82 lines
3.0 KiB
Plaintext
82 lines
3.0 KiB
Plaintext
These testcases test the Integrity Measurement Architecture(IMA).
|
|
|
|
Requirements
|
|
------------
|
|
|
|
A kernel with IMA configured, mount with i_version support, openssl
|
|
and openssl-devel packages, and auditd, if enabled, with the integrity
|
|
patch, are required to build and run the IMA testsuite.
|
|
|
|
- Enabling IMA in .config will also enable CRYPTO, SECURITYFS, TCG_TPM,
|
|
and TPM_TIS.
|
|
|
|
CONFIG_IMA=y
|
|
CONFIG_IMA_MEASURE_PCR_IDX=10
|
|
CONFIG_IMA_AUDIT=y
|
|
CONFIG_IMA_LSM_RULES=y
|
|
|
|
- Both sysfs and securityfs if not mounted, will be mounted.
|
|
|
|
- The testsuite must be executed with root priveleges so that it
|
|
can access securityfs files, such as: security/ima/policy and
|
|
security/ima/ascii_runtime_measurement.
|
|
|
|
- Both openssl and openssl-devel must be installed, to build the
|
|
testsuite. At runtime, if openssl is not installed, many of the
|
|
tests will skipped.
|
|
|
|
- auditd, if enabled, requires the integrity patch, which is available
|
|
from https://www.redhat.com/archives/linux-audit/2009-March/msg00016.html.
|
|
|
|
- In order to re-measure a file after it changes, the file system must
|
|
be mounted with i_version support(Bugzilla 471593).
|
|
[util-linux-ng-2.14.2-2.fc11.src.rpm]
|
|
|
|
Add 'iversion' in /etc/fstab as:
|
|
dev/hdb1 /home ext2 defaults,iversion 1 2
|
|
|
|
To mount the root partition with i_version support, 'iversion' must
|
|
be added on the remount line in /etc/rc.sysinit:
|
|
# Remount the root filesystem read-write.
|
|
update_boot_stage RCmountfs
|
|
if remount_needed ; then
|
|
action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion /
|
|
fi
|
|
|
|
|
|
Dependency
|
|
----------
|
|
The testsuite is dependent on the default TCB policy being enabled, which
|
|
measures all executables, all files mmapped for execute and all files
|
|
open for read by root. For kernels 2.6.31 and greater, enable the
|
|
trusted computing base(TCB) policy using the ima_tcb=1 boot parameter.
|
|
If the TCB policy has been replaced, loading another measurement
|
|
policy will fail, as the policy may only be replaced once per boot.
|
|
Some of the policy dependency tests might also fail as well.
|
|
|
|
ima_tpm.sh: test02, verifying the PCR-10 value, requires a hard reboot.
|
|
[On Ubuntu, before running the ltp tests, disable /etc/init.d/kexec-load
|
|
and reboot.]
|
|
|
|
Run tests
|
|
---------
|
|
After doing 'make' and 'make install' from the top-level,
|
|
- execute './ltp-full-<version>/runltp -f ima' to run the entire testsuite.
|
|
- To run individual tests, cd into the IMA directory, and add testcases/bin
|
|
to PATH:
|
|
./ltp-full-<version>/testcases/kernel/security/integrity/ima/tests/
|
|
and execute the individual scripts.
|
|
|
|
System State after running the Testsuite
|
|
----------------------------------------
|
|
After running the testsuite, the default measurement policy has been
|
|
replaced with an identical policy. If you want to install a different
|
|
policy, such as an LSM specific one, a reboot is required.
|
|
|
|
More Info to look at
|
|
--------------------
|
|
http://linux-ima.sourceforge.net/ is a good place to start.
|
|
There's also IMA mailing lists
|
|
http://sourceforge.net/projects/linux-ima
|
|
--
|