fix some bugs

This commit is contained in:
jinlun 2024-12-10 14:11:16 +08:00
parent 266ba061b6
commit 58a2ac093d
6 changed files with 767 additions and 36 deletions


@ -1,19 +1,18 @@
From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
From: xuce <xuce10@h-partners.com>
Date: Thu, 28 Nov 2024 21:36:23 +0800
Subject: [PATCH] Add example of how to import digest list when using IMA
From dc3260fb393cdf1163fc8b8b3e3532ead800a686 Mon Sep 17 00:00:00 2001
From: xucee <xuce10@h-partners.com>
Date: Thu, 28 Nov 2024 21:01:12 +0800
Subject: Add example of how to import digest list when using IMA
appraise
Signed-off-by: xuce <xuce10@h-partners.com>
---
secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
secconf/gen/gen_ima | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
index 6436c78..a657614 100644
--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
@@ -155,7 +155,15 @@ fi
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 6436c78..0657cdf 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -155,7 +155,14 @@ fi
if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
@ -21,8 +20,7 @@ index 6436c78..a657614 100644
+ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
+1)generate digest list by gen_digest_lists
+2)sign it with evmctl
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
+el.
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_del.
+Here is an example:
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
+2)evmctl ima_sign --key /path/to/ima.key -a sha256 <DIGEST_LIST_PATH>


@ -0,0 +1,107 @@
From 59722538bfc1c500ba6124aca3533ff6811c6616 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Thu, 5 Dec 2024 20:27:36 +0800
Subject: add the wget timeout mechanism and optimize the dim
check the modsign script is optimized.
---
secconf/check/check_dim | 3 ++-
secconf/check/check_modsign | 4 ++--
secconf/check/check_secure_boot | 2 +-
secconf/gen/gen_modsign | 4 ++--
secconf/gen/gen_secure_boot | 2 +-
5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index bfad32d..0166a97 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -82,7 +82,7 @@ dim_comm()
else
echo "Skip the baseline file consistency check."
fi
-{{end}}{{ if .BaselineIsEnable }}
+{{end}}
echo "Checking whether the DIM kernel module is loaded"
lsmod | grep dim_monitor &> /dev/null
if [ $? -eq 0 ]; then
@@ -98,6 +98,7 @@ dim_comm()
echo "Error! dim_core is not loaded!"
return 1
fi
+{{ if .BaselineIsEnable }}
echo "Checking if baseline is configured..."
cat /sys/kernel/security/dim/monitor_ascii_runtime_measurements | wc -l | grep 2 &> /dev/null
if [ $? -ne 0 ]; then
diff --git a/secconf/check/check_modsign b/secconf/check/check_modsign
index 99d7a00..143d319 100644
--- a/secconf/check/check_modsign
+++ b/secconf/check/check_modsign
@@ -7,7 +7,7 @@ modsign_comm()
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
fi
{{ if .Enable }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
if [ $? -eq 0 ]; then
echo "Kernel Module Signature Verification has been configured."
fi
@@ -18,7 +18,7 @@ modsign_comm()
echo "Kernel Module Signature Verification hasn't benn activated. Please restart to activate!"
fi
{{ else }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
if [ $? -eq 0 ]; then
echo "Kernel Module Signature Verification is not disable."
fi
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 22d5590..587deaf 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -16,7 +16,7 @@ secure_boot_comm()
if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
if [ $? -ne 0 ]; then
echo "Secure Boot cerificate download failedPlease obtain the certificate in other ways"
return 1
diff --git a/secconf/gen/gen_modsign b/secconf/gen/gen_modsign
index 2917ea1..dc20ee3 100644
--- a/secconf/gen/gen_modsign
+++ b/secconf/gen/gen_modsign
@@ -6,14 +6,14 @@ modsign_comm()
else
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
fi
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
{{ if .Enable }}
if [ $? -eq 0 ]; then
echo "Kernel module verification has been set and does not need to be set again."
else
get_usr_input "Check whether the grub.cfg file is modified to enable forcible signature verification in the kernel.【Y/N】"
if [ $? -eq 1 ]; then
- sed -i '/vmlinuz/s/$/ module\.sig_enforce/' $grub_path
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"
if [ $? -eq 0 ]; then
echo "The kernel module verification is successful when the OS is started. The verification takes effect after the OS is restarted."
else
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 9ace5e0..bd78d7e 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -20,7 +20,7 @@ secure_boot_comm()
else
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
if [ $? -ne 0 ]; then
echo "Certificate downloaded failed. Please obtain the certificate manually!"
return 1
--
2.33.0
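Review bot: The file that check_secure_boot and gen_secure_boot write to /boot/efi/EFI/secure_boot.der — the trust anchor the user is afterwards told to enrol into the UEFI DB — is still fetched with `--no-check-certificate`, so the added `--timeout=30 --tries=3` improves availability but the download stays unauthenticated on the network path. The flag should be dropped so wget verifies the openeuler.org chain, and where a host genuinely lacks a CA bundle the script should at least compare the file against a pinned digest before accepting it, e.g. `sha256sum /boot/efi/EFI/secure_boot.der` checked against `<EXPECTED_SHA256>` (placeholder to be filled from the project's published value). The same flag appears on the wget lines in the check_secure_boot and gen_secure_boot hunks of fix-some-bugs.patch further down this commit. Both call sites now also send wget's stderr to `/dev/null`, so a timeout and a TLS failure are indistinguishable to the user; keeping stderr or printing `$?` in the failure message would help. secure_boot_comm starts and ends outside these hunks.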


@ -0,0 +1,265 @@
From 3287a6ffcf77ac5d328994610dc40e267e800ba2 Mon Sep 17 00:00:00 2001
From: xucee <xuce10@h-partners.com>
Date: Thu, 5 Dec 2024 16:15:19 +0800
Subject: extend check_ima to check whether gen_ima is right.
---
secconf/check/check_ima | 181 +++++++++++++++++++++++++++++++++++-
secconf/gen/gen_ima | 10 +-
secconf/gen/gen_secure_boot | 2 +-
3 files changed, 184 insertions(+), 9 deletions(-)
diff --git a/secconf/check/check_ima b/secconf/check/check_ima
index cb5de0d..613d75e 100644
--- a/secconf/check/check_ima
+++ b/secconf/check/check_ima
@@ -1,9 +1,7 @@
ima_comm()
{
{{with .IMA}}
-{{ if and (eq (len .MeasureList) 0) (eq (len .AppraiseList) 0) }}
-echo "IMA is not enabled!"
-{{else}}
+
if [ ! -d /etc/ima/ ]; then
echo "The /etc/ima/ directory does not exist. Please confirm whether IMA is supported."
return 1
@@ -12,7 +10,184 @@ if [[ "$(getenforce)" == "Disabled" ]]; then
echo "IMA requires selinux to protect specific files. Please make sure selinux is enabled!"
return 1
fi
+
+measure_list=()
+appraise_list=()
+common_list=()
+
+{{range .AppraiseList}}
+appraise_list+=({{.}})
{{end}}
+
+{{range .MeasureList}}
+measure_list+=({{.}})
+{{end}}
+
+if [ -d /sys/firmware/efi ]; then
+ grub_path=/boot/efi/EFI/openeuler/grub.cfg
+else
+ grub_path=/boot/grub2/grub.cfg
+fi
+
+appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
+measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
+measure_type=ima_measure_bprm_t
+appraise_type=ima_appraise_bprm_t
+all_type=ima_all_bprm_t
+needReboot=false
+needConfigure=false
+
+check_exist_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ fi
+ done
+}
+
+check_absent_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needConfigure=true
+ fi
+ done
+}
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_absent_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 && ${#measure_list[@]} -gt 0 ]]; then
+ check_exist_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_absent_kernel_param "${measure_param[@]}"
+ check_exist_kernel_param "${appraise_param[@]}"
+else
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+fi
+
+if [[ "$needReboot" == "true" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related startup parameters are not configured correctly. Please execute the configuration script and then restart to take effect."
+ return 0
+elif [[ "$needReboot" == "true" && "$needConfigure" == "false" ]]; then
+ echo "The current IMA related startup parameters have been successfully configured. It needs to restart to take effect."
+ return 0
+elif [[ "$needReboot" == "false" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related start up parameters are valid. But they will become invalid after restarting. It needs to execute configuration script to configure."
+else
+ echo "The current IMA related start up parameters are valid and configured correctly!"
+fi
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ echo "IMA check completed!"
+ return 0
+fi
+
+needSetSelinuxType=false
+check_selinux_type()
+{
+ SELINUX_LABEL=$(ls -Z "$2" | awk '{print $1}' | awk -F: '{print $3}')
+ if [[ $SELINUX_LABEL != "$1" ]]; then
+ needSetSelinuxType=true
+ fi
+}
+
+unique() {
+ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
+}
+
+common_elements() {
+ comm -12 <(printf "%s\n" $1 | sort) <(printf "%s\n" $2 | sort)
+}
+
+remove_common() {
+ grep -Fvxf <(printf "%s\n" $2) <(printf "%s\n" $1)
+}
+
+unique_appraise_list=($(unique "${appraise_list[@]}"))
+unique_measure_list=($(unique "${measure_list[@]}"))
+common_list=($(common_elements "${unique_appraise_list[*]}" "${unique_measure_list[*]}"))
+appraise_list=($(remove_common "${unique_appraise_list[*]}" "${common_list[*]}"))
+measure_list=($(remove_common "${unique_measure_list[*]}" "${common_list[*]}"))
+
+
+for measure_file in "${measure_list[@]}"; do
+ check_selinux_type $measure_type $measure_file
+done
+
+for appraise_file in "${appraise_list[@]}"; do
+ check_selinux_type $appraise_type $appraise_file
+done
+
+for common_file in "${common_list[@]}"; do
+ check_selinux_type $all_type $common_file
+done
+
+if [[ $needSetSelinuxType == "true" ]]; then
+ echo "The selinux type of the target files is not configured correctly. Please execute the configuration script to set it."
+ return 0
+else
+ echo "The selinux type of the target files is configured correctly!"
+fi
+
+ima_policy=/sys/kernel/security/ima/policy
+
+if [ -z "$(cat $ima_policy)" ]; then
+ echo "IMA policy is not configured. Please execute the configuration script to configure it."
+ return 0
+fi
+
+needConfigurePolicy=false
+check_ima_policy(){
+ if ! grep -Fxq "$1" "$ima_policy"; then
+ needConfigurePolicy=true
+ fi
+}
+
+if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig"
+fi
+if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=DIGEST_LIST_CHECK"
+fi
+
+if [[ ${#common_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${all_type}"
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${all_type}"
+fi
+
+if [[ ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${measure_type}"
+fi
+
+if [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${appraise_type}"
+fi
+
+if [[ "needConfigurePolicy" == "true" ]]; then
+ echo "IMA policy is not configured correctly! Please restart and execute the configuration script to configure it."
+ return 0
+else
+ echo "IMA policy are configured correctly! IMA has been successfully enabled"
+fi
+
echo "IMA check completed!"
{{end}}
}
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 28edbf3..e0cc3c4 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -32,7 +32,7 @@ rm_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
sed -i "s/ \<${param}\>//g" ${grub_path}
needReboot=true
@@ -48,12 +48,12 @@ set_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
needReboot=true
elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
needReboot=true
fi
@@ -109,7 +109,7 @@ else
fi
if [[ $needReboot == "true" ]]; then
- echo "IMA startup parameters have been configured! It will take effect by rebooting"
+ echo "IMA startup parameters have been configured! It will take effect by rebooting."
return 0
fi
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index a1e0d36..9ace5e0 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -39,7 +39,7 @@ secure_boot_comm()
get_usr_input "Whether to enable the secure boot anti-rollback?【Y/N】"
if [ $? -eq 1 ]; then
mokutil --set-sbat-policy latest
- echo "The anti-rollback function has been set and will take effect after restarting."
+ echo "The anti-rollback function has been enabled and will take effect after enabling the secure boot."
fi
{{ else }}
get_usr_input "Whether to disable the secure boot anti-rollback【Y/N】"
--
2.33.0
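Review bot: `if [[ "needConfigurePolicy" == "true" ]]; then` near the end of the new check_ima hunk compares the literal string rather than the variable, so the condition is always false and the script prints "IMA policy are configured correctly! IMA has been successfully enabled" even when check_ima_policy has set `needConfigurePolicy=true`; it should be `if [[ "$needConfigurePolicy" == "true" ]]; then`, matching the `$needSetSelinuxType` test a few lines earlier. Separately, the policy check relies on `cat $ima_policy` returning the loaded rules, but the read's exit status is not checked; on a kernel where /sys/kernel/security/ima/policy is write-only (presumably the case without read-policy support) the empty output is reported as "IMA policy is not configured", which is misleading — a `[ -r "$ima_policy" ]` test with its own message, or a comment stating the assumption, would make this explicit. The deduplication helpers (`unique`, `common_elements`, `remove_common`) deliberately word-split `$1`/`$2`, so paths containing spaces are split into separate entries; a comment `# paths are assumed to contain no whitespace` on those functions would document the limitation.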

fix-some-bugs.patch Normal file

@ -0,0 +1,347 @@
From aa072b84261eec2f4c1faaf1f8ba177313fa0e37 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Thu, 28 Nov 2024 14:05:53 +0800
Subject: fix some bugs
---
secconf/check/check_dim | 8 +++-
secconf/check/check_secure_boot | 36 ++++++++++++--
secconf/dim.go | 6 +--
secconf/gen/gen_dim | 19 ++++----
secconf/gen/gen_ima | 4 +-
secconf/gen/gen_secure_boot | 10 ++--
secconf/gen_comm.sh | 85 +++++++++++++++++++--------------
7 files changed, 107 insertions(+), 61 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index 3c392fa..bfad32d 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -23,6 +23,10 @@ dim_comm()
return 1
fi
elif [ "{{.}}" == "kernel" ]; then
+ if [ ! -f /etc/dim/digest_list/kernel.hash ]; then
+ echo "Error! The policy file doesn't match the configuration file!"
+ return 1
+ fi
grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null
if [ $? -ne 0 ]; then
echo "Error! The policy file doesn't match the configuration file!"
@@ -55,9 +59,9 @@ dim_comm()
echo "Environment doesn't support tpm, measure_pcr configuration is invalid!"
fi
{{end}}{{ if .Signature }}
- get_usr_input "openssl is about to installed?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
echo "Checking whether the certificate is configured..."
if [ -f /etc/keys/x509_dim.der ]; then
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 905c2e0..22d5590 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -5,15 +5,15 @@ secure_boot_comm()
get_usr_input "The current system doesn't support secure boot!"
return 1
fi
- get_usr_input "Pesign is about to be installed?【Y/N】"
+ check_rpm_package pesign
if [ $? -eq 1 ]; then
- yum install -y pesign || exit 1
+ return 1
fi
- get_usr_input "Mokutil is about to be installed?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
- if [ ! -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
@@ -34,6 +34,32 @@ secure_boot_comm()
return 1
fi
done
+ if [ -s /boot/vmlinuz-"$(uname -r)" ]; then
+ check_rpm_package gzip
+ if [ $? -eq 1 ]; then
+ return 1
+ fi
+ if [ $(arch) == "aarch64" ]; then
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz
+ gzip -df vmlinuz-"$(uname -r)".gz
+ if [ $? -ne 0 ]; then
+ echo "failed to gzip vmlinuz, stop check"
+ rm -f vmlinuz-"$(uname -r)".gz
+ return 1
+ fi
+ else
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)"
+ fi
+ pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der
+ if [ $? -ne 0 ]; then
+ echo "$vmlinuz-"$(uname -r)" signature verification failed!"
+ else
+ echo "The kernel of the current version has been verified"
+ fi
+ rm -f vmlinuz-"$(uname -r)"
+ else
+ echo "The vmlinuz was not found, please check the signature manually"
+ fi
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
diff --git a/secconf/dim.go b/secconf/dim.go
index 220abde..a37915b 100644
--- a/secconf/dim.go
+++ b/secconf/dim.go
@@ -15,12 +15,12 @@ type Dim struct {
DimIsEnable bool `default:"false" yaml:"enable"`
MeasureList []string `yaml:"measure_list"`
BaselineIsEnable bool `default:"false" yaml:"auto_baseline"`
- MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"`
+ MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"`
MeasureHash string `default:"sha256" yaml:"hash"`
CorePcr uint16 `default:"0" yaml:"core_pcr"`
MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"`
- MeasureSchedule uint64 `default:"0" yaml:"schedule"`
- MeasureInterval uint64 `default:"0" yaml:"interval"`
+ MeasureSchedule uint32 `default:"0" yaml:"schedule"`
+ MeasureInterval uint32 `default:"0" yaml:"interval"`
Signature bool `default:"false" yaml:"signature"`
}
diff --git a/secconf/gen/gen_dim b/secconf/gen/gen_dim
index b310eaf..9174a92 100644
--- a/secconf/gen/gen_dim
+++ b/secconf/gen/gen_dim
@@ -1,9 +1,9 @@
dim_comm()
{
{{ with .Dim }}{{if .DimIsEnable}}
- get_usr_input "dim is about to install?【Y/N】"
+ check_rpm_package dim
if [ $? -eq 1 ]; then
- yum install -y dim || exit 1
+ return 1
fi
get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】"
if [ $? -eq 1 ]; then
@@ -19,14 +19,15 @@ dim_comm()
return 1
fi
- get_usr_input "dim_tools is about to install?【Y/N】"
+ check_rpm_package dim_tools
if [ $? -eq 1 ]; then
- yum install -y dim_tools || exit 1
+ return 1
fi
+ dimHash={{.MeasureHash}}
{{range .MeasureList}}
if [ -f "{{.}}" ] ; then
echo "Establishing static baseline" {{.}}
- dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash
+ dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Error! Static baseline establishment failed" {{.}}
return 1
@@ -34,7 +35,7 @@ dim_comm()
echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy
elif [ "{{.}}" == "kernel" ]; then
echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy
- dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6*
+ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash
if [ $? -ne 0 ]; then
echo "Kernel static baseline establishment failed"
return 1
@@ -48,7 +49,7 @@ dim_comm()
xz -d -k $moduleFilePath
moduleFilePath=${moduleFilePath%.*}
fi
- dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash
+ dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Static baseline establishment failed" {{.}}
return 1
@@ -73,9 +74,9 @@ dim_comm()
return 1
fi
{{if .Signature}}
- get_usr_input "openssl is about to install?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
get_usr_input "Generate keys and certificates automatically?【Y/N】"
if [ $? -eq 1 ]; then
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 0657cdf..84d1b4b 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -16,9 +16,9 @@ measure_list+=({{.}})
needReboot=false
packages=("ima-evm-utils" "digest-list-tools")
for pkg in "${packages[@]}"; do
- get_usr_input "${pkg} is about to installed?【Y/N】"
+ check_rpm_package ${pkg}
if [ $? -eq 1 ]; then
- yum install -y ${pkg} || exit 1
+ return 1
fi
done
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 4decd48..a1e0d36 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -3,26 +3,26 @@ secure_boot_comm()
{{ with .SecureBoot }}
{{if .SecureBootIsEnable}}
if [ ! -d /sys/firmware/efi ]; then
- get_usr_input "Error! The current environment does not support secure boot."
+ get_usr_input "The current environment does not support secure boot."
return 1
fi
- get_usr_input "mokutil is about to install?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
mokutil --sb | grep enabled
if [ $? -ne 0 ]; then
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
echo "Secure boot certificate is not saved in DB!"
- if [ -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ -s /boot/efi/EFI/secure_boot.der ]; then
echo "The file already exists. Please restart and import the file to the BIOS."
else
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
if [ $? -ne 0 ]; then
- echo "Error! Certificate downloaded failed. Please obtain the certificate manually!"
+ echo "Certificate downloaded failed. Please obtain the certificate manually!"
return 1
fi
echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!"
diff --git a/secconf/gen_comm.sh b/secconf/gen_comm.sh
index f28dba7..ec19cf5 100644
--- a/secconf/gen_comm.sh
+++ b/secconf/gen_comm.sh
@@ -1,52 +1,67 @@
set_skip_usr_input=0
set_reboot=0
+check_rpm_package()
+{
+ rpm -q $1 &> /dev/null
+ if [ $? -ne 0 ]; then
+ get_usr_input "$1 is about to install?【Y/N】"
+ if [ $? -eq 1 ]; then
+ yum install -y $1 || exit 1
+ else
+ echo "The $1 does not exit, skip."
+ return 1
+ fi
+ fi
+ return 0
+}
+
get_usr_input()
{
- echo $1
- if [ $set_skip_usr_input -eq 0 ]; then
- read -r userInput
- else
- userInput=Y
- fi
+ echo $1
+ if [ $set_skip_usr_input -eq 0 ]; then
+ read -r userInput
+ else
+ userInput=Y
+ fi
- if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
- return 0
- else
- return 1
- fi
+ if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
+ return 0
+ else
+ return 1
+ fi
}
usage()
{
- echo "Usage: $(basename $0) [OPTION]"
- echo " -s, --skip 设置跳过询问"
- echo " -r, --run 正常执行"
- echo " -h, --help 显示帮助信息"
+ echo "Usage: $(basename $0) [OPTION]"
+ echo " -s, --skip 设置跳过询问"
+ echo " -r, --run 正常执行"
+ echo " -h, --help 显示帮助信息"
}
while true
do
- case "$1" in
- -s|--skip)
- set_skip_usr_input=1
-{{range .ShellFuns}} {{.}}
+ case "$1" in
+ -s|--skip)
+ set_skip_usr_input=1
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -r|--run)
-{{range .ShellFuns}} {{.}}
+ exit 0
+ ;;
+ -r|--run)
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -h|--help)
- usage
- exit $?
- ;;
- *)
- echo -e "Need Correct Arguments!\n"
- usage
- exit $LA_ERR
- ;;
- esac
+ exit 0
+ ;;
+ -h|--help)
+ usage
+ exit $?
+ ;;
+ *)
+ echo -e "Need Correct Arguments!\n"
+ usage
+ exit $LA_ERR
+ ;;
+ esac
done
--
2.33.0
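Review bot: `echo "$vmlinuz-"$(uname -r)" signature verification failed!"` in the check_secure_boot hunk references an unset `$vmlinuz` and the quoting splits the string, so the message prints as `-<release> signature verification failed!`; it should be `echo "vmlinuz-$(uname -r) signature verification failed!"`. More importantly, when pesigcheck fails the function only prints and continues to the mokutil DB check, so a kernel image that does not verify against secure_boot.der never makes the check fail — adding `return 1` after the message (after the `rm -f` of the temporary copy) would match the other error paths in this function. The kernel copy is also placed in the caller's current directory (`cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)"`) rather than in a `mktemp -d` directory, so running the check from a shared or world-writable directory can leave the file behind and exposes the `gzip -df`/`pesigcheck` step to interference by other users of that directory. In gen_comm.sh, `exit $LA_ERR` in the usage-error arm refers to a variable no hunk here defines, so that path presumably exits with the status of the preceding `usage` call rather than a guaranteed non-zero code, and the new check_rpm_package message `"The $1 does not exit, skip."` should read `does not exist`.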


@ -1,17 +1,17 @@
From 7adb0853596e1ec546ef33aba26b69e31a695041 Mon Sep 17 00:00:00 2001
From: xuce <xuce10@h-partners.com>
Date: Mon, 2 Dec 2024 16:16:40 +0800
Subject: [PATCH] restore ima selinux type when perform new configuration
From c608b278f93fabdb44b41e0ad921e1f34c17fc2b Mon Sep 17 00:00:00 2001
From: xucee <xuce10@h-partners.com>
Date: Mon, 2 Dec 2024 15:30:25 +0800
Subject: restore ima selinux type when perform new ima
configuration
Signed-off-by: xuce <xuce10@h-partners.com>
---
secpaver-secconf-1.0.0/secconf/gen/gen_ima | 73 ++++++++++++----------
secconf/gen/gen_ima | 73 +++++++++++++++++++++++++--------------------
1 file changed, 40 insertions(+), 33 deletions(-)
diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
index a657614..d40dce6 100644
--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 84d1b4b..28edbf3 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -14,7 +14,7 @@ measure_list+=({{.}})
{{end}}
@ -19,7 +19,7 @@ index a657614..d40dce6 100644
-packages=("ima-evm-utils" "digest-list-tools")
+packages=("ima-evm-utils" "digest-list-tools" "selinux-policy" "selinux-policy-targeted" "policycoreutils")
for pkg in "${packages[@]}"; do
get_usr_input "${pkg} is about to installed?【Y/N】"
check_rpm_package ${pkg}
if [ $? -eq 1 ]; then
@@ -33,14 +33,14 @@ rm_kernel_param()
for param in "${@}"; do


@ -1,26 +1,32 @@
%define secconf_pck secpaver-secconf-1.0.0
Name: secpaver
Summary: Security policy development tool
Version: 1.0.2
Release: 14
Release: 15
License: MulanPSL-2.0
URL: https://gitee.com/openeuler/secpaver
Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
#source1 version sys@v0.0.0-20220908164124-27713097b956
Source1: sys.tar.gz
Source2: secpaver-secconf-1.0.0.zip
Source2: %{secconf_pck}.zip
Patch0001: dont-do-daemon-reload-in-make-install.patch
Patch0002: set-default-log-path.patch
Patch0003: support-clang-build.patch
Patch0004: fix-go-build-ref-cldflags.patch
Patch0005: remove-unused-socket.patch
Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
Patch0007: restore-ima-selinux-type-when-perform-new-configurat.patch
%ifarch riscv64 loongarch64
Patch1000: 1000-fix-build-on-riscv64.patch
%endif
# secconf
Patch2000: Add-example-of-how-to-import-digest-list-when-using-.patch
Patch2001: fix-some-bugs.patch
Patch2002: restore-ima-selinux-type-when-perform-new-configurat.patch
Patch2003: extend-check_ima-to-check-whether-gen_ima-is-right.patch
Patch2004: add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch
BuildRequires: golang make systemd
Requires: %{name}-plugin = %{version}-%{release}
@ -59,25 +65,30 @@ unzip %{SOURCE2}
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
%patch0007 -p1
%ifarch riscv64 loongarch64
%patch1000 -p1
%endif
# secconfg
cd ./%{secconf_pck}
%patch2000 -p1
%patch2001 -p1
%patch2002 -p1
%patch2003 -p1
%patch2004 -p1
%build
%make_build everything
cd ./secpaver-secconf-1.0.0
cd ./%{secconf_pck}
make
%install
%make_install DESTDIR="%{buildroot}"
cd ./secpaver-secconf-1.0.0
cd ./%{secconf_pck}
%make_install DESTDIR="%{buildroot}"
%check
cd ./secpaver-secconf-1.0.0
cd ./%{secconf_pck}
make test
%files
@ -119,6 +130,9 @@ make test
%systemd_postun_with_restart pavd.service
%changelog
* Tue Dec 10 2024 jinlun <jinlun@huawei.com> - 1.0.2-15
- fix some bugs
* Mon Dec 2 2024 xuce <xuce10@h-partners.com> - 1.0.2-14
- restore ima selinux type when perform new configuration
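Review bot: The new changelog entry `- fix some bugs` does not describe the change, while the spec now applies five secconf patches (Patch2000–Patch2004) that add a wget timeout, extend check_ima, and replace the interactive yum prompts with check_rpm_package; the entry should name them, e.g. `- add check_rpm_package helper, wget timeout for secure boot certificate download, extend check_ima`. A comment above `%patch2000 -p1` stating that the secconf patches are applied after `cd ./%{secconf_pck}` and therefore use paths relative to that directory would also explain why the paths inside the patch files dropped their `secpaver-secconf-1.0.0/` prefix in this commit.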