
Grsec & IMA/EVM Integrity - possible?

PostPosted: Tue Jun 11, 2013 1:13 pm
by jacekalex

Is it possible to integrate the Grsecurity RBAC/ACL with the IMA/EVM integrity subsystem, so that /etc/grsec/policy (or another file) could be used to configure which files grsecurity requires to pass the IMA integrity check, as is currently the case with SELinux?

Without SELinux, IMA/EVM have to be applied to every file on disk, which is difficult and pointless; it would be completely sufficient to check ELF files and scripts in the PATH, libraries and configuration files, or only files owned by root, with the exception of logs.
In my opinion running SELinux only for integrity is pretty pointless if the security policy is already provided by grsec RBAC.

Or are there any plans in grsecurity/PaX development to integrate RBAC with the integrity subsystem? :wink:

Because as far as I can see, the EVM mechanism can be integrated with all the security modules in the kernel except grsecurity, although no other kernel mechanism provides protection as precise, accurate and effective as grsecurity/PaX.

Dmesg says:
[0.052405] EVM: security.selinux
[0.052407] EVM: security.SMACK64
[0.052409] EVM: security.ima
[0.052410] EVM: security.capability

In addition, grsecurity policy can be configured easily, while the SELinux policies for most Linux systems contain so many errors, and the configuration is so complicated, that using SELinux sometimes becomes meaningless. :evil: :cry: :evil:

Just using IMA / EVM and signing files is not very difficult:
root ~> getfattr -m . -d /usr/bin/sudo
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/sudo

Links: ... =Main_Page

Sorry for my English, my native language is Polish. ;)
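As an added example (not code from the thread, grsecurity or the IMA project), the following script implements the scope jacekalex proposes above and reports files inside it that carry no security.ima extended attribute: ELF binaries and scripts in the PATH directories, shared libraries, and configuration files, restricted to root-owned files and excluding logs. The directory lists, the "root-owned" rule and the log exclusion are the poster's proposal, not IMA requirements, and are parameters so they can be adjusted.

```python
"""
List in-scope files that have no IMA hash/signature xattr.

Added example, not code from the forum thread, grsecurity or IMA.
Assumptions: Linux with os.listxattr (Python 3.3+); the directory
lists and the root-owned / no-logs rule below follow the forum
proposal and are adjustable parameters.
"""
import os
import stat
from typing import Iterable, Iterator, List

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
IMA_XATTR = "security.ima"   # IMA keeps the file hash or signature here

# Assumed scope (from the forum proposal); adjust for your system.
BIN_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin",
            "/usr/local/bin", "/usr/local/sbin"]
LIB_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"]
CONF_DIRS = ["/etc"]
EXCLUDED_PREFIXES = ("/var/log",)


def _under(path: str, prefixes: Iterable[str]) -> bool:
    """True if path lies below one of the given directory prefixes."""
    return any(path.startswith(p.rstrip("/") + "/") for p in prefixes)


def is_elf_or_script(path: str) -> bool:
    """True if the file starts with the ELF magic or a '#!' shebang."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return False
    return head.startswith(ELF_MAGIC) or head.startswith(SHEBANG)


def in_scope(path: str, st: os.stat_result, owner_uid: int = 0,
             conf_roots: Iterable[str] = CONF_DIRS,
             excluded: Iterable[str] = EXCLUDED_PREFIXES) -> bool:
    """Regular file owned by owner_uid, not under an excluded prefix, and
    either a config file (by location) or ELF/script (by content)."""
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
        return False
    if _under(path, excluded):
        return False
    if _under(path, conf_roots):
        return True          # config files: no content check needed
    return is_elf_or_script(path)


def has_xattr(path: str, name: str = IMA_XATTR) -> bool:
    """True if `name` appears in the file's xattr list (no symlink follow)."""
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:            # non-Linux platform
        return False
    try:
        return name in listxattr(path, follow_symlinks=False)
    except OSError:
        return False


def walk_files(roots: Iterable[str]) -> Iterator[str]:
    """Yield every path below the given roots (symlinked dirs not followed)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                yield os.path.join(dirpath, fn)


def unsigned_in_scope(roots: Iterable[str], owner_uid: int = 0,
                      conf_roots: Iterable[str] = CONF_DIRS,
                      excluded: Iterable[str] = EXCLUDED_PREFIXES,
                      xattr_name: str = IMA_XATTR) -> List[str]:
    """Sorted list of in-scope files lacking xattr_name. Files reached through
    several paths (e.g. /bin -> /usr/bin) are reported once, via (dev, inode)."""
    seen = set()
    missing = []
    for path in walk_files(roots):
        try:
            st = os.lstat(path)
        except OSError:
            continue
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue
        seen.add(key)
        if in_scope(path, st, owner_uid, conf_roots, excluded) \
                and not has_xattr(path, xattr_name):
            missing.append(path)
    return sorted(missing)


if __name__ == "__main__":
    for p in unsigned_in_scope(BIN_DIRS + LIB_DIRS + CONF_DIRS):
        print(p)
```

Run it as root on a system with IMA appraisal configured to see which files in the proposed scope would still fail an appraisal; the content test (ELF magic or shebang) is what keeps data files in /usr/bin out of the list.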


Re: Grsec & IMA/EVM Integrity - possible?

PostPosted: Tue Jun 11, 2013 5:48 pm
by spender
What's the point of signing files if you can enforce just as strong modification protection on them through policy?

IMA is just security mumbo jumbo with some buzz words thrown in to make it "novel". See in my enlightenment framework where I invisibly disable IMA, demonstrating its uselessness (it intends to detect root-level compromises, but cannot do so in reality). We have no need for EVM, as RBAC stores no information in extended attributes, so there's no opportunity for offline attack as EVM is designed to prevent.
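For concreteness, this is the kind of RBAC policy fragment spender's argument rests on. It is an added illustration in the /etc/grsec/policy format, not text from the thread and not a complete or vetted policy: in the default role, system binaries, libraries and /etc are readable and executable but not writable, so a subject under this policy cannot modify them whatever a signature check would say, and the policy itself is hidden from it.

```text
role admin sA
subject / rvka
	/			rwcdmlxi

role default G
role_transitions admin
subject /
	/			r
	/bin			rx
	/sbin			rx
	/lib			rx
	/usr			rx
	/etc			rx
	/etc/grsec		h
	/var/log		r
	/tmp			rwcd
	/home			rwxcd

	-CAP_ALL
	bind	disabled
	connect	disabled
```

Object modes: r read, w write, x execute, c create, d delete, h hidden (the path is invisible to the subject). Only a transition to the admin role, which grsecurity gates through gradm authentication, gets write access to the protected trees.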