Linux Integrity Measurement Architecture (IMA) » History » Version 9
Andreas Steffen, 29.04.2014 09:41
Linux Integrity Measurement Architecture (IMA)
Using Trusted Network Connect (TNC) via IKEv2 EAP-TTLS, a Policy Server can perform a TPM-based remote attestation of the IMA measurement list collected by the Linux kernel on a Linux client.
Activate IMA in the Linux Kernel
Ubuntu 14.04 LTS is one of the few Linux distributions which have IMA capability already compiled into their Linux kernel (CONFIG_IMA=y). This has the advantage that no special kernel must be built, which can become quite involved if you intend to use IMA in conjunction with Secure Boot, where the kernel has to be signed. With Ubuntu 14.04 LTS, activating IMA in the kernel is a piece of cake: just append the boot option ima_tcb to the kernel command line in the /etc/default/grub configuration file (keep any options that are already listed there)
GRUB_CMDLINE_LINUX="ima_tcb"
and regenerate the /boot/grub/grub.cfg file with
sudo update-grub
update-grub is Ubuntu's wrapper around grub-mkconfig -o /boot/grub/grub.cfg; grub-mkconfig without -o only prints the generated configuration to stdout and changes nothing. The ima_tcb option activates the TCB measurement policy that is built into the kernel: it measures every executed program, every file mapped executable, every kernel module and, in addition, every file read by root.
Configure the IMA Policy
The default IMA policy that is hard-coded into the kernel (ima_tcb) causes quite a lot of measurement violations. A violation is recorded in the measurement list with an all-zero template hash, while PCR 10 is extended with a value consisting of 0xff bytes only, so that the register no longer corresponds to the measurement list and reliable remote attestation becomes impossible. The cause of the violations is the following default policy entry
measure func=FILE_CHECK mask=MAY_READ uid=0
which measures all files read by root. These are mainly configuration files, some of which are open for writing while they are being read, or are read and then written, which IMA reports as open_writers and ToMToU (time-of-measure, time-of-use) violations. We want to override the default IMA policy at the earliest possible boot stage, which can be done by adding the following ima_policy script to the /etc/initramfs-tools/scripts/init-top/ directory and making it executable (sudo chmod +x /etc/initramfs-tools/scripts/init-top/ima_policy), since initramfs-tools only runs executable scripts. Note that this kernel accepts the policy only once per boot; after a successful write the policy file disappears from securityfs.
#!/bin/sh
# initramfs-tools init-top script: replace the built-in ima_tcb policy
# before anything on the real root file system is opened.
PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
    # get pre-requisites
    prereqs)
        prereqs
        exit 0
        ;;
esac

# mount securityfs (the error is ignored if it is already mounted)
SECURITYFSDIR="/sys/kernel/security"
mount -t securityfs securityfs ${SECURITYFSDIR} >/dev/null 2>&1

# set IMA policy; the kernel accepts exactly one policy write per boot
cat << @EOF > ${SECURITYFSDIR}/ima/policy
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS: executed programs, executable mappings (libraries),
# and kernel modules loaded by root; no plain file reads
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
@EOF
and include it in the initramfs of the latest kernel by executing
sudo update-initramfs -u
IMA Measurement Log
With the updated /boot/grub/grub.cfg boot menu and /boot/initrd.img-3.13.0-xx-generic initramfs in place, you can reboot the Linux client and should then be able to see the IMA measurement log
ls /sys/kernel/security/ima
ascii_runtime_measurements  binary_runtime_measurements  runtime_measurements_count  violations

sudo cat /sys/kernel/security/ima/runtime_measurements_count
1458

sudo less /sys/kernel/security/ima/ascii_runtime_measurements
10 ef2be9c304d9bbbd8ecb40f0d296176d2b5d3078 ima-ng sha1:4663ed64e5dbbb9755a0914b1a15fa76a1797806 boot_aggregate
10 ef411bae164fd624ea94fc9ef82f892c82d78dcd ima-ng sha1:bbe98e20b850f3907611fb96354b5e007a9179f4 /init
10 bd32e452e14f84eb22d6ac9e9e1c61eeac3cd7a4 ima-ng sha1:dc3e621c72cde19593c42a7703e143fd3dad5320 /bin/sh
10 eefd4a6bebd6b001ff587c2335a3dd03535d5a17 ima-ng sha1:d11ce2e31ab441be705df3061a3d6fb7e41a504e /lib64/ld-linux-x86-64.so.2
10 8e8844cba6dc9df17c6980122890487f818e4b28 ima-ng sha1:34efdbd6d562ac04f7e02195022c3f65f7553bd2 /etc/ld.so.cache
10 1f60da15c941fe25a18ee4e8378f0bf3b447a0ab ima-ng sha1:65228a2bbff8ca52d2040ac55499b348f648cc81 /lib/x86_64-linux-gnu/libc.so.6
10 223eb68bfb9f72922506747d3bc4dd76d813b5da ima-ng sha1:65030975e1f3887efd00fbb568f00409b7c256d0 /conf/arch.conf
10 f548183aeb29921c995b625a93c4acd3ef7faaec ima-ng sha1:feb140057713c4f1e383d79b71f6efdafbed7476 /conf/initramfs.conf
10 de528d81c1c203a597c313f54bbe45d54fd0cc18 ima-ng sha1:2231aa397f5b6327973d8fcaf540735fd1e39496 /conf/conf.d/resume
10 cf9a07066457e26219a6f345957a727b07096d8b ima-ng sha1:2199e965dcc97c6814b78528e5a5e690a29c0fd5 /scripts/functions
10 246635237cb7beaec50809203292f8623db6a83f ima-ng sha1:c7c7f8b3ae433ebe08189f143840f737d7711936 /scripts/init-top/ORDER
10 d0dc06f1a392d4505448572cd520b1ba6e53ff14 ima-ng sha1:4975101256fea3bf1e9a6a9ea5a4d97947f4097d /scripts/init-top/all_generic_ide
10 e2aab17444614530ec77595ef3f361bb00490100 ima-ng sha1:76dfee4b97d5327820a87ad4ec99a132a5f32cca /scripts/init-top/blacklist
10 af1d31f96be84501183bf1b6fdba3c06f3a55d9b ima-ng sha1:fe2cc666120b21efa68dd648b76a42b9dc3ded6f /scripts/init-top/ima_policy
10 465108cd35c590785a52eaecd9e997a0f570ada5 ima-ng sha1:a3f4886df912c0550f4e32cec1814e7f92e0218b /sbin/init
10 c78f4cecff4b004c9956c84628e6514a4d39881d ima-ng sha1:d11ce2e31ab441be705df3061a3d6fb7e41a504e /lib/x86_64-linux-gnu/ld-2.19.so
10 847203248af633d214e91dd1b3397e9d462771c7 ima-ng sha1:26837b475d0fb26d4256ce1744f52b264d67b58f /lib/x86_64-linux-gnu/libnih.so.1.0.0
10 367f76edbab585e2441bed7ee66fab6c7a1c0dad ima-ng sha1:d52c92a8019c259f40ae1240372dd598c2a1c54c /lib/x86_64-linux-gnu/libnih-dbus.so.1.0.0
10 b35e07f368b2d129dc9f3fd8ae325a9e3cf01a36 ima-ng sha1:d3892d8e70b27c4638ca8fbeceeed0386b7d672e /lib/x86_64-linux-gnu/libdbus-1.so.3.7.6
10 465a4a6342823c30427ca8374de54acb26bbb9fb ima-ng sha1:580764ad1cb67e7c37f49581ebf6369456795440 /lib/x86_64-linux-gnu/libselinux.so.1
10 5e8baf31a7f08a8e103f0f8174a3432e39161262 ima-ng sha1:91de58ef6be75cf952caecab0f2830c5b3527bbc /lib/x86_64-linux-gnu/libjson-c.so.2.0.0
10 d482b0fa3c1755c99380c279d73b77088c2a5d62 ima-ng sha1:011ea7ea14e6874e9da0245e4e6ed472d02814ed /lib/x86_64-linux-gnu/librt-2.19.so
10 a2733a6feac3a4d293af84f2ce47c1305cabc870 ima-ng sha1:65228a2bbff8ca52d2040ac55499b348f648cc81 /lib/x86_64-linux-gnu/libc-2.19.so
10 5da2378816b820601c8c708614784a7b5de5e8b8 ima-ng sha1:9ecd4089b74f1036c9825c2d082356e9ffb964f3 /lib/x86_64-linux-gnu/libpthread-2.19.so
10 cb8fc9859356d3802b365108d4a8baadf9251135 ima-ng sha1:9afccef2b8c4944cd78d25b87bc9198a3cb82406 /lib/x86_64-linux-gnu/libpcre.so.3.13.1
10 a3d30aa5bc7a24c3dd341d2eaa2ae4824915245a ima-ng sha1:cf26e327ee6f69694b080ae66c2572a6cb9c9c66 /lib/x86_64-linux-gnu/libdl-2.19.so
10 8b39d375a031075939a1621b2b470d0284c1f534 ima-ng sha1:c799f2ccebf69f87afc91520793631b3f0b9692b /lib/x86_64-linux-gnu/libnss_compat-2.19.so
10 ffab1636ff997c9b5040b637fe1cbfeae36988a5 ima-ng sha1:b74430744e6927384b34fd93385f8229b53e2dd7 /lib/x86_64-linux-gnu/libnsl-2.19.so
10 980f0b3422677f12d5af8850067e0b777358a013 ima-ng sha1:7fe4a578af95b0ebf1426573d088f110e5cdd8fe /lib/x86_64-linux-gnu/libnss_nis-2.19.so
10 60bd11e71fcd550996d557efaf1206832fe60cc5 ima-ng sha1:e12cc6838353f93bf43663081293d5891479f96f /lib/x86_64-linux-gnu/libnss_files-2.19.so
10 214c1d89e94ef8e89248a9b010cb7c050b6eef37 ima-ng sha1:8599d27418cf321a855d0c79091f1dfd5bec202d /bin/hostname
10 cb69d6e743aa7b96f011e7b74a37493bca7c5c26 ima-ng sha1:647437c3d7543c7c8d381903834c9ef42eb4cf69 /bin/sh
10 8327121efedbc427cf3f1c80d2d02a015fe422b0 ima-ng sha1:99085b3a04ebce2c38b2dee931a23f088e84bb16 /bin/plymouth-upstart-bridge
10 5cd0c8ff35ffe9948c379ee132ba60963875d9f1 ima-ng sha1:7b655b7d4919cbe1948e40fe04ce442217ce1fd9 /lib/x86_64-linux-gnu/libtinfo.so.5.9
10 2d8f5f5298011a4b895d1417da60c07243e0afbc ima-ng sha1:1484087bd1949292c0c01dce666e03a4bfd0de57 /sbin/ureadahead
10 73a0e5567d03f9a010c3172823ec62d4bb6d13e1 ima-ng sha1:9ff8c658248661954e6b4da063284dc18abe2aa5 /lib/x86_64-linux-gnu/libply.so.2.1.0
...
10 815ace588c5cba9c560cbd44f8a805b658b21d22 ima-ng sha1:399e44c073a182583fcb34bff9f1ef22fbe5b03d /lib/modules/3.13.0-24-generic/kernel/drivers/acpi/video.ko
10 dbae20839a6395223f903297da6319a612d6db71 ima-ng sha1:040dbd5ded576311cc48f26263375497bc8db406 /lib/modules/3.13.0-24-generic/kernel/drivers/macintosh/mac_hid.ko
10 78d4061ae87e40df0dae8e32936c021544591356 ima-ng sha1:ea65564f325a81d9e0f70ef99b9edde6ac8c9e77 /lib/modules/3.13.0-24-generic/kernel/sound/soundcore.ko
10 9e970c33401f9894c08d2fc7eeb49aedf5a53771 ima-ng sha1:37a5ab56786ca71e32ab27908284f31e70e08047 /lib/modules/3.13.0-24-generic/kernel/drivers/char/lp.ko
10 485003485053de26f333f86899c2e3fe5089ed23 ima-ng sha1:32f4cb4902bd0dd582b66d0bc1e8b9add55caf3b /usr/bin/python3
10 cdd7d2565cde332628d79244d81f72f9850354f8 ima-ng sha1:d8637c4e8344a8cb70ceb44b108b11a3bea68948 /usr/sbin/rsyslogd
...
Of the nearly 1500 measurement entries only a few are shown. Each line consists of the PCR index, the template hash (the SHA-1 over the template data, which is the value actually extended into PCR 10), the template name, the file digest and the path under which the file was opened. At the outset, with the default IMA policy still in place, a few configuration files such as /conf/arch.conf or /conf/initramfs.conf are measured. But after the installation of the new IMA policy through the execution of the /scripts/init-top/ima_policy initramfs script, only executable files, dynamic libraries and kernel modules are measured. Since the path is recorded as opened, the same file can appear twice under different names with identical digests (/lib64/ld-linux-x86-64.so.2 and ld-2.19.so, libc.so.6 and libc-2.19.so), while the two /bin/sh entries with different digests are the copy inside the initramfs and the one on the root file system. The listing above also shows that, since Ubuntu 14.04 LTS comes with a Linux 3.13 kernel, the new ima-ng template format is used. It can easily be checked that no violations have occurred
sudo cat /sys/kernel/security/ima/violations
0
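What the attestation server has to do with such a list is recompute every template hash from the file digest and path, and replay PCR 10 from the template hashes, before it trusts a single file digest. The following is an added example, not strongSwan code: it parses ima-ng lines, rebuilds each template hash the way the kernel does (every template field prefixed with its u32 length in host byte order, here assumed little-endian x86; field d-ng is "sha1:" followed by a NUL byte and the raw digest, field n-ng is the path with its terminating NUL; SHA-1 over the concatenation), and extends a simulated PCR 10 with each template hash, or with 0xff bytes for a violation entry. The first four sample lines are copied from the listing above; the fifth, /etc/constructed.conf, is a constructed violation entry.

```python
"""Verify an ima-ng ASCII measurement list and replay PCR 10.

Added example; the sample lines are copied from the listing on this page,
except the last one, which is a constructed violation entry.
"""
import hashlib
import struct
from dataclasses import dataclass

# First four lines: copied from the listing above.  Last line: CONSTRUCTED;
# the kernel records a violation with an all-zero template hash and no file
# digest (the rendering of the empty d-ng field is assumed here).
SAMPLE_LOG = """\
10 ef2be9c304d9bbbd8ecb40f0d296176d2b5d3078 ima-ng sha1:4663ed64e5dbbb9755a0914b1a15fa76a1797806 boot_aggregate
10 ef411bae164fd624ea94fc9ef82f892c82d78dcd ima-ng sha1:bbe98e20b850f3907611fb96354b5e007a9179f4 /init
10 bd32e452e14f84eb22d6ac9e9e1c61eeac3cd7a4 ima-ng sha1:dc3e621c72cde19593c42a7703e143fd3dad5320 /bin/sh
10 eefd4a6bebd6b001ff587c2335a3dd03535d5a17 ima-ng sha1:d11ce2e31ab441be705df3061a3d6fb7e41a504e /lib64/ld-linux-x86-64.so.2
10 0000000000000000000000000000000000000000 ima-ng sha1: /etc/constructed.conf
"""

ZERO20 = bytes(20)        # template hash of a violation entry
FF20 = b"\xff" * 20       # value the kernel extends into the PCR for a violation


@dataclass
class Entry:
    pcr: int
    template_hash: bytes  # SHA-1 over the template data; extended into the PCR
    template: str         # "ima-ng"
    algo: str             # "sha1"
    digest: bytes         # file digest, empty for a violation
    path: str

    @property
    def violation(self) -> bool:
        return self.template_hash == ZERO20


def parse_ima_ng(text: str) -> list:
    """Split ascii_runtime_measurements lines; the path is the last field
    and may itself contain spaces, hence the maxsplit of 4."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, th, template, d_ng, path = line.split(" ", 4)
        algo, _, hexdigest = d_ng.partition(":")
        entries.append(Entry(int(pcr), bytes.fromhex(th), template, algo,
                             bytes.fromhex(hexdigest), path))
    return entries


def ima_ng_template_hash(algo: str, digest: bytes, path: str) -> bytes:
    """Recompute the ima-ng template hash: SHA-1 over each field preceded by
    its u32 length (host byte order, little-endian assumed for x86)."""
    d_ng = algo.encode() + b":\x00" + digest  # "sha1:" NUL raw-digest
    n_ng = path.encode() + b"\x00"            # path with terminating NUL
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()


def extend(pcr: bytes, value: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR := SHA-1(PCR || value)."""
    return hashlib.sha1(pcr + value).digest()


def replay_pcr10(entries) -> bytes:
    """Replay the list from a zeroed PCR; a violation extends 0xff bytes,
    which is why one violation makes the whole list unattestable."""
    pcr = ZERO20
    for e in entries:
        pcr = extend(pcr, FF20 if e.violation else e.template_hash)
    return pcr


def check_log(text: str) -> dict:
    """Report entries whose template hash does not match digest and path
    (a tampered list), violation entries, and the expected PCR 10 value."""
    entries = parse_ima_ng(text)
    mismatches = [e.path for e in entries if not e.violation and
                  ima_ng_template_hash(e.algo, e.digest, e.path) != e.template_hash]
    violations = [e.path for e in entries if e.violation]
    return {"entries": len(entries), "mismatches": mismatches,
            "violations": violations, "pcr10": replay_pcr10(entries).hex()}


if __name__ == "__main__":
    for key, value in check_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In practice the server compares the replayed pcr10 value against PCR 10 in a TPM quote signed by the client's attestation identity key; a list whose replay disagrees with the quote, or that contains a violation, is rejected before any of its file digests is looked up in the reference database.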
TNC Client and Server Logs
These logs were taken in 2012 using an early version of the strongSwan TNC Client and Server software and are based on the legacy IMA measurement format. These logs are going to be updated soon, though.
Since >100 kB of IMA measurement data have to be transferred, the PB-TNC batch and PA-TNC message sizes have been optimized.