Integrity EVM / IMA - few questions.
Hi

My system:
Gentoo Hardened - grsec & pax:
Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
2013

I have a few questions about Integrity check using IMA / EVM, as
described in this article:
http://www.gentoo.org/proj/en/hardened/integrity/


How to automatically sign packages installed by Portage for IMA and EVM?
Is it possible to run the added convenience Portage, acting similarly to
currently applying SELinux tags?
Is there a tool similar to rlpkg from the policycoreutils package to sign files
for EVM / IMA?

Is it possible to use EVM installed in accordance with this guide:
http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
without SELinux?
And in this case (without SELinux), how do I get the EVM/IMA integrity-check
policy to leave out locations such as
/usr/share
/var/log
/tmp
/var
/usr/portage
/media
where /var, /tmp and /usr are on rootfs?

Cheers
;)
Re: Integrity EVM / IMA - few questions. [ In reply to ]
On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
> My system:
> Gentoo Hardened - grsec & pax:
> Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
> 2013
>
> I have a few questions about Integrity check using IMA / EVM, as
> described in this article:
> http://www.gentoo.org/proj/en/hardened/integrity/
>
>
> How to automatically sign packages installed by Portage for IMA and EVM?

There's no automated signing documented anywhere yet. You should be able to
automate it through the hooks Portage provides - you can run the evmctl
commands as part of the postinst phase.

See
http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
for how to interact with the hooks.

I didn't document it, because any automation I currently considered left the
key and/or its passphrase open (for a while - during the build processes).
As signing isn't mandatory (without signing, the standard checksums are
used) you can always sign afterwards (for instance after disconnecting the
system etc.)

> Is it possible to run the added convenience Portage, acting similarly to
> currently applying SELinux tags?

What do you mean with the added convenience Portage?

Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
attributes with the checksums (and some other metadata) through the kernel
(nothing we need to do), or with a digital signature (when you call evmctl).

> Is there a tool similar to rlpkg from the policycoreutils package to sign files
> for EVM / IMA?

No, not yet. The problem is that signing the files (to make them immutable)
requires that you know which files are not meant to be writeable in the
first place. We can apply some "common sense" to it, but it isn't
error-proof (unlike the SELinux contexts, which are perfectly defined in the
policy).

But you can easily build something that checks the files provided by qfile,
and if the file is an ELF binary, sign it. You still need to pass the
signing key and password to it though.

> Is it possible to use EVM installed in accordance with this guide:
> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
> without SELinux?

You can use SELinux, but you cannot use the custom policy then. Without
custom policy, things should work - it just checks integrity/recalculates
integrity after changes for files that are less of a concern to follow
(performance).

> And in this case (without SELinux), how do I get the EVM/IMA integrity-check
> policy to leave out locations such as
> /usr/share
> /var/log
> /tmp
> /var
> /usr/portage
> /media
> where /var, /tmp and /usr are on rootfs?

Without SELinux context information, it does the integrity checks for all
files.

Wkr,
Sven Vermeulen
Re: Integrity EVM / IMA - few questions. [ In reply to ]
Thanks

First problem solved:

if [ "${EBUILD_PHASE}" = "postinst" ]; then
    # Hand every file the package just installed to the signing script.
    for plik in $(qlist "${PF}"); do
        /usr/local/sbin/evmsign.sh "$plik" 2>/dev/null
    done
    echo "Zainstalowane ${PF} ;)"
fi

And the script evmsign.sh:

#!/bin/bash

PLIK="$1"

# echo "File is called $PLIK"

# ELF binaries get an RSA signature (immutable); everything else gets a hash
# that the kernel can recalculate after legitimate changes.
function evmsign {
    echo "Podpisuję (imasign) $PLIK"
    evmctl sign --imasig "$PLIK" /etc/keys/rsa_private.pem
}
function evmhash {
    echo "Robię hash dla $PLIK "
    evmctl sign --imahash "$PLIK" /etc/keys/rsa_private.pem
}

# file -b keeps the file name out of the output, so a path containing "ELF"
# cannot match; if/else avoids falling through to evmhash when evmsign fails.
if file -b "$PLIK" | grep -q 'ELF'; then
    evmsign
else
    evmhash
fi

This is not an ideal, perfect solution, but it works fine :-)

Second problem - in progress:
rootfs is mounted with the i_version flag, while /var/log, /var/portage, /home ....
are on other partitions without the i_version mount option?
Will it work?

SELinux? I tried several times, but I always have quite a few errors,
while grsec RBAC and configuration in /etc/grsec/policy does not
cause any troubles.

I wonder if I'll find something here interesting:
http://forums.grsecurity.net/viewtopic.php?f=1&t=3535

Thank You

On 10.06.2013 20:45, Sven Vermeulen wrote:
> On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
>> My system:
>> Gentoo Hardened - grsec & pax:
>> Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
>> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
>> 2013
>>
>> I have a few questions about Integrity check using IMA / EVM, as
>> described in this article:
>> http://www.gentoo.org/proj/en/hardened/integrity/
>>
>>
>> How to automatically sign packages installed by Portage for IMA and EVM?
> There's no automated signing documented anywhere yet. You should be able to
> automate it through the hooks Portage provides - you can run the evmctl
> commands as part of the postinst phase.
>
> See
> http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
> for how to interact with the hooks.
>
> I didn't document it, because any automation I currently considered left the
> key and/or its passphrase open (for a while - during the build processes).
> As signing isn't mandatory (without signing, the standard checksums are
> used) you can always sign afterwards (for instance after disconnecting the
> system etc.)
>
>> Is it possible to run the added convenience Portage, acting similarly to
>> currently applying SELinux tags?
> What do you mean with the added convenience Portage?
>
> Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
> attributes with the checksums (and some other metadata) through the kernel
> (nothing we need to do), or with a digital signature (when you call evmctl).
>
>> Is there a tool similar to rlpkg from the policycoreutils package to sign files
>> for EVM / IMA?
> No, not yet. The problem is that signing the files (to make them immutable)
> requires that you know which files are not meant to be writeable in the
> first place. We can apply some "common sense" to it, but it isn't
> error-proof (unlike the SELinux contexts, which are perfectly defined in the
> policy).
>
> But you can easily build something that checks the files provided by qfile,
> and if the file is an ELF binary, sign it. You still need to pass the
> signing key and password to it though.
>
>> Is it possible to use EVM installed in accordance with this guide:
>> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
>> without SELinux?
> You can use SELinux, but you cannot use the custom policy then. Without
> custom policy, things should work - it just checks integrity/recalculates
> integrity after changes for files that are less of a concern to follow
> (performance).
>
>> And in this case (without SELinux), how do I get the EVM/IMA integrity-check
>> policy to leave out locations such as
>> /usr/share
>> /var/log
>> /tmp
>> /var
>> /usr/portage
>> /media
>> where /var, /tmp and /usr are on rootfs?
> Without SELinux context information, it does the integrity checks for all
> files.
>
> Wkr,
> Sven Vermeulen
>
>
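As an added example (not Jacek's script above and not Gentoo's code): a version of the postinst helper that also skips the mutable locations listed in the first post, and detects ELF by its magic bytes instead of grepping file(1) output. The skip list, the key path and the hook location are assumptions.

```shell
#!/bin/bash
# Added example. SKIP_PREFIXES is a constructed list of trees whose files
# are expected to change; signing them would make every legitimate write
# fail verification, so they get neither a signature nor a hash here.
SKIP_PREFIXES="/var/log /var/tmp /tmp /usr/portage /media /home"

# classify PATH: print "skip", "sign" or "hash" for one installed file.
classify() {
    local f="$1" p magic
    for p in $SKIP_PREFIXES; do
        case "$f" in "$p"/*) echo skip; return 0 ;; esac
    done
    # Only regular files carry the xattrs; symlinks and directories are skipped.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo skip
        return 0
    fi
    # Compare the first four bytes with the ELF magic 7f 45 4c 46 rather than
    # grepping file(1) output, which would also match "ELF" in the file name.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo sign   # binary: immutable RSA signature over the file
    else
        echo hash   # data: IMA hash the kernel can recalculate on change
    fi
}

# label_file PATH KEY: run the evmctl command the classification calls for,
# using the same positional key argument as the script in the thread.
label_file() {
    local f="$1" key="$2"
    case "$(classify "$f")" in
        sign) evmctl sign --imasig "$f" "$key" ;;
        hash) evmctl sign --imahash "$f" "$key" ;;
        skip) ;;
    esac
}

# Hook body for /etc/portage/bashrc (assumed location); it only runs when
# Portage sets EBUILD_PHASE, so the functions can be sourced for testing.
if [ "${EBUILD_PHASE:-}" = "postinst" ]; then
    qlist "${PF}" | while IFS= read -r f; do
        label_file "$f" /etc/keys/rsa_private.pem   # key path from the thread
    done
fi
```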
Re: Integrity EVM / IMA - few questions. [ In reply to ]
On Jun 11, 2013 10:11 PM, "Jacek" <wampir98@gmail.com> wrote:
> Second problem - in progress:
> rootfs mount with i_version flags, /var/log, /var/portage, /home ....
> on other partitions, without i_version mount option?
> whether it will work?

You need i_version mounts otherwise changes on files are not detected and
ima/evm wouldn't update their attributes iirc. That would lead to
inaccessible files then.

> SELinux? I tried several times, but I always have quite a few errors,
> while grsec RBAC and configuration in /etc/grsec/policy does not cause
> any troubles.

The problem is that these lack labelling support of any kind. Ima policy
cannot be tweaked based on paths, only on contexts (or filesystem types).

Wkr,
Sven