Sunday, June 25, 2017

IMA + IMA appraisal on CentOS 7.3 (Part 1)




A couple of weeks ago I gave a talk at the SysArmyMX meetup about the use of IMA to detect and prevent the execution of unknown files. Except for this, this and this, there is no place on the internet where you can find what IMA is and how to configure it.

Especially, there is no website where policies are shown with real examples. As I promised at the end of the talk, I'll share with you the settings and policies that I showed in the demos.

I decided to write this post in English, first because I want to practice my bad grammar, and secondly because I hope this helps someone else on the internet who is probably looking for examples of IMA.


This is the first of two posts.


The tests were done in a VM with CentOS 7.3, with a Linux kernel 4.11 (June 2017). These are my selections in the kernel security options:



I enabled the option to rewrite the policy only for this test, so that I don't have to reboot the server every time we change the policy.

After building and installing the new kernel, I modified the fstab file to mount the root partition with the iversion flag:


/dev/mapper/cl-root     /                       ext4    noatime,iversion        1 2


Add the word "ima" to the kernel command line in grub, at the end of this line:

crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet ima

After a reboot we can configure the policies. Remember that in this first example we are only going to use IMA measurement (the measure action).

Create a file with the following content:

[root@webmexica ~]# cat politicas
measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC


With these two lines we are telling IMA to hash all the executables and libraries of the system:

All executed files (BPRM_CHECK hook)
All mmapped libraries (FILE_MMAP hook)


Now we load the policy:


[root@webmexica ~]# cat politicas >/sys/kernel/security/ima/policy


We can validate that it was loaded correctly by checking the dmesg logs:


Jun 17 13:48:53 webmexica kernel: IMA: policy update completed


We can look at /sys/kernel/security/ima/ascii_runtime_measurements for the real-time measurement log:


[root@webmexica ~]# cat /sys/kernel/security/ima/ascii_runtime_measurements 
10 51c054e5502a21e9b68c6ea042b094cdbaad789b ima-ng sha1:543d1ffbbc5c2507b21611d5c1021a6fedc5c45a boot_aggregate
10 c19fbf497315c9334828b503cf1a083641babe25 ima-ng sha1:c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d /usr/bin/cat
10 3974c1e62b5dee0d276658dc4f4cadd556bc8760 ima-ng sha1:4c69859c62daec5e8e7978aa1f8334b6003edcd3 /usr/lib64/ld-2.17.so
10 ae8751b3ec20b322a6bbb87f32c9691432ceef83 ima-ng sha1:7dc7e09fa16451aaed5363fc5dedfd3ce5b1634a /usr/lib64/libc-2.17.so


After executing the ls binary:


[root@webmexica ~]# cat /sys/kernel/security/ima/ascii_runtime_measurements 
10 51c054e5502a21e9b68c6ea042b094cdbaad789b ima-ng sha1:543d1ffbbc5c2507b21611d5c1021a6fedc5c45a boot_aggregate
10 c19fbf497315c9334828b503cf1a083641babe25 ima-ng sha1:c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d /usr/bin/cat
10 3974c1e62b5dee0d276658dc4f4cadd556bc8760 ima-ng sha1:4c69859c62daec5e8e7978aa1f8334b6003edcd3 /usr/lib64/ld-2.17.so
10 ae8751b3ec20b322a6bbb87f32c9691432ceef83 ima-ng sha1:7dc7e09fa16451aaed5363fc5dedfd3ce5b1634a /usr/lib64/libc-2.17.so
10 b23e8af2a440dd3e4b78c3428f4e1a400f72574a ima-ng sha1:5ee3ada95c0b0f70765d9c07b5f769ff7a54f5b6 /usr/bin/ls
10 4289af40ded01a99e803579b4d0a6fbc67140e55 ima-ng sha1:79f50f805b118af664597a554d51219df6f1c461 /usr/lib64/libselinux.so.1
10 02112f11302cecbee34fa2425efa76856712339b ima-ng sha1:4f4228771ef954ec28b4bc9f91a0087b37c2ac4b /usr/lib64/libcap.so.2.22
10 2bec4a064a8c95677a0abd54c1efa6b3fb22c18e ima-ng sha1:bc5a3f54716c38af38538faf40f0c779c6c59d19 /usr/lib64/libacl.so.1.1.0
10 c511b44f72045cb62545f92a77f9d5915fff5b30 ima-ng sha1:91c7e62f3e16691e53c49f045fab4be2f9cfe4ce /usr/lib64/libpcre.so.1.2.0
10 409393a5a757759ba3ad8c503d551b7d5569f17d ima-ng sha1:d611ddd0729ea9422c4b9bdbb2fa8a63fba897e6 /usr/lib64/libdl-2.17.so
10 a11004963cf262b0405465e9d39a5ad531a638e2 ima-ng sha1:7c93acbdea5e704954d9c1e723c2aa6b3073810a /usr/lib64/libattr.so.1.1.0
10 abbc13ef2a738ac8df1c33f1baa5c233a67371aa ima-ng sha1:8e4373315c6af96f8e9cda711e8cea40a758b039 /usr/lib64/libpthread-2.17.so

After executing python:

10 51c054e5502a21e9b68c6ea042b094cdbaad789b ima-ng sha1:543d1ffbbc5c2507b21611d5c1021a6fedc5c45a boot_aggregate
10 c19fbf497315c9334828b503cf1a083641babe25 ima-ng sha1:c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d /usr/bin/cat
10 3974c1e62b5dee0d276658dc4f4cadd556bc8760 ima-ng sha1:4c69859c62daec5e8e7978aa1f8334b6003edcd3 /usr/lib64/ld-2.17.so
10 ae8751b3ec20b322a6bbb87f32c9691432ceef83 ima-ng sha1:7dc7e09fa16451aaed5363fc5dedfd3ce5b1634a /usr/lib64/libc-2.17.so
10 b23e8af2a440dd3e4b78c3428f4e1a400f72574a ima-ng sha1:5ee3ada95c0b0f70765d9c07b5f769ff7a54f5b6 /usr/bin/ls
10 4289af40ded01a99e803579b4d0a6fbc67140e55 ima-ng sha1:79f50f805b118af664597a554d51219df6f1c461 /usr/lib64/libselinux.so.1
10 02112f11302cecbee34fa2425efa76856712339b ima-ng sha1:4f4228771ef954ec28b4bc9f91a0087b37c2ac4b /usr/lib64/libcap.so.2.22
10 2bec4a064a8c95677a0abd54c1efa6b3fb22c18e ima-ng sha1:bc5a3f54716c38af38538faf40f0c779c6c59d19 /usr/lib64/libacl.so.1.1.0
10 c511b44f72045cb62545f92a77f9d5915fff5b30 ima-ng sha1:91c7e62f3e16691e53c49f045fab4be2f9cfe4ce /usr/lib64/libpcre.so.1.2.0
10 409393a5a757759ba3ad8c503d551b7d5569f17d ima-ng sha1:d611ddd0729ea9422c4b9bdbb2fa8a63fba897e6 /usr/lib64/libdl-2.17.so
10 a11004963cf262b0405465e9d39a5ad531a638e2 ima-ng sha1:7c93acbdea5e704954d9c1e723c2aa6b3073810a /usr/lib64/libattr.so.1.1.0
10 abbc13ef2a738ac8df1c33f1baa5c233a67371aa ima-ng sha1:8e4373315c6af96f8e9cda711e8cea40a758b039 /usr/lib64/libpthread-2.17.so
10 cb270e0ddbae6b04accdac7478cc2f5f4d703ea9 ima-ng sha1:3d7e77ef34fddefee3ae9f1dff3ef896d6947702 /usr/bin/python2.7
10 d602fe3b70aa5ff11c47b69db433144629af74be ima-ng sha1:77cbe5e6860bc94956471d50ecf0dffe2c73c01e /usr/lib64/libpython2.7.so.1.0
10 6eb99fd3035f9823f15f5f45bb35ccb7c6c9e19f ima-ng sha1:adf472a09b4af8d3c878d6aa0cce0d20871f0138 /usr/lib64/libutil-2.17.so
10 ddbfb20378e69b4b2503e82b0728948bf1d6ecbc ima-ng sha1:1030f25880be0ee9dccff98d2a83c445d24b7de9 /usr/lib64/libm-2.17.so
10 85ea7aa93c4b597ca6197a7b7510a50556878a48 ima-ng sha1:e9e68ce9636e946e6f78cc1568cebd0f2ab6baee /usr/lib64/python2.7/lib-dynload/readline.so
10 b759407cd4454ab1d3a7a005e7431452edd6956b ima-ng sha1:58a3ac9b3246e60dffb298a0e192f15aa6cb0c7f /usr/lib64/libreadline.so.6.2
10 6a9953d143918686bff31b00ef4017e548f6c723 ima-ng sha1:29d2074abc75c8a5e1cf1361c4a6c9c583a99b88 /usr/lib64/libtinfo.so.5.9

As you can see, with these policies IMA only checks executables and libraries. If we want to see all the files that are opened or read on the system, the following rule should be added:


[root@webmexica ~]# cat politicas
measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ   <-------


Load the policy:

[root@webmexica ~]# cat /home/politicas >/sys/kernel/security/ima/policy


We are going to test by opening the /etc/hosts file, and then check the log:


[root@webmexica ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@webmexica ~]#  cat /sys/kernel/security/ima/ascii_runtime_measurements

10 6bb8f03d9309d2d7b196c85dc560064910f07b92 ima-ng sha1:79e8b0c87c61f2446de63b5b1ef9c9bb63f8adda /usr/lib64/security/pam_namespace.so
10 91108d3ecfacad04e91f7ef2b920591d0de491a0 ima-ng sha1:3105a7e07165356ffc4aaf10f03ce6ae2e7c61dd /usr/lib64/security/pam_lastlog.so
10 a6a536b1c8784752b1483ecd87d6920f00fedefb ima-ng sha1:742c23a59a1a8c3cd156862a677acfdd41432c09 /usr/lib64/libfreeblpriv3.so
10 e3eb1f76fcf148d3416c6a8df46c2d4ed59c5fb6 ima-ng sha1:f3362e50370756cdcbf0532407fd0d868724e3f3 /usr/bin/id
10 e86e62ac7a712125c7e222c805e4ab2346d7a84c ima-ng sha1:5b2cb2adea6d8448e58a4c1393c421796dbe9038 /usr/bin/hostname
10 bf3ac285ce1acfbeab933dde63a37de95517d71d ima-ng sha1:3eb29305293b830d4545975f2f368b90ef934670 /usr/libexec/grepconf.sh
10 abccc345b46e11129277b24bcf05e5b71a013834 ima-ng sha1:357aec665c5fd77179efea474ac025bb4d425baf /usr/bin/grep
10 5202f0c81e61abdd62f4d2d92c477f7884b697c6 ima-ng sha1:1100c00ae088221a100f0d21af88daf52db3cd25 /usr/bin/tty
10 864d099e3f90608ad5eda5e73d276588f6c66f2e ima-ng sha1:c5209b6992b5ca6a8b152dddd739b2fcf5e0dcdd /usr/bin/tput
10 1a70f8dbec6b97229023083bc354d709ae854d7a ima-ng sha1:c7f87ae681e30a203f89a71dd521fd3709ec85f7 /usr/bin/dircolors
10 f40f1723157ae150d5b5ccc37ab66389d1e5a9d3 ima-ng sha1:184aeb7dee7830dd3b249667e49e7ca9ac449e4b /usr/bin/vi
10 28c729b5a93b05e10792ef243fe2ebe3633739af ima-ng sha1:b2bb925811ae094415d010772c66c47f5b98ec62 /usr/bin/top
10 7672622380082f8ab5deb8805feec92240efa9bd ima-ng sha1:9cc96a710ae46b17f4e9ebfc1431d207458ad2ca /usr/lib64/libprocps.so.4.0.0
10 ae846e3d4d6a54b5e1cf1fd4ca18eafa8960afe7 ima-ng sha1:7893e9e1c5cc2d5cc386c5ba23fe29429f30e952 /usr/lib64/libncurses.so.5.9
10 8b4b24d41c48bbbd1db39e0c7cdb2cc994149fa8 ima-ng sha1:fd8e9f895913a31afcfa1f01390517f3fd461658 /usr/lib64/libnuma.so.1
10 e63ae45a8f56da7e6e667d1a16316e2e618cf05c ima-ng sha1:47ab3da9a56650a8d6dcdf73554ba540568f7c32 /usr/libexec/postfix/pickup
10 368bf757b0f82138474b0b7cc45418e646c47fb2 ima-ng sha1:3a6a730500993cf577cd2563d8e8216b155be907 /usr/lib64/mysql/libmysqlclient.so.18.0.0
10 534e10f7d23ae218b09e990d0b7a8229d8658bb3 ima-ng sha1:2f2b9b54cd489c31cec0982da6bb035aed0f30d2 /usr/lib64/libssl.so.1.0.1e
10 d1baa1ab088143e7c7d806910cd281dde0ec4df4 ima-ng sha1:bc88edf158618c8085bb295aa64a7ae99eca8057 /usr/lib64/libdb-5.3.so
10 ff1ff048c73b80f8f882278fd9f7b78f7dddbf5b ima-ng sha1:3c80ac33d4bddd909d9e87a630eab56371f5e9e2 /usr/lib64/libstdc++.so.6.0.19
10 5c5dd931394b563f0c938e188fb387f896a5692a ima-ng sha1:ca8080b67b84053f9f492ee14f931dd0418c10c9 /etc/ld.so.cache
10 3a73f7f3041807b280618a03a232e5d8a052ba30 ima-ng sha1:fdedd7a53eb128c4973b4437856e6b8f23ca338a /usr/lib/locale/locale-archive
10 90d0aba46c0898b9700ddc651e54879c16412062 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /sys/kernel/security/ima/ascii_runtime_measurements
10 15c8272e21f6dc9b75116dcc9c07bf216e71a8ef ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/interrupts
10 af4bf8ea3bb3bcb2297bb49268456f4d4f6fddf3 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/stat
10 325251b013a98518b16902cd8d432de49d1ecdff ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/79/smp_affinity
10 3df0a1c81ee8a5580f8bff3e8fc215e65ecc2446 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/45/smp_affinity
10 21ed48de75d057ea2c7f6754fa40af6de4a3553f ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/75/smp_affinity
10 d4a57327eac738a0d5223d0cef8089d0e50f77c9 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/51/smp_affinity
10 fc30eb92aa36c6c25a787f8ab64cb9d35f531785 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/50/smp_affinity
10 1028ae7389c02f2b814af1ef0af48e8773174540 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/82/smp_affinity
10 d0930cd1ea95f2511259d05eef567dd06b1c7bf8 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/80/smp_affinity
10 d08b2a5209e931047ec47da2093cb870ec9c7ce6 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/39/smp_affinity
10 69ca796996d9592b197693c6a9b6c3eb9d4cc8d8 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/77/smp_affinity
10 043668d998db1ff0177cf706db647f2c6898a842 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/71/smp_affinity
10 2a184142ee7b0773af8381d2eec82a41db938ccb ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/43/smp_affinity
10 26f1c63a20cb81f44b3be121ba1481fd7f2d60a3 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/37/smp_affinity
10 54d93bce95b42e3bb5ddfc57aae7947de1a65791 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/83/smp_affinity
10 9697ef9403dedfe9526fe7642c9cdee0ae095028 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/48/smp_affinity
10 8f0c00e622da6a9ef917fa667f797c6f9fec1595 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/47/smp_affinity
10 bb213ed0a4977f43606c2ae93d5c4dd15957dafa ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/41/smp_affinity
10 51c3d578e73dc21af6188e69555eae9272e2be85 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/irq/81/smp_affinity
10 4b155acd9378e65a3a9e8ba59a04fa864ae936fa ima-ng sha1:dcc839541e3f8aecd0b29ef5dfbaea96951f03bb /root/politicas
10 754725bb43c4da931a94f2e23e931597273ec461 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/1967/cgroup
10 abc82976af895960da577f677481c2665b50c0ac ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/1587/cgroup
10 c96ac4e60a69e56489bb824aac87684bbedae4f2 ima-ng sha1:6accc2d80d081ca905147e00a8a7f5c9c2188acc /etc/hosts


As you can see, now all the files that a "cat /etc/hosts" uses are measured by IMA.
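To work with this log programmatically, here is an added example (mine, not the author's) that parses ima-ng lines, recomputes the template hash that IMA extends into PCR 10 (SHA-1 over each template field prefixed by its little-endian u32 length: "sha1:\0" plus the raw digest, then the path plus "\0"), and flags entries whose content digest is the SHA-1 of empty data, which is what the /proc and /sys entries above carry. The two sample lines are copied from the log above; the helper names are mine.

```python
import hashlib
import struct
from typing import List, NamedTuple

# SHA-1 of zero bytes: what the log shows for /proc and /sys files, which report size 0.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Constructed sample: two lines copied from the ascii_runtime_measurements output above.
SAMPLE_LOG = """\
10 c19fbf497315c9334828b503cf1a083641babe25 ima-ng sha1:c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d /usr/bin/cat
10 15c8272e21f6dc9b75116dcc9c07bf216e71a8ef ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /proc/interrupts
"""

class Entry(NamedTuple):
    pcr: int            # TPM PCR the entry is extended into (10 here)
    template_hash: str  # hex SHA-1 over the template fields, column 2
    algo: str           # hash algorithm of the content digest ("sha1")
    file_hash: str      # hex digest of the file content
    path: str           # n-ng field: the path, or "boot_aggregate"

def template_hash(algo: str, file_hash: str, path: str) -> str:
    """Recompute the ima-ng template hash as the kernel does: SHA-1 over each field
    prefixed by its u32 little-endian length (d-ng = "<algo>:\\0"+digest, n-ng = path+"\\0")."""
    d_ng = algo.encode() + b":\x00" + bytes.fromhex(file_hash)
    n_ng = path.encode() + b"\x00"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.hexdigest()

def parse_line(line: str) -> Entry:
    pcr, thash, template, digest, path = line.split(" ", 4)
    if template != "ima-ng":
        raise ValueError("only the ima-ng template is handled, got " + template)
    algo, file_hash = digest.split(":", 1)
    return Entry(int(pcr), thash, algo, file_hash, path)

def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def verify(entry: Entry) -> bool:
    """True when the recorded template hash matches the digest and path columns,
    i.e. the line was not altered after the kernel wrote it."""
    return template_hash(entry.algo, entry.file_hash, entry.path) == entry.template_hash

def format_entry(pcr: int, algo: str, file_hash: str, path: str) -> str:
    """Build a log line the way the kernel would (spaces in the path become '_')."""
    path = path.replace(" ", "_")
    return f"{pcr} {template_hash(algo, file_hash, path)} ima-ng {algo}:{file_hash} {path}"

def empty_content_entries(entries: List[Entry]) -> List[str]:
    """Paths measured with SHA-1("") - they carry no information about the content."""
    return [e.path for e in entries if e.file_hash == EMPTY_SHA1]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = " (empty content)" if e.file_hash == EMPTY_SHA1 else ""
        print(f"{e.path}: template hash {'OK' if verify(e) else 'MISMATCH'}{flag}")
```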


With this policy IMA produces many lines in the log; we can, for example, tell IMA not to measure anything under /proc:

[root@webmexica ~]# cat politicas
#DO NOT measure PROC
dont_measure fsmagic=0x9fa0
measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ

[root@webmexica ~]# cat /home/politicas >/sys/kernel/security/ima/policy

[root@webmexica ~]#  cat /sys/kernel/security/ima/ascii_runtime_measurements

10 07e4619d1595046c982c1c3fa6b938f7029e86cc ima-ng sha1:89f1510e87108c4a06a4ec224d7a3b78fc781adb /usr/lib/modules/4.11.4/kernel/net/ipv4/inet_diag.ko
10 55ffb6b96c29e2c883829d983de1275964f9af1c ima-ng sha1:8e5b0153e801a27d2e65e72b39ca34717ea563ca /usr/lib/modules/4.11.4/kernel/net/ipv4/udp_diag.ko
10 59d3c6213029fb6dfed62fcf6edac83ae3fd1cc3 ima-ng sha1:fa7728134f068f5e920cf11bf4f0b90e69d27f4d /usr/lib/modules/4.11.4/kernel/net/ipv4/tcp_diag.ko
10 e8f74270dc6d379c4d746a311225b8ec8e0ee4c9 ima-ng sha1:ebb578736bd601fc6ae53e60e1dcef1a1bbc2b3b /etc/nsswitch.conf
10 a2e8b429b8eee5a2e36d05d3e60f08fbfb1c8b04 ima-ng sha1:3a07f5d53785c7207f1d53657d65bbf86fb1686f /usr/lib64/libnss_files-2.17.so
10 94af35732167295472ee0a101d581063315f2d0f ima-ng sha1:dd99509345613c64ff5011e7db0dff0ba800911a /etc/services
10 38b769f29631f8ad63aeeaab46dcff28b26da13e ima-ng sha1:39bd512649ce9c26bc38ad402e14233fff50d5cd /usr/lib/modules/4.11.4/kernel/net/dccp/dccp.ko
10 7ae1003ddfb517b3231b183a4588d28d4163f5ab ima-ng sha1:32f6181e79b4db2888eec7cf9d59ec5877539603 /usr/lib/modules/4.11.4/kernel/net/dccp/dccp_diag.ko
10 2c7584986d7b5bf2fe43677e62012ce781ef3e24 ima-ng sha1:5f1a681e8c6e75747ef815ffefc20ee0d1892b49 /etc/resolv.conf
10 c96ac4e60a69e56489bb824aac87684bbedae4f2 ima-ng sha1:6accc2d80d081ca905147e00a8a7f5c9c2188acc /etc/hosts
10 e1984efde42c3c29684b5e2db31f850fe931f720 ima-ng sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 /sys/fs/cgroup/systemd/system.slice/systemd-udevd.service/cgroup.procs
10 28c729b5a93b05e10792ef243fe2ebe3633739af ima-ng sha1:b2bb925811ae094415d010772c66c47f5b98ec62 /usr/bin/top
10 7672622380082f8ab5deb8805feec92240efa9bd ima-ng sha1:9cc96a710ae46b17f4e9ebfc1431d207458ad2ca /usr/lib64/libprocps.so.4.0.0
10 35faa0e3a72e75bce7114727cdfef617a6c535e1 ima-ng sha1:6c55a4b3b7b29567c6fc979cadeb4c8862176d2b /usr/lib64/libsystemd.so.0.6.0
10 ae846e3d4d6a54b5e1cf1fd4ca18eafa8960afe7 ima-ng sha1:7893e9e1c5cc2d5cc386c5ba23fe29429f30e952 /usr/lib64/libncurses.so.5.9
10 6a9953d143918686bff31b00ef4017e548f6c723 ima-ng sha1:29d2074abc75c8a5e1cf1361c4a6c9c583a99b88 /usr/lib64/libtinfo.so.5.9
10 02112f11302cecbee34fa2425efa76856712339b ima-ng sha1:4f4228771ef954ec28b4bc9f91a0087b37c2ac4b /usr/lib64/libcap.so.2.22
10 ddbfb20378e69b4b2503e82b0728948bf1d6ecbc ima-ng sha1:1030f25880be0ee9dccff98d2a83c445d24b7de9 /usr/lib64/libm-2.17.so
10 3547f9c6e16ac644fdf29aa880ae8a3d2df39315 ima-ng sha1:1b8a16c1fcbe0fdb81372b3dbad007500bfa439c /usr/lib64/librt-2.17.so
10 7ec8af909fc50e7529a54d1edac9873dcd203643 ima-ng sha1:49b1d09963fae4940fd392f226e5b121aef4e04d /usr/lib64/libgcrypt.so.11.8.2
10 1b722893d1cacfdf18e23638e35f3a6951b9269d ima-ng sha1:c116da44a183d735e96e27acb66a3341859314d3 /usr/lib64/libgpg-error.so.0.10.0
10 b3ecda88cdfe50a9c4d2d2c5967d58d7792eaa91 ima-ng sha1:3fe9e05d1fb377c7d1c5a18e28bf483b826ada51 /usr/lib64/libresolv-2.17.so
10 fdf003d465f06fca2854254f3ad746dd0a28c017 ima-ng sha1:643658533ce248c7a45cf3309128b4bf6b7eafdf /usr/lib64/libdw-0.166.so
10 a11004963cf262b0405465e9d39a5ad531a638e2 ima-ng sha1:7c93acbdea5e704954d9c1e723c2aa6b3073810a /usr/lib64/libattr.so.1.1.0
10 55ea11d55d81ad1d2c4d028da6e04fe77a9e3df6 ima-ng sha1:872abe954e3ac7788f10b318fcf58ac70f980f77 /usr/lib64/libelf-0.166.so
10 079ca8bbb1c8d45eefb11fbac28dfc627dbc2e75 ima-ng sha1:391a9ae5d49141bb006599d6c07beac58bff7258 /usr/lib64/libbz2.so.1.0.6
10 0705e2d7d0de4dc888871c0480beb96e2b15791d ima-ng sha1:c06ae9b589901858a10f4062d0c95c931b77fbe5 /usr/share/locale/locale.alias
10 8b4b24d41c48bbbd1db39e0c7cdb2cc994149fa8 ima-ng sha1:fd8e9f895913a31afcfa1f01390517f3fd461658 /usr/lib64/libnuma.so.1


If you want to see where that magic number for /proc comes from, you can check here.



Policy to measure only executables and libraries run by the user "prueba", and not to measure some system filesystems (identified by their fsmagic):


dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x858458f6
dont_measure fsmagic=0x73636673
measure func=FILE_MMAP mask=MAY_EXEC uid=1100
measure func=BPRM_CHECK mask=MAY_EXEC uid=1100


[root@webmexica ~]# id prueba
uid=1100(prueba) gid=1100(prueba) groups=1100(prueba)
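The rules above are evaluated in order, and the first measure or dont_measure rule whose conditions all hold decides; with no match, nothing is measured. As an added example (mine, not the author's or the kernel's code), this simulates that walk for the subset of the policy language used in this post (func, mask, fsmagic and uid conditions), so you can predict what the log will contain before loading a policy. The FSMAGIC values are the kernel's linux/magic.h constants; USER_POLICY is a copy of the policy above.

```python
from dataclasses import dataclass
from typing import Dict, List

# Filesystem magic numbers (linux/magic.h): the six excluded by the dont_measure
# rules above, plus ext4, where the post's root filesystem lives.
FSMAGIC = {"proc": 0x9fa0, "sysfs": 0x62656572, "debugfs": 0x64626720,
           "tmpfs": 0x01021994, "ramfs": 0x858458f6, "securityfs": 0x73636673,
           "ext4": 0xEF53}

# Constructed copy of the per-user policy shown above.
USER_POLICY = """\
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x858458f6
dont_measure fsmagic=0x73636673
measure func=FILE_MMAP mask=MAY_EXEC uid=1100
measure func=BPRM_CHECK mask=MAY_EXEC uid=1100
"""

# How each supported condition value is parsed (fsmagic is hex, uid is decimal).
CONVERT = {"fsmagic": lambda v: int(v, 16), "uid": int, "func": str, "mask": str}

@dataclass
class Access:
    func: str      # IMA hook: BPRM_CHECK (exec), FILE_MMAP (mmap), FILE_CHECK (open)
    mask: str      # MAY_EXEC, MAY_READ, ...
    fsmagic: int   # magic of the filesystem holding the file
    uid: int       # uid of the accessing process

def parse_policy(text: str) -> List[tuple]:
    """Parse 'measure'/'dont_measure' rules with func=, mask=, fsmagic= and uid=
    conditions. Lines starting with '#' are comments, as in the kernel parser."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ("measure", "dont_measure"):
            raise ValueError("unsupported action: " + action)
        cond: Dict[str, object] = {}
        for c in conds:
            key, value = c.split("=", 1)
            if key not in CONVERT:
                raise ValueError("unsupported condition: " + key)
            cond[key] = CONVERT[key](value)
        rules.append((action, cond))
    return rules

def decide(rules: List[tuple], access: Access) -> str:
    """First rule whose conditions all hold decides; a rule without conditions
    matches everything. With no match IMA stays silent (hence nothing for root)."""
    for action, cond in rules:
        if all(getattr(access, key) == value for key, value in cond.items()):
            return action
    return "no_rule"
```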


-sh-4.2#  cat /sys/kernel/security/ima/ascii_runtime_measurements
10 51c054e5502a21e9b68c6ea042b094cdbaad789b ima-ng sha1:543d1ffbbc5c2507b21611d5c1021a6fedc5c45a boot_aggregate
10 23975b10c53e626b34254afd71c861f5d9570c69 ima-ng sha1:10a3bb3f0de17a773b0612cce90ec8f1938442af /usr/bin/bash
10 3974c1e62b5dee0d276658dc4f4cadd556bc8760 ima-ng sha1:4c69859c62daec5e8e7978aa1f8334b6003edcd3 /usr/lib64/ld-2.17.so
10 6a9953d143918686bff31b00ef4017e548f6c723 ima-ng sha1:29d2074abc75c8a5e1cf1361c4a6c9c583a99b88 /usr/lib64/libtinfo.so.5.9
10 409393a5a757759ba3ad8c503d551b7d5569f17d ima-ng sha1:d611ddd0729ea9422c4b9bdbb2fa8a63fba897e6 /usr/lib64/libdl-2.17.so
10 ae8751b3ec20b322a6bbb87f32c9691432ceef83 ima-ng sha1:7dc7e09fa16451aaed5363fc5dedfd3ce5b1634a /usr/lib64/libc-2.17.so
10 a2e8b429b8eee5a2e36d05d3e60f08fbfb1c8b04 ima-ng sha1:3a07f5d53785c7207f1d53657d65bbf86fb1686f /usr/lib64/libnss_files-2.17.so
10 e3eb1f76fcf148d3416c6a8df46c2d4ed59c5fb6 ima-ng sha1:f3362e50370756cdcbf0532407fd0d868724e3f3 /usr/bin/id
10 4289af40ded01a99e803579b4d0a6fbc67140e55 ima-ng sha1:79f50f805b118af664597a554d51219df6f1c461 /usr/lib64/libselinux.so.1
10 c511b44f72045cb62545f92a77f9d5915fff5b30 ima-ng sha1:91c7e62f3e16691e53c49f045fab4be2f9cfe4ce /usr/lib64/libpcre.so.1.2.0
10 abbc13ef2a738ac8df1c33f1baa5c233a67371aa ima-ng sha1:8e4373315c6af96f8e9cda711e8cea40a758b039 /usr/lib64/libpthread-2.17.so
10 e86e62ac7a712125c7e222c805e4ab2346d7a84c ima-ng sha1:5b2cb2adea6d8448e58a4c1393c421796dbe9038 /usr/bin/hostname
10 bf8497999e8c9c7784bd12f82fe8b414bc61b5ac ima-ng sha1:55cd99d0a7d663cae07e7fadbe84b2ba0411d6fe /usr/lib64/libnsl-2.17.so
10 bf3ac285ce1acfbeab933dde63a37de95517d71d ima-ng sha1:3eb29305293b830d4545975f2f368b90ef934670 /usr/libexec/grepconf.sh
10 abccc345b46e11129277b24bcf05e5b71a013834 ima-ng sha1:357aec665c5fd77179efea474ac025bb4d425baf /usr/bin/grep
10 5202f0c81e61abdd62f4d2d92c477f7884b697c6 ima-ng sha1:1100c00ae088221a100f0d21af88daf52db3cd25 /usr/bin/tty
10 864d099e3f90608ad5eda5e73d276588f6c66f2e ima-ng sha1:c5209b6992b5ca6a8b152dddd739b2fcf5e0dcdd /usr/bin/tput
10 1a70f8dbec6b97229023083bc354d709ae854d7a ima-ng sha1:c7f87ae681e30a203f89a71dd521fd3709ec85f7 /usr/bin/dircolors
10 77780231132a699c14e28cce9404a54ccee4cfae ima-ng sha1:9120ffedc3290dd81f80ccffcb8693ce16d76c37 /usr/sbin/consoletype
10 f0c05c7c6cc564b2821283662ede611508125fd0 ima-ng sha1:c86d9a79e2b7d2192d799e68cd6f62b298af44ab /usr/bin/date

Nice :)

I hope you find this helpful

More in part 2...

