Re: Repository of audit events
On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote:
Hi Mimi,
On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
For those of us not really up on IMA and just want to generate the event to
add to our collection, any tips on doing this?
Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (eg. audit func=BPRM_CHECK
mask=MAY_EXEC).
*Directions below for loading a policy.
> > Missing INTEGRITY_DATA
>
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)
How would I cause this event to be generated if I wanted to see it?
Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (eg.
measure func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0,
audit func=BPRM_CHECK mask=MAY_EXEC). Both the boot command line
options 'ima_tcb' and 'ima_appraise_tcb' have these rules. Unlabeled
filesystems would require the additional boot command line option
'ima_appraise=fix'.
> > Missing INTEGRITY_HASH
>
> Not used.
OK, I'll mark that deprecated.
> > Missing INTEGRITY_METADATA
>
> Before updating/removing 'security.evm' the xattr or modifying file
> metadata included in the HMAC calculation(eg. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)
How to get it?
In addition to the IMA/IMA-appraisal config options, requires
CONFIG_EVM=y. Assuming you've created an EVM key and loaded it, EVM is
enabled. (dracut has an EVM module.) Unlabeled filesystems would
require the additional boot command line option 'ima_evm=fix'.
> > Missing INTEGRITY_STATUS
>
> Errors related to the IMA policy.
How to get it?
Directions for loading a policy: to load a policy or replace the boot
command line 'ima_tcb'/'ima_appraisal_tcb' policies, cat the new policy
to /sys/kernel/security/ima/config. The IMA LTP testsuite has examples.
Mimi