| field | value | date |
|---|---|---|
| author | Leon Anavi <leon.anavi@konsulko.com> | 2024-01-31 16:28:57 +0200 |
| committer | Armin Kuster <akuster808@gmail.com> | 2024-02-20 07:40:39 -0500 |
| commit | d444b7d7dad2c3b7c86b17dc0eff3500111b427f (patch) | |
| tree | 33faae4b943af79414c254ea52b74b6f15d8e1e4 /meta-integrity/README.md | |
| parent | 3791852532a73b773057ca745679c173e14e9998 (diff) | |
| download | meta-security-d444b7d7dad2c3b7c86b17dc0eff3500111b427f.tar.gz | |
linux-yocto%.bbappend: Add audit.cfg
Add audit.cfg configuration fragment. By default it is not appended
to SRC_URI. It allows enabling the audit kernel subsystem, which may
help to debug appraisal issues. Boot with "integrity_audit=1" to
capture a more complete set of events in /var/log/audit/.

Previously the same configuration fragment was provided by the layer
meta-security-framework, but it is no longer maintained; therefore it
makes sense to have audit.cfg in the layer meta-integrity.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-integrity/README.md')
-rw-r--r-- | meta-integrity/README.md | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 1a37280..2f30e78 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
@@ -219,12 +219,16 @@ executing the file is no longer allowed: | |||
219 | -sh: /usr/bin/rpm: Permission denied | 219 | -sh: /usr/bin/rpm: Permission denied |
220 | 220 | ||
221 | Enabling the audit kernel subsystem may help to debug appraisal | 221 | Enabling the audit kernel subsystem may help to debug appraisal |
222 | issues. Enable it by adding the meta-security-framework layer and | 222 | issues. Enable it by adding a kernel configuration fragment and |
223 | changing your local.conf: | 223 | changing your local.conf: |
224 | SRC_URI:append:pn-linux-yocto = " file://audit.cfg" | 224 | SRC_URI:append:pn-linux-yocto = " file://audit.cfg" |
225 | CORE_IMAGE_EXTRA_INSTALL += "auditd" | 225 | CORE_IMAGE_EXTRA_INSTALL += "auditd" |
226 | 226 | ||
227 | Then boot with "ima_appraise=log ima_appraise_tcb". | 227 | Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1". |
228 | For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND | ||
229 | in your local.conf: | ||
230 | QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix" | ||
231 | QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1" | ||
228 | 232 | ||
229 | Adding auditd is not strictly necessary but helps to capture a | 233 | Adding auditd is not strictly necessary but helps to capture a |
230 | more complete set of events in /var/log/audit/ and search in | 234 | more complete set of events in /var/log/audit/ and search in |
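Review bot: the new line 222 replaces the reference to meta-security-framework with "adding a kernel configuration fragment" but never says which fragment or where it comes from, so a README reader cannot tell that audit.cfg is now shipped by meta-integrity's linux-yocto%.bbappend (per the commit message) and that the SRC_URI:append on line 224 is all that is needed to pull it in. Suggest "Enable it by adding the audit.cfg kernel configuration fragment shipped by meta-integrity and changing your local.conf:". Separately, in the QEMU example on new lines 230-231 the `:remove` line drops `ima_policy=tcb` together with `ima_appraise=fix`, and the `:append` line only adds `ima_appraise=log ima_appraise_tcb integrity_audit=1`, so the IMA measurement policy is silently removed as a side effect; if that is intended, say so in the text, otherwise keep `ima_policy=tcb` in the appended value.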