Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* Whitelisting with IMA
@ 2019-05-12  9:37 m3hm00d
  2019-05-13  9:09 ` Roberto Sassu
  0 siblings, 1 reply; 3+ messages in thread
From: m3hm00d @ 2019-05-12  9:37 UTC (permalink / raw)
  To: linux-integrity

tldr: Is there some way to ask IMA not to open (execute) unknown binaries

Hi all,

I saw some comments on RFC for WhiteEgret LSM. Someone on the same
thread said that IMA could be used for whitelisting as well. Based on
a couple of hours with IMA, it seems to me that IMA can only stop
execution of (altered) binaries whose hash/sign was earlier measured.

If a user installs a new (unknown) application, it seems like IMA is
going to allow that application to run since IMA can't find any
integrity loss since IMA doesn't have any 'good' value against the new
application. Is this correct? Or is there some other option to ask IMA
not to execute any unknown binary?

Kind regards,
m3hm00d

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Whitelisting with IMA
  2019-05-12  9:37 Whitelisting with IMA m3hm00d
@ 2019-05-13  9:09 ` Roberto Sassu
  2019-05-14 17:27   ` m3hm00d
  0 siblings, 1 reply; 3+ messages in thread
From: Roberto Sassu @ 2019-05-13  9:09 UTC (permalink / raw)
  To: m3hm00d, linux-integrity

On 5/12/2019 11:37 AM, m3hm00d wrote:
> tldr: Is there some way to ask IMA not to open (execute) unknown binaries
> 
> Hi all,
> 
> I saw some comments on RFC for WhiteEgret LSM. Someone on the same
> thread said that IMA could be used for whitelisting as well. Based on
> a couple of hours with IMA, it seems to me that IMA can only stop
> execution of (altered) binaries whose hash/sign was earlier measured.

Hi

I'm developing an extension (IMA Digest Lists) to allow access to files
depending on a white list (for example digests in RPM headers). I will
publish a new version soon. For the concept, please have a look at:

https://github.com/euleros/linux/wiki/IMA-Digest-Lists-Extension
https://github.com/euleros/digest-list-tools/wiki/Architecture


> If a user installs a new (unknown) application, it seems like IMA is
> going to allow that application to run since IMA can't find any
> integrity loss since IMA doesn't have any 'good' value against the new
> application. Is this correct? Or is there some other option to ask IMA
> not to execute any unknown binary?

If appraisal is enabled, and the application has no signature/HMAC,
access would be denied. If the application is installed by a package
manager, probably files will have a HMAC and access would be granted
unless the IMA policy requires signatures.

Roberto


> Kind regards,
> m3hm00d
> 

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Whitelisting with IMA
  2019-05-13  9:09 ` Roberto Sassu
@ 2019-05-14 17:27   ` m3hm00d
  0 siblings, 0 replies; 3+ messages in thread
From: m3hm00d @ 2019-05-14 17:27 UTC (permalink / raw)
  To: Roberto Sassu; +Cc: linux-integrity

On Mon, May 13, 2019 at 9:09 AM Roberto Sassu <roberto.sassu@huawei.com> wrote:
>
> On 5/12/2019 11:37 AM, m3hm00d wrote:
> > tldr: Is there some way to ask IMA not to open (execute) unknown binaries
> >
> > Hi all,
> >
> > I saw some comments on RFC for WhiteEgret LSM. Someone on the same
> > thread said that IMA could be used for whitelisting as well. Based on
> > a couple of hours with IMA, it seems to me that IMA can only stop
> > execution of (altered) binaries whose hash/sign was earlier measured.
>
> Hi
>
> I'm developing an extension (IMA Digest Lists) to allow access to files
> depending on a white list (for example digests in RPM headers). I will
> publish a new version soon. For the concept, please have a look at:
>
> https://github.com/euleros/linux/wiki/IMA-Digest-Lists-Extension
> https://github.com/euleros/digest-list-tools/wiki/Architecture
>

Hi there,

Interesting idea. Will definitely look it over.

> > If a user installs a new (unknown) application, it seems like IMA is
> > going to allow that application to run since IMA can't find any
> > integrity loss since IMA doesn't have any 'good' value against the new
> > application. Is this correct? Or is there some other option to ask IMA
> > not to execute any unknown binary?
>
> If appraisal is enabled, and the application has no signature/HMAC,
> access would be denied. If the application is installed by a package
> manager, probably files will have a HMAC and access would be granted
> unless the IMA policy requires signatures.
>

Turns out I was passing `ima_policy=tcb` to kernel. That's (probably)
why no appraisal was happening and even new (unknown) scripts kept
running. After some reading, I changed it to `ima_policy=appraise_tcb`
but the system won't allow me to login now (error saying 'Incorrect
login' or something like that). The best sources of info on IMA for me
were gentoo wiki and project page on soureforge. Could you please
guide me to a more thorough documentation meant for
users/administrators and other people wanting to learn more about
IMA/EVM?


> Roberto

Kind regards,
m3hm00d

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-12  9:37 Whitelisting with IMA m3hm00d
2019-05-13  9:09 ` Roberto Sassu
2019-05-14 17:27   ` m3hm00d

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org linux-integrity@archiver.kernel.org
	public-inbox-index linux-integrity


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/ public-inbox