NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Add Linux Integrity Management NixOS module #12036

Open copumpkin opened 8 years ago

copumpkin commented 8 years ago

This could potentially give us better (and more trustworthy) introspection into changes in our systems.

Documentation is here: http://sourceforge.net/p/linux-ima/wiki/Home/

copumpkin commented 8 years ago

cc @ts468, who surprised me by having already packaged ima-evm-utils when I started adding it myself.

ts468 commented 8 years ago

@copumpkin, just to let you know, I've also got a half-way finished nixos module for it...

copumpkin commented 8 years ago

@ts468 that's awesome! Is the WIP up somewhere I can see it? Are you aiming for a particular feature or are you just modeling the whole feature set of IMA/EVM?

ts468 commented 8 years ago

@copumpkin My aim was to model the whole feature set of IMA/EVM. Unfortunately, I couldn't finish it back then, but here is what I currently have: https://github.com/ts468/nixpkgs/blob/upstream.ima/nixos/modules/system/boot/ima.nix

If I remember correctly, then we would also need some extensions for the nix store to save extended file attributes.

And, there is also TrustedGRUB in NixOS, in case you've got a TPM.

copumpkin commented 8 years ago

@ts468 that looks great, thanks! Do you happen to recall what's missing, if I wanted to pick it up and try to continue working on it? The biggest thing that stands out at first glance is that I don't think it turns on the kernel IMA config flag, right? Would you expect people to enable that manually when setting their machine configuration?

Also, the TrustedGRUB thing is appealing too, but this is more directly useful to me right now.

ts468 commented 8 years ago

@copumpkin Unfortunately, I can't tell you right away what was missing. I probably would have to work through the documentation again as well. But I think if you would look at the documentation of the ima-evm-utils, then you'll quickly see where I derived the module from. Also, there seems to be good documentation for IMA/EVM in a Gentoo wiki, if I recall correctly---at least it was helpful to me ;).

About the kernel IMA flags, they would have to be enabled through the appropriate module options. I don't know how many of them could be absorbed in the default kernel configuration to maybe avoid the custom kernel compilation. The list of flags that I was playing with back then is below.

Hope that helps ;). What's your current plan? What are you trying to achieve?

INTEGRITY y
INTEGRITY_SIGNATURE y
INTEGRITY_ASYMMETRIC_KEYS y
IMA y
IMA_MEASURE_PCR_IDX 10
IMA_LSM_RULES y
IMA_NG_TEMPLATE y
IMA_DEFAULT_TEMPLATE "ima-ng"
IMA_DEFAULT_HASH_SHA256 y
IMA_DEFAULT_HASH "sha256"
IMA_APPRAISE y
EVM y
EVM_ATTR_FSUUID y

KEYS y
PERSISTENT_KEYRINGS y
BIG_KEYS y
TRUSTED_KEYS y
ENCRYPTED_KEYS y

TCG_TIS y
TCG_TPM y
INTEL_TXT y

X509_CERTIFICATE_PARSER y

IMA_APPRAISE_ROOTFS y
IMA_APPRAISE_SIGNED_INIT y
IMA_TRUSTED_KEYRING y
IMA_LOAD_X509 y
IMA_X509_PATH "/etc/keys/x509_ima.der"
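To see which of the options listed in the comment above a given kernel already has, the list can be compared against that kernel's `.config`. The following is an added example, not part of the thread or of nixpkgs: the option list is copied as posted, and the sample `.config` fragment and all function names are constructed for illustration.

```python
import re
import shlex

# Option list as posted in the comment above ("NAME value" pairs).
REQUIRED_TEXT = '''
INTEGRITY y INTEGRITY_SIGNATURE y INTEGRITY_ASYMMETRIC_KEYS y IMA y
IMA_MEASURE_PCR_IDX 10 IMA_LSM_RULES y IMA_NG_TEMPLATE y
IMA_DEFAULT_TEMPLATE "ima-ng" IMA_DEFAULT_HASH_SHA256 y IMA_DEFAULT_HASH "sha256"
IMA_APPRAISE y EVM y EVM_ATTR_FSUUID y
KEYS y PERSISTENT_KEYRINGS y BIG_KEYS y TRUSTED_KEYS y ENCRYPTED_KEYS y
TCG_TIS y TCG_TPM y INTEL_TXT y X509_CERTIFICATE_PARSER y
IMA_APPRAISE_ROOTFS y IMA_APPRAISE_SIGNED_INIT y IMA_TRUSTED_KEYRING y
IMA_LOAD_X509 y IMA_X509_PATH "/etc/keys/x509_ima.der"
'''

# Constructed sample of a kernel .config (not taken from a real NixOS build).
SAMPLE_CONFIG = '''\
CONFIG_INTEGRITY=y
CONFIG_KEYS=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_APPRAISE is not set
CONFIG_EVM=y
CONFIG_TRUSTED_KEYS=m
'''

_SET = re.compile(r'^CONFIG_(\w+)=(.*)$')
_UNSET = re.compile(r'^# CONFIG_(\w+) is not set$')

def parse_required(text):
    """Pair up NAME/value tokens; shlex strips the quotes around strings."""
    tokens = shlex.split(text)
    return dict(zip(tokens[0::2], tokens[1::2]))

def parse_kconfig(text):
    """Map option name -> value; '# CONFIG_X is not set' becomes 'n'."""
    found = {}
    for line in map(str.strip, text.splitlines()):
        if m := _SET.match(line):
            found[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            found[m.group(1)] = "n"
    return found

def audit(required, actual):
    """Return {name: (wanted, found)} for options that differ or are absent.
    Strict comparison: 'm' where the list says 'y' is reported too."""
    return {name: (want, actual.get(name, "missing"))
            for name, want in required.items()
            if actual.get(name, "missing") != want}

if __name__ == "__main__":
    findings = audit(parse_required(REQUIRED_TEXT), parse_kconfig(SAMPLE_CONFIG))
    for name, (want, got) in findings.items():
        print(f"CONFIG_{name}: want {want!r}, found {got!r}")
```

On a running system the same functions can be fed the decompressed contents of `/proc/config.gz`, where the kernel exposes it.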

copumpkin commented 8 years ago

That's all helpful, thank you! I've also been soaking up the Gentoo Hardened wiki for all this stuff :smile:

My goal is basically to improve the picture for "hardened NixOS". The giant ticket #7220 proposes some measures (which I'll probably help with too), and has lots of attention, but I'm also very interested in auditability beyond straight hardening, and that's where this comes in.

ts468 commented 8 years ago

@copumpkin It would be great to see the auditability support improve in NixOS! I'm excited to see how it goes! :)

copumpkin commented 8 years ago

I just added a simple module for controlling the linux audit system last night, if you're into that sort of thing! https://github.com/NixOS/nixpkgs/commit/63bfe20b7253fa579ca1c35d07d1d790475f74c5

But yeah, will keep you posted on progress on this front, and will likely tinker with your existing module!

spacekitteh commented 7 years ago

Any progress?

Profpatsch commented 6 years ago

(triage) yes, any progress?

makefu commented 5 years ago

(1 year later) any progress on the PR? It sure looks interesting!

mike-zueff commented 6 months ago

@ts468 Lennart @poettering suggests the following approach in order to make Linux boot secure:

https://0pointer.net/blog/fitting-everything-together.html

What do you think today? Is IMA/EVM still required nowadays?