded modules, firmware, kexec'd Kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the Kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
- `ima_hash=` (used hash algorithm
- `sha1` (default)
- `sha256`
- `sha256` (used)
- `sha512`
- ...
- `ima_template=`
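Review bot: `- \`ima_hash=\` (used hash algorithm` has an unbalanced parenthesis, and the hunk adds a second `sha256` entry marked "(used)" directly below the existing plain `sha256` line, so the algorithm list now contains the same value twice. Suggest closing the parenthesis and annotating the single existing entry instead, dropping the duplicate line:
`- \`ima_hash=\` (used hash algorithm)`
`- \`sha256\` (used)`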
@ -116,5 +117,32 @@ To enable IMA, the Kernel needs the corresponding parameters as follows:
- filedata_hash=sha1(filedata)
- `rootflags=i_version` - files are only measured when they are updated on the file system.
### IMA file attributes
The IMA log is a virtual file in `/sys/kernel/security/ima/ascii_runtime_measurements`.
All hashes in this file are backed as a hash chain in PCR 10.
As long as `ima_apprais=fix` is set, hashes of all accessed files are saved as extended file attribute.
To view all extended attributes of a file use:
```
getfattr -m - -d /path/to/file
```
IMA sets `security.ima` with the file hash
### Set IMA to enforcing
1. For enforcing IMA, every file must be hashed. This can be done with (will take about an hour):
```
time find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; #Gentoo recommendation
```
2. In `/boot/kernel-command-line.txt` the Kernel parameter `ima_appraise=fix` can be set to `ima_appraise=enforce`.
3. Update the unified Kernel image with `update-kernel.sh`
4. Reboot
## Syscall logging with auditd
auditd is able to log every single syscall of a process.
1. `autrace [-r] path/to/executable -with -args`
2. When the executable is finished, it returns a pid number
3. `ausearch -i -p <pid> > /path/to/auditlog` saves then the complete audit log to a file.
4. find all accessed files with
```
grep -Eo "=/[[:graph:]/]*" /path/to/auditlog | grep -Eo "/[[:graph:]/]*" | sort | uniq > /path/to/fileaccesslog
```
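Review bot: `ima_apprais=fix` in the new "IMA file attributes" section is misspelled; the parameter is `ima_appraise=fix`, as step 2 of "Set IMA to enforcing" itself writes it, and a reader copying the misspelled form into the Kernel command line would get an unrecognised parameter rather than fix mode. Same hunk, "Set IMA to enforcing": step 1 (the `find ... -exec dd ...` pass) only produces `security.ima` xattrs if the system is already booted with `ima_appraise=fix`; the previous section states that condition, but the numbered procedure does not, and switching to `enforce` in step 2 on a system that skipped it leaves root-owned files without hashes. Suggest adding "boot with `ima_appraise=fix` first" as the precondition of step 1. In "Syscall logging with auditd", `autrace [-r] path/to/executable -with -args` reads as if `-with` and `-args` were autrace flags; make the placeholder explicit, e.g. `autrace [-r] /path/to/executable [args...]`.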