oss-sec mailing list archives
Re: IMA gadgets
From: Travis Finkenauer <tmfink () juniper net>
Date: Wed, 1 Dec 2021 18:40:59 +0000
On Dec 1, 2021, at 12:06 AM, Johannes Segitz <jsegitz () suse de> wrote:

> From a security POV it doesn't help much (on a normal Linux system, can be
> different if you really strip it down).

I agree. It's difficult to add an IMA-like security policy that is both effective and general-purpose.

But, if you don't care about your system being general-purpose, IMA can be useful on "locked-down vendor systems". If you can use IMA to enforce a "write XOR execute" policy on a filesystem, then you could have separate filesystems for executable code and writeable config.

For example, you could:

1) Have your executable code in a read-only squashfs filesystem. Use IMA to enforce only signed binaries will run.
2) Put writeable data in a "noexec" filesystem.
3) Lock-down (or remove) interpreters (python, perl, bash, etc.) that could "execute" data whose provenance does not come from a signed, read-only filesystem.

Such a locked-down setup provides some security by trying to ensure only vendor-provided code is executed. But, this setup is probably not suitable for a general-purpose end-user system.

-Travis
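Added example (not part of the original message): a minimal audit of the "write XOR execute" filesystem layout described above, flagging any mount that is both writable and executable. The mount table in SAMPLE_MOUNTS is constructed, and the function names are hypothetical.

```python
# Added example: audit a mount table for the "write XOR execute" layout.
# SAMPLE_MOUNTS is constructed data in /proc/mounts format, not from a real host.
SAMPLE_MOUNTS = """\
/dev/loop0 / squashfs ro,relatime 0 0
/dev/mmcblk0p3 /config ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p4 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    # Backslash is handled last so a decoded "\" cannot form a new escape.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Yield (mountpoint, fstype, set_of_options) for each table line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        yield unescape(parts[1]), parts[2], set(parts[3].split(","))

def wxe_violations(text):
    """Return (mountpoint, fstype) for mounts that are writable AND executable.

    A mount satisfies the policy if it is read-only ("ro") or carries
    "noexec"; anything else lets data written at run time be executed.
    """
    bad = []
    for mountpoint, fstype, opts in parse_mounts(text):
        writable = "ro" not in opts
        executable = "noexec" not in opts
        if writable and executable:
            bad.append((mountpoint, fstype))
    return bad

def audit(path="/proc/mounts"):
    # Run the same check against the live mount table of a Linux host.
    with open(path) as fh:
        return wxe_violations(fh.read())

if __name__ == "__main__":
    for mountpoint, fstype in wxe_violations(SAMPLE_MOUNTS):
        print(f"writable and executable: {mountpoint} ({fstype})")
```

This covers only the mount-option half of the setup (items 1 and 2); it does not verify that IMA appraisal is enforcing signatures, nor does it address interpreters (item 3).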