From: m3hm00d <f.m3hm00d@gmail.com>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: linux-integrity@vger.kernel.org
Subject: Re: Whitelisting with IMA
Date: Tue, 14 May 2019 17:27:48 +0000 [thread overview]
Message-ID: <CAL8qis=yNGkogCVFZwNYCG-Y8ErPdQYf+Ffpbba4QOZNMBUn2Q@mail.gmail.com> (raw)
In-Reply-To: <c4adc9d7-9244-1cbe-693c-2f090851d804@huawei.com>
On Mon, May 13, 2019 at 9:09 AM Roberto Sassu <roberto.sassu@huawei.com> wrote:
>
> On 5/12/2019 11:37 AM, m3hm00d wrote:
> > tldr: Is there some way to ask IMA not to open (execute) unknown binaries
> >
> > Hi all,
> >
> > I saw some comments on RFC for WhiteEgret LSM. Someone on the same
> > thread said that IMA could be used for whitelisting as well. Based on
> > a couple of hours with IMA, it seems to me that IMA can only stop
> > execution of (altered) binaries whose hash/sign was earlier measured.
>
> Hi
>
> I'm developing an extension (IMA Digest Lists) to allow access to files
> depending on a white list (for example digests in RPM headers). I will
> publish a new version soon. For the concept, please have a look at:
>
> https://github.com/euleros/linux/wiki/IMA-Digest-Lists-Extension
> https://github.com/euleros/digest-list-tools/wiki/Architecture
>
Hi there,
Interesting idea. Will definitely look it over.
> > If a user installs a new (unknown) application, it seems like IMA is
> > going to allow that application to run since IMA can't find any
> > integrity loss since IMA doesn't have any 'good' value against the new
> > application. Is this correct? Or is there some other option to ask IMA
> > not to execute any unknown binary?
>
> If appraisal is enabled, and the application has no signature/HMAC,
> access would be denied. If the application is installed by a package
> manager, probably files will have a HMAC and access would be granted
> unless the IMA policy requires signatures.
>
Turns out I was passing `ima_policy=tcb` to kernel. That's (probably)
why no appraisal was happening and even new (unknown) scripts kept
running. After some reading, I changed it to `ima_policy=appraise_tcb`
but the system won't allow me to login now (error saying 'Incorrect
login' or something like that). The best sources of info on IMA for me
were gentoo wiki and project page on soureforge. Could you please
guide me to a more thorough documentation meant for
users/administrators and other people wanting to learn more about
IMA/EVM?
> Roberto
Kind regards,
m3hm00d
prev parent reply other threads:[~2019-05-14 17:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-12 9:37 Whitelisting with IMA m3hm00d
2019-05-13 9:09 ` Roberto Sassu
2019-05-14 17:27 ` m3hm00d [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAL8qis=yNGkogCVFZwNYCG-Y8ErPdQYf+Ffpbba4QOZNMBUn2Q@mail.gmail.com' \
--to=f.m3hm00d@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).