Skip to content

Latest commit

 

History

History
606 lines (336 loc) · 15.9 KB

REFERENCE.md

File metadata and controls

606 lines (336 loc) · 15.9 KB
Raw

Reference

Table of Contents

Classes

  • ima: Sets up IMA kernel boot flags if they are not enabled, and mounts the securityfs when they are.
  • ima::appraise: Manage IMA Appraisal To enable IMA appraisal first make sure all your locally mounted file systems with root files on them are mounted with
  • ima::appraise::fixmode: set the ima appraise mode to fix
  • ima::appraise::relabel: This module executes the script to label the files systems with the security.ima attributes and if it is complete, adds resources to set im
  • ima::policy: Manage IMA Policy * The term watch, as used here, means both IMA policy fields dont_measure and dont_appraise. Both lines

Data types

Classes

ima

Sets up IMA kernel boot flags if they are not enabled, and mounts the securityfs when they are.

Parameters

The following parameters are available in the ima class:

enable

Data type: Boolean

Enable IMA on the system

Default value: true

mount_dir

Data type: Stdlib::AbsolutePath

Where to mount the IMA securityfs

Default value: '/sys/kernel/security'

ima_audit

Data type: Boolean

Audit control. Can be set to: true - Enable additional integrity auditing messages false - Enable integrity auditing messages (default)

Default value: false

ima_template

Data type: Ima::Template

A predefined IMA measurement template format.

  • NOTE: This is only valid in kernel version >= 3.13. It is always ima in older versions.

Default value: 'ima-ng'

ima_hash

Data type: String[1]

The list of supported hashes can be found in crypto/hash_infotru.h

Default value: 'sha256'

ima_tcb

Data type: Boolean

Toggle the TCB policy. This means IMA will measure all programs exec'd, files mmap'd for exec, and all file opened for read by uid=0. Defaults to true.

Default value: true

log_max_size

Data type: Integer[1]

The size of the /sys/kernel/security/ima/ascii_runtime_measurements, in bytes, that will cause a reboot notification will be sent to the user.

Default value: 30000000

ima_tcb

Toggle the TCB policy

  • IMA will measure all programs called via exec, files copied via mmap, and all files opened by uid=0.

Default value: true

log_max_size

The size of /sys/kernel/security/ima/ascii_runtime_measurements, in bytes, that will cause a reboot notification will be sent to the user.

Default value: 30000000

ima::appraise

Manage IMA Appraisal

To enable IMA appraisal first make sure all your locally mounted file systems with root files on them are mounted with i_version option.

(TODO: check for this and set if possible)

Then include the ima::appraise module in your classes.

It is also recommended, although not necessary, to enable the management of the ima

policy by including the ima::policy module in you classes because the default

policy is over zealous

When puppet runs it will configure the system to reboot into ima_appraise mode fix.

The system will then need to be rebooted and will notify with an ima_appraise_fix_reboot notice.

When the system is rebooted it will be in fix mode and it will label all the files with the required security.ima filesystem attribute. This takes a while. Puppet will notify not to reboot until this script completes. Puppet will notify with an ima_appraise_enforce_reboot notice when the script completes.

When the system is rebooted it will boot into ima_appraisal in enforce mode.

If you need to update files after the system has been in enforce mode:

  1. Set ima::appraise::force_fixmode to true,
  2. Run puppet and reboot when prompted.

When you have completed the upgrade, run the script /usr/local/bin/ima_security_attr_update.sh.

When the completes, set force_fixmode back to false, rerun puppet, and reboot when prompted.

Troubleshooting:

Parameters

The following parameters are available in the ima::appraise class:

enable

Data type: Boolean

Enable IMA appraise capability. Setting to false will remove IMA appraise boot settings from the system.

Default value: true

relabel_file

Data type: Stdlib::AbsolutePath

The file to touch when the file system needs relabeling

Default value: "${facts['puppet_vardir']}/simp/.ima_relabel"

scriptdir

Data type: Stdlib::AbsolutePath

The directory to place scripts.

Default value: '/usr/local/bin'

force_fixmode

Data type: Boolean

This will force the system into fix_mode so you can update files and then relabel the system - requires a reboot.

Default value: false

ensure_packages

Data type: Simplib::PackageEnsure

Ensure setting for all packages installed by this module

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

ima::appraise::fixmode

set the ima appraise mode to fix

Parameters

The following parameters are available in the ima::appraise::fixmode class:

relabel_file

Data type: StdLib::AbsolutePath

relabel

Data type: Boolean

ima::appraise::relabel

This module executes the script to label the files systems with the security.ima attributes and if it is complete, adds resources to set ima_appraise to enforce mode.

When a the file system needs to be labeled a file, relabel file is created in the appraise class. If this file exists then the script to relabel the files is called and passed the file name. The script will remove the file when it is complete.

The fact ima_security checks the status of the file and also checks if the script is running. If the script is active, no resources are created, if the relabel file exists and and the script is not active, it launches the script if the file does not exist, it calls the class to create the resources for setting the system into enforce mode.

@param relabel_file The location of the file that that indicates a labeling of the file system is needed.

@param scriptdir The directory containing the scripts.

Parameters

The following parameters are available in the ima::appraise::relabel class:

relabel_file

Data type: Stdlib::AbsolutePath

scriptdir

Data type: Stdlib::AbsolutePath

Default value: $ima::appraise::scriptdir

ima::policy

Manage IMA Policy

Parameters

The following parameters are available in the ima::policy class:

manage

Data type: Boolean

Manage IMA policy capability. Setting to false will stop IMA policy services on the system.

Default value: true

dont_watch_proc

Data type: Boolean

Disable IMA hashing of procfs filesystems

Default value: true

dont_watch_sysfs

Data type: Boolean

Disable IMA hashing of sysfs filesystems

Default value: true

dont_watch_debugfs

Data type: Boolean

Disable IMA hashing of debugfs filesystems

Default value: true

dont_watch_tmpfs

Data type: Boolean

Disable IMA hashing of tmpfs filesystems

Default value: true

dont_watch_ramfs

Data type: Boolean

Disable IMA hashing of ramfs filesystems

Default value: true

dont_watch_securityfs

Data type: Boolean

Disable IMA hashing of securityfs filesystems

Default value: true

dont_watch_devpts

Data type: Boolean

Disable IMA hashing of /dev/pts filesystems

Default value: true

dont_watch_binfmtfs

Data type: Boolean

Disable IMA hashing of binfmtfs filesystems

Default value: true

dont_watch_selinux

Data type: Boolean

Disable IMA hashing of selinux_fs filesystems

Default value: true

dont_watch_nfs

Data type: Boolean

Disable IMA hashing of nfs filesystems

Default value: true

dont_watch_cgroup

Data type: Boolean

Disable IMA hashing of cgroup filesystems

Default value: true

dont_watch_initrc_var_log_t

Data type: Boolean

Default value: true

dont_watch_rpm_var_cache_t

Data type: Boolean

Default value: true

dont_watch_puppet_log_t

Data type: Boolean

Default value: true

dont_watch_auditd_log_t

Data type: Boolean

Default value: true

dont_watch_auth_cache_t

Data type: Boolean

Default value: true

dont_watch_fsadm_log_t

Data type: Boolean

Default value: true

dont_watch_rsync_log_t

Data type: Boolean

Default value: true

dont_watch_getty_log_t

Data type: Boolean

Default value: true

dont_watch_nscd_log_t

Data type: Boolean

Default value: true

dont_watch_cron_log_t

Data type: Boolean

Default value: true

dont_watch_lastlog_t

Data type: Boolean

Default value: true

dont_watch_var_log_t

Data type: Boolean

Default value: true

dont_watch_wtmp_t

Data type: Boolean

Default value: true

dont_watch_list

Data type: Array[String]

A list of selinux contexts that shouldn't be watched, merged with all of the parameters above

Default value: []

measure_root_read_files

Data type: Boolean

Monitor all files opened by root

Default value: false

measure_file_mmap

Data type: Boolean

Monitor all files mmapped executable in file_mmap

Default value: false

measure_bprm_check

Data type: Boolean

Monitor all executables in bprm_check

Default value: false

measure_module_check

Data type: Boolean

Default value: false

appraise_fowner

Data type: Boolean

Appraises all files owned by root

Default value: false

Data types

Ima::Template

The Ima::Template data type.

Alias of Enum['ima', 'ima-ng', 'ima-sig']