diff options
| author | Leon Anavi <leon.anavi@konsulko.com> | 2024-01-31 16:28:57 +0200 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-02-20 07:40:39 -0500 |
| commit | d444b7d7dad2c3b7c86b17dc0eff3500111b427f (patch) | |
| tree | 33faae4b943af79414c254ea52b74b6f15d8e1e4 | |
| parent | 3791852532a73b773057ca745679c173e14e9998 (diff) | |
| download | meta-security-d444b7d7dad2c3b7c86b17dc0eff3500111b427f.tar.gz | |
linux-yocto%.bbappend: Add audit.cfg
Add audit.cfg configuration fragment. By default it is not appended
to SRC_URI. It allows enabling the audit kernel subsystem which may
help to debug appraisal issues. Boot with "integrity_audit=1" to
capture a more complete set of events in /var/log/audit/.
Previously the same configuration fragment was provided by layer
meta-security-framework but it is no longer maintained therefore it
makes sense to have audit.cfg in layer meta-integrity.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-integrity/README.md | 8 | ||||
| -rw-r--r-- | meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend | 2 | ||||
| -rw-r--r-- | meta-integrity/recipes-kernel/linux/linux/audit.cfg | 2 |
3 files changed, 10 insertions, 2 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 1a37280..2f30e78 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
| @@ -219,12 +219,16 @@ executing the file is no longer allowed: | |||
| 219 | -sh: /usr/bin/rpm: Permission denied | 219 | -sh: /usr/bin/rpm: Permission denied |
| 220 | 220 | ||
| 221 | Enabling the audit kernel subsystem may help to debug appraisal | 221 | Enabling the audit kernel subsystem may help to debug appraisal |
| 222 | issues. Enable it by adding the meta-security-framework layer and | 222 | issues. Enable it by adding a kernel configuration fragment and |
| 223 | changing your local.conf: | 223 | changing your local.conf: |
| 224 | SRC_URI:append:pn-linux-yocto = " file://audit.cfg" | 224 | SRC_URI:append:pn-linux-yocto = " file://audit.cfg" |
| 225 | CORE_IMAGE_EXTRA_INSTALL += "auditd" | 225 | CORE_IMAGE_EXTRA_INSTALL += "auditd" |
| 226 | 226 | ||
| 227 | Then boot with "ima_appraise=log ima_appraise_tcb". | 227 | Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1". |
| 228 | For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND | ||
| 229 | in your local.conf: | ||
| 230 | QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix" | ||
| 231 | QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1" | ||
| 228 | 232 | ||
| 229 | Adding auditd is not strictly necessary but helps to capture a | 233 | Adding auditd is not strictly necessary but helps to capture a |
| 230 | more complete set of events in /var/log/audit/ and search in | 234 | more complete set of events in /var/log/audit/ and search in |
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend index be60bfe..9c599aa 100644 --- a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend | |||
| @@ -1 +1,3 @@ | |||
| 1 | FILESEXTRAPATHS:prepend := "${THISDIR}/linux:" | ||
| 2 | |||
| 1 | require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)} | 3 | require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)} |
diff --git a/meta-integrity/recipes-kernel/linux/linux/audit.cfg b/meta-integrity/recipes-kernel/linux/linux/audit.cfg new file mode 100644 index 0000000..214dbe3 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/audit.cfg | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | CONFIG_AUDIT=y | ||
| 2 | CONFIG_AUDITSYSCALL=y | ||