Thanks. First problem solved:

if [ "${EBUILD_PHASE}" == "postinst" ]; then
    # qlist (app-portage/portage-utils) lists the files owned by the package;
    # read it line by line so that paths containing spaces stay intact
    qlist "${PF}" | while IFS= read -r plik; do
        /usr/local/sbin/evmsign.sh "$plik" 2>/dev/null
    done
    echo "Zainstalowane ${PF} ;)"
fi

And the script evmsign.sh:

#!/bin/bash

PLIK="$1"

# echo "The file is called $PLIK"

# ELF binaries get an IMA signature, everything else only an IMA hash
function evmsign {
    echo "Podpisuję (imasign) $PLIK"
    evmctl sign --imasig "$PLIK" /etc/keys/rsa_private.pem
}
function evmhash {
    echo "Robię hash dla $PLIK"
    evmctl sign --imahash "$PLIK" /etc/keys/rsa_private.pem
}

# file -b prints the type without the file name, so a path that happens to
# contain "ELF" is not mistaken for a binary; if/else makes sure the hash
# branch does not also run when signing fails
if file -b "$PLIK" | grep -q 'ELF'; then
    evmsign
else
    evmhash
fi

This is not an ideal, perfect solution, but it works fine :-)

Second problem - in progress: rootfs mounted with the i_version flag, and /var/log, /var/portage, /home .... on other partitions, without the i_version mount option? Will it work?

SELinux? I tried several times, but I always have quite a few errors, while grsec RBAC and the configuration in /etc/grsec/policy do not cause any troubles. I wonder if I'll find something interesting here: http://forums.grsecurity.net/viewtopic.php?f=1&t=3535

Thank You

On 10.06.2013 20:45, Sven Vermeulen wrote:
> On Sat, Jun 08, 2013 at 10:07:17AM +0200, Jacek wrote:
>> My system:
>> Gentoo Hardened - grsec & pax:
>> Linux version 3.9.4-grie5 (root@localhost) (gcc version 4.6.3 (Gentoo
>> Hardened 4.6.3 p1.5, pie-0.5.2) ) #6 SMP PREEMPT Fri Jun 7 19:05:38 CEST
>> 2013
>>
>> I have a few questions about the integrity check using IMA / EVM, as
>> described in this article:
>> http://www.gentoo.org/proj/en/hardened/integrity/
>>
>> How to automatically sign packages installed by Portage for IMA and EVM?
> There's no automated signing documented anywhere yet. You should be able to
> automate it through the hooks Portage provides - you can run the evmctl
> commands as part of the postinst phase.
>
> See
> http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?part=3&chap=6#doc_chap3
> for how to interact with the hooks.
>
> I didn't document it, because any automation I currently considered left the
> key and/or its passphrase open (for a while - during the build processes).
> As signing isn't mandatory (without signing, the standard checksums are
> used) you can always sign afterwards (for instance after disconnecting the
> system etc.)
>
>> Is it possible to run the added convenience Portage, acting similarly to
>> currently applying SELinux tags?
> What do you mean with the added convenience Portage?
>
> Unlike SELinux, IMA/EVM has no notion of labels. It either fills up the
> attributes with the checksums (and some other metadata) through the kernel
> (nothing we need to do), or with a digital signature (when you call evmctl).
>
>> Is there a tool similar to rlpkg from the package policycoreutils to sign
>> files for EVM / IMA?
> No, not yet. The problem is that signing the files (to make them immutable)
> requires that you know which files are not meant to be writeable in the
> first place. We can apply some "common sense" to it, but it isn't
> error-proof (unlike the SELinux contexts, which are perfectly defined in the
> policy).
>
> But you can easily build something that checks the files provided by qfile,
> and if the file is an ELF binary, sign it. You still need to pass the
> signing key and password to it though.
>
>> Is it possible to use EVM installed in accordance with this guide:
>> http://www.gentoo.org/proj/en/hardened/integrity/docs/evm-guide.xml
>> without SELinux?
> You can use SELinux, but you cannot use the custom policy then. Without
> custom policy, things should work - it just checks integrity/recalculates
> integrity after changes for files that are less of a concern to follow
> (performance).
>
>> As in this case (without SELinux), how to get an EVM/IMA integrity-check
>> policy that does not include such locations as
>> /usr/share
>> /var/log
>> /tmp
>> /var
>> /usr/portage
>> /media
>> where /var, /tmp and /usr are on rootfs?
> Without SELinux context information, it does the integrity checks for all
> files.
>
> Wkr,
> Sven Vermeulen
>
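The hook and evmsign.sh above work, but they word-split qlist output, hide every evmctl error with 2>/dev/null, and decide "ELF or not" by grepping file(1) output (which includes the path, so a file whose name contains "ELF" gets a signature it should not). The following is an added example, not code from the thread or from Gentoo, showing the same postinst idea written more defensively: it classifies each path from the ELF magic bytes, skips symlinks and directories, reads paths line by line, and reports failures. Two things are assumptions that the original does not state: evmctl accepting --key for the key path (the posted script passes the key positionally), and the EVMCTL / EVM_KEY variables, which are hypothetical knobs added here so the signing command can be redirected to a stub when checking the logic on a machine without IMA/EVM keys. Sven's caveat still applies unchanged: whatever runs in postinst has the private key (and its passphrase, if any) available during the build.

```shell
#!/bin/bash
# Added example (not from the thread): a more defensive postinst signing hook.
# Assumed, not from the original: evmctl accepts --key; EVMCTL and EVM_KEY are
# hypothetical override variables so the command can be pointed at a stub.

: "${EVMCTL:=evmctl}"
: "${EVM_KEY:=/etc/keys/rsa_private.pem}"

# Decide how a path should be handled:
#   imasig  - regular ELF file: IMA signature (file becomes immutable)
#   imahash - other regular file: IMA hash only (kernel may update it later)
#   skip    - directory, symlink, device, or missing/unreadable path
# The ELF check reads the magic bytes instead of grepping file(1) output,
# whose first field is the path itself and can contain the string "ELF".
ima_mode_for() {
    local path="$1" magic
    if [ ! -f "$path" ] || [ -L "$path" ] || [ ! -r "$path" ]; then
        echo skip
        return 0
    fi
    magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then   # 0x7f 'E' 'L' 'F'
        echo imasig
    else
        echo imahash
    fi
}

# Sign or hash every path read from stdin, one per line. Reading line by line
# (rather than word-splitting qlist output) keeps paths with spaces intact.
# Errors are not silenced; the exit status says whether any file failed.
sign_file_list() {
    local path mode status=0
    while IFS= read -r path; do
        mode=$(ima_mode_for "$path")
        case "$mode" in
            skip) continue ;;
            imasig)  "$EVMCTL" sign --imasig  --key "$EVM_KEY" "$path" || status=1 ;;
            imahash) "$EVMCTL" sign --imahash --key "$EVM_KEY" "$path" || status=1 ;;
        esac
    done
    return "$status"
}

# Portage bashrc hook: only act after the package's files have been merged.
# qlist comes from app-portage/portage-utils, as in the thread.
if [ "${EBUILD_PHASE:-}" = "postinst" ]; then
    qlist "${CATEGORY}/${PF}" | sign_file_list \
        || echo "evm: some files of ${PF} were not signed" >&2
fi
```

Dropped into /etc/portage/bashrc (or sourced from it), the hook runs once per merged package; on a box without keys, set EVMCTL to a script that just logs its arguments to see which files would be signed and which only hashed.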