Using EVM on your system is currently only recommended for development purposes.

The Linux kernel offers a security interface that allows new technologies to properly "hook in" to the Linux kernel and extend its capabilities with more security-related features. This interface is called LSM (Linux Security Modules) and is used by technologies such as SELinux, SMACK and IMA, as well as many others.

Many of these security technologies use extended attributes for storing information about the state of resources on the system. SELinux for instance uses the security.selinux extended attribute to store the SELinux security context of a file, directory or other resource. The Linux Integrity Measurement Architecture (IMA) uses the security.ima extended attribute to store a valid hash of the file in order to detect and prevent offline tampering of files.

But if all this information is stored in extended attributes, then offline tampering of files (and guest images) allows an attacker to circumvent security rules: he can change the label of a file he wants access to once the guest is operational (/etc/shadow is an obvious example of this, say relabelling it etc_t). Once done, and the guest boots, none of the technologies in place will detect that the extended attribute has been tampered with: SELinux reads the context and treats the file as a regular /etc file. And IMA doesn't prevent this either, since the file itself has not been tampered with.

Enter EVM, the Extended Verification Module. With EVM, the security-sensitive extended attributes are verified against offline tampering. To accomplish this, EVM creates a cryptographic hash (actually an HMAC) or a signature of the extended attributes, made with a key loaded at boot time. This hash/signature is validated every time the extended attributes of a resource are consulted, and the action is only allowed if the hash or signature checks out. A malicious person will need access to this key in order to tamper with the extended attributes (and, if IMA is enabled, to tamper with the files). Although the key needs to be loaded at boot time, a couple of mechanisms exist to seal it away:

Use a TPM to seal the key. This creates what is called a trusted key, as it cannot be found (unencrypted) on the file system at any time.
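To make the division of labour between IMA and EVM concrete, here is an added toy model (example code, not the page's own nor the kernel's implementation). It keeps a file's security.* extended attributes in a plain dictionary instead of reading a real filesystem: security.ima holds a hash of the contents, security.evm holds an HMAC over the other protected xattrs, and the HMAC key is a constructed stand-in for the key EVM loads from the kernel keyring at boot. The real kernel HMAC additionally covers inode metadata (inode number, generation, uid, gid, mode and the filesystem UUID); that is left out here so the effect of an offline relabel stands out. The xattr names security.selinux and security.evm are the ones EVM and SELinux actually use; the SELinux contexts and file contents are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: contents of a sensitive file as a guest image might hold it.
# Not real system data.
SAMPLE_CONTENT = b"root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"


def ima_hash(content: bytes) -> bytes:
    """IMA-style measurement: a digest of the file contents (sha256 here)."""
    return hashlib.sha256(content).digest()


def evm_hmac(key: bytes, xattrs: dict) -> bytes:
    """EVM-style HMAC over the protected xattrs.

    Simplified model: the kernel's HMAC also binds inode metadata and the
    filesystem UUID. security.evm itself is never part of its own input.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in sorted(xattrs):  # deterministic order, like a fixed xattr list
        if name == "security.evm":
            continue
        mac.update(name.encode() + b"\0")
        mac.update(xattrs[name] + b"\0")
    return mac.digest()


def label_file(key: bytes, content: bytes, selinux_ctx: bytes) -> dict:
    """Return the xattrs a correctly labelled and measured file would carry."""
    xattrs = {
        "security.selinux": selinux_ctx,
        "security.ima": ima_hash(content),
    }
    xattrs["security.evm"] = evm_hmac(key, xattrs)
    return xattrs


def ima_ok(xattrs: dict, content: bytes) -> bool:
    """IMA appraisal: does the stored hash match the current contents?"""
    return hmac.compare_digest(xattrs["security.ima"], ima_hash(content))


def evm_ok(key: bytes, xattrs: dict) -> bool:
    """EVM verification: does the stored HMAC match the current xattrs?"""
    return hmac.compare_digest(xattrs["security.evm"], evm_hmac(key, xattrs))


def check(key: bytes, xattrs: dict, content: bytes) -> dict:
    return {"ima": ima_ok(xattrs, content), "evm": evm_ok(key, xattrs)}


def demo() -> dict:
    # Constructed stand-in for the boot-time key held in the kernel keyring.
    key = b"constructed-boot-time-evm-hmac-key"
    good = label_file(key, SAMPLE_CONTENT, b"system_u:object_r:shadow_t:s0\0")

    # Offline relabel while the guest is down: contents untouched, label changed.
    # IMA sees nothing wrong; only the xattr HMAC catches it.
    relabelled = dict(good)
    relabelled["security.selinux"] = b"system_u:object_r:etc_t:s0\0"

    # Offline content change with the xattrs left alone: IMA's job to catch.
    edited_content = SAMPLE_CONTENT.replace(b"99999", b"00000")

    return {
        "clean": check(key, good, SAMPLE_CONTENT),
        "relabelled": check(key, relabelled, SAMPLE_CONTENT),
        "edited": check(key, good, edited_content),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:11s} IMA ok={result['ima']!s:5s} EVM ok={result['evm']}")
```

Running the block prints one line per case: the clean file passes both checks, the relabelled file passes IMA but fails EVM, and the edited file fails IMA while its unchanged xattrs still verify under EVM. That last case is why the two are deployed together: EVM vouches for the metadata, IMA for the contents, and both only hold as long as the HMAC key stays out of the attacker's reach, hence the interest in sealing it with a TPM.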