On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
> My system:
> Gentoo Hardened - grsec & pax:
> /Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
> 2013/
>
> I have a few questions about Integrity check using IMA / EVM, as
> described in this article:
> http://www.gentoo.org/proj/en/hardened/integrity/
>
> How to automatically sign packages installed by Portage for IMA and EVM?

There's no automated signing documented anywhere yet. You should be able to
automate it through the hooks Portage provides - you can run the evmctl
commands as part of the postinst phase. See
http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
for how to interact with the hooks.

I didn't document it, because any automation I currently considered left the
key and/or its passphrase open (for a while - during the build processes). As
signing isn't mandatory (without signing, the standard checksums are used) you
can always sign afterwards (for instance after disconnecting the system etc.)

> Is it possible to run the added convenience Portage, acting similarly to
> currently applying SELinux tags?

What do you mean with the added convenience Portage?

Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
attributes with the checksums (and some other metadata) through the kernel
(nothing we need to do), or with a digital signature (when you call evmctl).

> Is there a tool similar to rlpkg package policycoreutils to sign files
> for EVM / IMA?

No, not yet. The problem is that signing the files (to make them immutable)
requires that you know which files are not meant to be writeable in the first
place. We can apply some "common sense" to it, but it isn't error-proof
(unlike the SELinux contexts, which are perfectly defined in the policy).

But you can easily build something that checks the files provided by qfile,
and if the file is an ELF binary, sign it. You still need to pass the signing
key and password to it though.

> Is it possible to use EVM installed in accordance with this guide:
> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
> without SELinux?

You can use SELinux, but you cannot use the custom policy then. Without custom
policy, things should work - it just checks integrity/recalculates integrity
after changes for files that are less of a concern to follow (performance).

> As in this case (without SELinux) to the EVM/IMA policy integrity check
> that did not include such locations as
> /usr/share
> /var/log
> /tmp
> /var
> /usr/portage
> /media
> Where /var, /tmp and /usr is on rootfs?

Without SELinux context information, it does the integrity checks for all
files.

Wkr,
	Sven Vermeulen
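The reply above sketches the approach twice (run evmctl from a Portage postinst hook; walk a package's installed files and sign the ones that are ELF binaries). The following is an added example of that sketch, not code from the thread or from the Gentoo project. It assumes the Portage VDB under /var/db/pkg (each package's CONTENTS file lists its installed objects), an EVM private key at /etc/keys/privkey_evm.pem, the `evmctl sign --imasig --key` invocation from the Gentoo EVM guide, and that `post_pkg_postinst` in /etc/portage/bashrc sees the ebuild variables CATEGORY and PF; the SIGN_CMD override and the file name /etc/portage/ima-sign.sh are hypothetical conveniences.

```shell
#!/bin/bash
# Added example (not from the thread): functions to sign the ELF objects of
# an installed package with evmctl, meant to be sourced from
# /etc/portage/bashrc and called from the post_pkg_postinst hook.
# Assumptions (not stated in the thread): VDB location, key path and the
# evmctl arguments below; adjust them to your system.

: "${VDB:=/var/db/pkg}"
: "${EVM_KEY:=/etc/keys/privkey_evm.pem}"
# Command that signs one file. It is overridable so the selection logic can
# be exercised without evmctl or a key (e.g. SIGN_CMD="echo would-sign").
: "${SIGN_CMD:=evmctl sign --imasig --key $EVM_KEY}"

# is_elf FILE: true when FILE is a regular file starting with 0x7f 'E' 'L' 'F'.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# vdb_objects CONTENTS_FILE: paths of the regular files ("obj" entries)
# recorded in a package's CONTENTS file. Directories and symlinks are
# skipped; `qlist -o <pkg>` from portage-utils yields the same list.
# (Paths containing spaces would need a more careful parser.)
vdb_objects() {
    awk '$1 == "obj" { print $2 }' "$1"
}

# elf_objects CONTENTS_FILE: the subset of vdb_objects that are ELF files,
# i.e. the "common sense" candidates for immutable, signed files.
elf_objects() {
    vdb_objects "$1" | while IFS= read -r f; do
        is_elf "$f" && printf '%s\n' "$f"
    done
}

# sign_elf_objects CONTENTS_FILE: sign every ELF object. Prints the number
# of files signed and returns non-zero if any signing command failed.
sign_elf_objects() {
    local list f n=0 rc=0
    list=$(elf_objects "$1")
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if $SIGN_CMD "$f"; then n=$((n + 1)); else rc=1; fi
    done <<EOF
$list
EOF
    printf '%d\n' "$n"
    return $rc
}

# ima_sign_package CATEGORY/PF: entry point for the Portage hook.
ima_sign_package() {
    local contents="$VDB/$1/CONTENTS"
    [ -r "$contents" ] || { echo "no CONTENTS for $1" >&2; return 1; }
    sign_elf_objects "$contents"
}

# Hook wiring in /etc/portage/bashrc (see the handbook chapter linked in the
# reply). The key must be readable by the build process for this to work,
# which is the exposure the reply warns about.
#   source /etc/portage/ima-sign.sh
#   post_pkg_postinst() { ima_sign_package "${CATEGORY}/${PF}" >/dev/null; }
```

Signing only "obj" entries that carry the ELF magic mirrors the heuristic in the reply: it leaves configuration files, documentation and anything under /var untouched, so a later legitimate write does not trip an EVM signature mismatch. The count returned by sign_elf_objects gives the hook something to log, and a non-zero exit surfaces a failed signing in the emerge output rather than silently leaving an unsigned binary behind.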