secpaver/extend-check_ima-to-check-whether-gen_ima-is-right.patch
2024-12-10 14:11:16 +08:00



From 3287a6ffcf77ac5d328994610dc40e267e800ba2 Mon Sep 17 00:00:00 2001
From: xucee <xuce10@h-partners.com>
Date: Thu, 5 Dec 2024 16:15:19 +0800
Subject: extend check_ima to check whether gen_ima is right.
---
secconf/check/check_ima | 181 +++++++++++++++++++++++++++++++++++-
secconf/gen/gen_ima | 10 +-
secconf/gen/gen_secure_boot | 2 +-
3 files changed, 184 insertions(+), 9 deletions(-)
diff --git a/secconf/check/check_ima b/secconf/check/check_ima
index cb5de0d..613d75e 100644
--- a/secconf/check/check_ima
+++ b/secconf/check/check_ima
@@ -1,9 +1,7 @@
ima_comm()
{
{{with .IMA}}
-{{ if and (eq (len .MeasureList) 0) (eq (len .AppraiseList) 0) }}
-echo "IMA is not enabled!"
-{{else}}
+
if [ ! -d /etc/ima/ ]; then
echo "The /etc/ima/ directory does not exist. Please confirm whether IMA is supported."
return 1
@@ -12,7 +10,184 @@ if [[ "$(getenforce)" == "Disabled" ]]; then
echo "IMA requires selinux to protect specific files. Please make sure selinux is enabled!"
return 1
fi
+
+measure_list=()
+appraise_list=()
+common_list=()
+
+{{range .AppraiseList}}
+appraise_list+=({{.}})
{{end}}
+
+{{range .MeasureList}}
+measure_list+=({{.}})
+{{end}}
+
+if [ -d /sys/firmware/efi ]; then
+ grub_path=/boot/efi/EFI/openeuler/grub.cfg
+else
+ grub_path=/boot/grub2/grub.cfg
+fi
+
+appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
+measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
+measure_type=ima_measure_bprm_t
+appraise_type=ima_appraise_bprm_t
+all_type=ima_all_bprm_t
+needReboot=false
+needConfigure=false
+
+check_exist_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ fi
+ done
+}
+
+check_absent_kernel_param()
+{
+ for param in "${@}"; do
+ cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
+ if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+ needReboot=true
+ needConfigure=true
+ elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+ needReboot=true
+ elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+ needConfigure=true
+ fi
+ done
+}
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_absent_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 && ${#measure_list[@]} -gt 0 ]]; then
+ check_exist_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+elif [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_absent_kernel_param "${measure_param[@]}"
+ check_exist_kernel_param "${appraise_param[@]}"
+else
+ check_absent_kernel_param "${appraise_param[@]}"
+ check_exist_kernel_param "${measure_param[@]}"
+fi
+
+if [[ "$needReboot" == "true" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related startup parameters are not configured correctly. Please execute the configuration script and then restart to take effect."
+ return 0
+elif [[ "$needReboot" == "true" && "$needConfigure" == "false" ]]; then
+ echo "The current IMA related startup parameters have been successfully configured. It needs to restart to take effect."
+ return 0
+elif [[ "$needReboot" == "false" && "$needConfigure" == "true" ]]; then
+ echo "The current IMA related start up parameters are valid. But they will become invalid after restarting. It needs to execute configuration script to configure."
+else
+ echo "The current IMA related start up parameters are valid and configured correctly!"
+fi
+
+if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+ echo "IMA check completed!"
+ return 0
+fi
+
+needSetSelinuxType=false
+check_selinux_type()
+{
+ SELINUX_LABEL=$(ls -Z "$2" | awk '{print $1}' | awk -F: '{print $3}')
+ if [[ $SELINUX_LABEL != "$1" ]]; then
+ needSetSelinuxType=true
+ fi
+}
+
+unique() {
+ echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
+}
+
+common_elements() {
+ comm -12 <(printf "%s\n" $1 | sort) <(printf "%s\n" $2 | sort)
+}
+
+remove_common() {
+ grep -Fvxf <(printf "%s\n" $2) <(printf "%s\n" $1)
+}
+
+unique_appraise_list=($(unique "${appraise_list[@]}"))
+unique_measure_list=($(unique "${measure_list[@]}"))
+common_list=($(common_elements "${unique_appraise_list[*]}" "${unique_measure_list[*]}"))
+appraise_list=($(remove_common "${unique_appraise_list[*]}" "${common_list[*]}"))
+measure_list=($(remove_common "${unique_measure_list[*]}" "${common_list[*]}"))
+
+
+for measure_file in "${measure_list[@]}"; do
+ check_selinux_type $measure_type $measure_file
+done
+
+for appraise_file in "${appraise_list[@]}"; do
+ check_selinux_type $appraise_type $appraise_file
+done
+
+for common_file in "${common_list[@]}"; do
+ check_selinux_type $all_type $common_file
+done
+
+if [[ $needSetSelinuxType == "true" ]]; then
+ echo "The selinux type of the target files is not configured correctly. Please execute the configuration script to set it."
+ return 0
+else
+ echo "The selinux type of the target files is configured correctly!"
+fi
+
+ima_policy=/sys/kernel/security/ima/policy
+
+if [ -z "$(cat $ima_policy)" ]; then
+ echo "IMA policy is not configured. Please execute the configuration script to configure it."
+ return 0
+fi
+
+needConfigurePolicy=false
+check_ima_policy(){
+ if ! grep -Fxq "$1" "$ima_policy"; then
+ needConfigurePolicy=true
+ fi
+}
+
+if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig"
+fi
+if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=DIGEST_LIST_CHECK"
+fi
+
+if [[ ${#common_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${all_type}"
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${all_type}"
+fi
+
+if [[ ${#measure_list[@]} -gt 0 ]]; then
+ check_ima_policy "measure func=BPRM_CHECK obj_type=${measure_type}"
+fi
+
+if [[ ${#appraise_list[@]} -gt 0 ]]; then
+ check_ima_policy "appraise func=BPRM_CHECK obj_type=${appraise_type}"
+fi
+
+if [[ "needConfigurePolicy" == "true" ]]; then
+ echo "IMA policy is not configured correctly! Please restart and execute the configuration script to configure it."
+ return 0
+else
+ echo "IMA policy are configured correctly! IMA has been successfully enabled"
+fi
+
echo "IMA check completed!"
{{end}}
}
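Review bot: The final policy verdict at `if [[ "needConfigurePolicy" == "true" ]]; then` compares the literal string "needConfigurePolicy" with "true" instead of reading the variable, so the branch is never taken and "IMA policy are configured correctly!" is printed even after check_ima_policy set the flag; it should read `if [[ "$needConfigurePolicy" == "true" ]]; then`. The same unquoted-expansion pattern appears in `check_selinux_type $measure_type $measure_file` (and the appraise/common loops) and in the `unique_appraise_list=($(unique "${appraise_list[@]}"))` family, where a configured path containing whitespace or glob characters is split or expanded before it reaches `ls -Z`; quoting those arguments and filling the arrays with mapfile would keep each entry intact. Extracting the type from `ls -Z` through two awk passes is also fragile across ls versions; where coreutils supports it, `stat -c %C` returns the context directly. Every detected misconfiguration returns 0, so a caller scripting this check cannot tell pass from fail by exit status — if that is deliberate, a comment saying so at the first `return 0` would help. ima_comm begins in the previous hunk.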
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 28edbf3..e0cc3c4 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -32,7 +32,7 @@ rm_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
sed -i "s/ \<${param}\>//g" ${grub_path}
needReboot=true
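Review bot: The detection on `grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" ...)` is now scoped to the running kernel's entry, but the removal on the following context line, `sed -i "s/ \<${param}\>//g" ${grub_path}`, still edits every line of grub.cfg, so on a system with several kernel entries the check and the edit no longer describe the same state; giving the sed the same `/vmlinuz-$(uname -r)/` address would keep them aligned. `$(uname -r)` is inserted unescaped into a basic regex, so its dots match any character; `grep -F -- "/vmlinuz-$(uname -r)" "${grub_path}"` avoids that, and the same applies to the matching line in the set_kernel_param hunk and to the new check_ima helpers. rm_kernel_param continues outside the hunk.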
@@ -48,12 +48,12 @@ set_kernel_param()
{
for param in "${@}"; do
cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
- grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+ grub_contains_param=$(grep "/vmlinuz-$(uname -r)" "${grub_path}" | grep -q "${param}" && echo "true" || echo "false")
if [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
needReboot=true
elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
- sed -i "/vmlinuz/ s/$/ ${param}/" "${grub_path}"
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"
elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
needReboot=true
fi
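Review bot: The two `sed -i "/vmlinuz-$(uname -r)/ s/$/ ${param}/" "${grub_path}"` lines append the parameter directly to grub.cfg; if the installed grub tooling regenerates that file (for example on a kernel update via grub2-mkconfig), the appended parameter is lost unless GRUB_CMDLINE_LINUX in /etc/default/grub is updated as well, and the check_ima helper would then report "needConfigure" again. A comment stating that this is a known limitation, or a follow-up that also persists the parameter there, would make the behaviour explicit. The unescaped `$(uname -r)` in the sed address is the same point raised on the rm_kernel_param hunk. set_kernel_param continues outside the hunk.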
@@ -109,7 +109,7 @@ else
fi
if [[ $needReboot == "true" ]]; then
- echo "IMA startup parameters have been configured! It will take effect by rebooting"
+ echo "IMA startup parameters have been configured! It will take effect by rebooting."
return 0
fi
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index a1e0d36..9ace5e0 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -39,7 +39,7 @@ secure_boot_comm()
get_usr_input "Whether to enable the secure boot anti-rollback?【Y/N】"
if [ $? -eq 1 ]; then
mokutil --set-sbat-policy latest
- echo "The anti-rollback function has been set and will take effect after restarting."
+ echo "The anti-rollback function has been enabled and will take effect after enabling the secure boot."
fi
{{ else }}
get_usr_input "Whether to disable the secure boot anti-rollback【Y/N】"
--
2.33.0