Grsec & IMA/EVM Integrity - possible?
Posted: Tue Jun 11, 2013 1:13 pm
Hi
Is it possible to integrate Grsecurity ACL and the IMA/EVM integrity system, so that it would be possible to use /etc/grsec/policy, or another file, to configure how Grsec enforces the IMA file integrity check mechanism, as is currently the case in SELinux?
Without SELinux, IMA/EVM needs to be established for all of the files on the disk, which is difficult and pointless; it is completely sufficient to check ELF files, scripts in the PATH, libraries and configuration files, or only files owned by root, with the exception of logs.
In my opinion, running SELinux only for integrity is pretty pointless if there is a security policy corresponding to Grsec/RBAC.
Or do the Grsec/PaX development plans include any RBAC integration with Integrity?
Because as far as I can see, the EVM mechanism can be integrated with all security modules that are in the kernel
except Grsecurity, while no other kernel mechanism guarantees such precise, accurate and effective protection as Grsecurity/PaX.
Dmesg says:
[0.052405] EVM: security.selinux
[0.052407] EVM: security.SMACK64
[0.052409] EVM: security.ima
[0.052410] EVM: security.capability
In addition, Grsecurity policy can be easily configured, while in the SELinux policies for most Linux systems there are so many errors, and the configuration is so complicated, that sometimes using SELinux becomes meaningless.
Just using IMA/EVM and signing files is not very difficult:
root ~> getfattr -m . -d /usr/bin/sudo
getfattr: Usunięcie wiodącego '/' ze ścieżek bezwzględnych
# file: usr/bin/sudo
security.evm=0sAwF2sLJRAAD2lcZHXyk/rgEEABkwMQm53ned6GniUDz6JJrAyqSVso+9zel+ej4BuOGpTW3KRaPQtc1/mVY5hT1LTmCXwfC9W1zJIUwY3yRuqi4h4O2ZB6Cwf3kDn2zeQ+sVR4b7rvbOiaLbDjOGJ8MiMkRBJZTYTp7+yoLVXBYBON0JQViBtsYUfR6hK1Yfe7Ub
security.ima=0sAwF2sLJRAAD2lcZHXyk/rgEEAB9hc2Q6O29BDo0RQUCrvTWUGx2xdCdY3tkAr2AcIvVXiPH4GB6wnKE3X7wHPCKX+GCkBYLuefjkogGH2MZLoHPtE9YR8Qmt40O3nEdf1ZgSoJtAQcovJxae4LzL0/XhRcKYOh08vTFuwKInkQsOnYYFXCPkBaiwx9fZH4mi84r9
security.selinux="system_u:object_r:sudo_exec_t"
user.pax.flags="MPERS"
Links:
http://www.gentoo.org/proj/en/hardened/integrity/
http://sourceforge.net/apps/mediawiki/l ... =Main_Page
PS
Sorry for my English, my native language is Polish.
Cheers
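
The `security.ima` and `security.evm` values that getfattr prints with a `0s` prefix are base64, and their first byte says whether the file carries a plain digest, an HMAC or a signature. The following is an added example, not part of the original post or of any project's code: it parses `getfattr -m . -d` output and reads the type byte and, for signatures, the kernel's v1 `signature_hdr` layout. The little-endian timestamp and all sample values are assumptions constructed for the example.

```python
import base64
import struct

# First byte of security.ima / security.evm (kernel enum evm_ima_xattr_type).
XATTR_TYPES = {1: "IMA_XATTR_DIGEST", 2: "EVM_XATTR_HMAC", 3: "EVM_IMA_XATTR_DIGSIG"}
# Packed v1 signature_hdr: version, timestamp, algo, hash, keyid[8], nmpi.
# Assumption: the timestamp was written in little-endian host order (x86).
V1_HDR = struct.Struct("<BIBB8sB")


def decode_xattr(value):
    """Summarise one getfattr value; the '0s' prefix marks base64."""
    raw = base64.b64decode(value[2:], validate=True) if value.startswith("0s") else b""
    if not raw:
        raise ValueError("expected a non-empty base64 ('0s') value")
    info = {"type": XATTR_TYPES.get(raw[0], "unknown"), "length": len(raw)}
    body = raw[1:]
    if raw[0] != 3:
        info["digest"] = body.hex()  # plain hash or HMAC, no signature header
        return info
    if len(body) < V1_HDR.size + 2 or body[0] != 1:
        info["note"] = "not a v1 signature header, left undecoded"
        return info
    version, ts, _algo, _hash, keyid, nmpi = V1_HDR.unpack_from(body)
    # An MPI starts with a 2-byte big-endian bit count.
    (bits,) = struct.unpack_from(">H", body, V1_HDR.size)
    info.update(version=version, timestamp=ts, keyid=keyid.hex(),
                nmpi=nmpi, sig_bits=bits)
    return info


def parse_getfattr(text):
    """Map security.ima / security.evm to their decoded summaries."""
    found = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name in ("security.ima", "security.evm"):
            found[name] = decode_xattr(value.strip())
    return found


# Constructed sample (not the values from the post), in getfattr -d layout.
_sig = V1_HDR.pack(1, 1370000000, 0, 0, bytes(range(8)), 1) + b"\x04\x00" + bytes(128)
SAMPLE = "\n".join([
    "# file: usr/bin/example",
    "security.evm=0s" + base64.b64encode(b"\x02" + bytes(20)).decode(),
    "security.ima=0s" + base64.b64encode(b"\x03" + _sig).decode(),
    'user.pax.flags="MPERS"',
])
```

Calling `parse_getfattr(SAMPLE)` returns one summary per integrity xattr; a file whose `security.evm` reports `EVM_XATTR_HMAC` is bound to the local EVM key, while `EVM_IMA_XATTR_DIGSIG` means a portable signature checked against a public key.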