ima

Manages IMA

Project URL RSS Feed Report issues

Module Stats

7,192 downloads

87 latest version

5.0 quality score

Version information

released Jul 16th 2024

This version is compatible with:

Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
Puppet >= 7.0.0 < 9.0.0
, , , ,

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'simp-ima', '0.8.1'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-ima

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-ima --version 0.8.1

Tags: simp, ima

Documentation

simp/ima — version 0.8.1 Jul 16th 2024

Description
Setup - The basics of getting started with ima
- What ima affects
- Beginning with ima
Usage - Configuration options and additional functionality
Reference - An under-the-hood peek at what the module is doing and how
Limitations - OS compatibility, etc.
Development - Guide for contributing to the module
- Acceptance Tests - Beaker env variables

Description

This module manages the Integrity Management Architecture (IMA), a tool that verifies the integrity of the system, based on filesystem and file hashes. The IMA class sets up IMA kernel boot flags if they are not enabled and when they are, mounts the securityfs. This module can manage the IMA policy, although modifying the policy incorrectly could cause your system to become read-only.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the $enable_* and $manage_* parameters in manifests/init.pp for details.

Setup

What ima affects

WARNING

Inserting poorly-formed or incorrect policy into the IMA policy file could cause your system to become read-only. This can be temporarily remedied by rebooting and setting ima_appraise to fix in the kernel command line parameters. This is the current case with the way the module manages the policy and it is not recommended to use this section of the module at this time.

This module will:

Enable IMA on the host
(OPTIONAL) Manage the IMA policy (BROKEN - See Limitations)

Beginning with the IMA module

classes:
  - ima::appraise
  - ima::policy

To remove IMA, first disable components by adding this to hiera:

ima::policy::enable: false
ima::appraise::enable: false
ima::enable: false

This removes systems parameters managed IMA. The classes can then be removed.

Usage

Reference

Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the file metadata.json for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

The default configuration of this module updates EFI boot parameters if they are present. If the system relies upon BIOS for boot, ensure there is not an EFI grub.cfg or grub2.cfg present or the BIOS grub config file will not be updated.

The current RedHat implementation of IMA does not seem to work after inserting our default policy (generated example in spec/files/default_ima_policy.conf). It causes the system to become read-only, even though it is only using supported configuration elements. The module will be updated soon with more sane defaults to allow for at least the minimal amount of a system to be measured.

To get started, include the ima::policy class and set these parameters. From there, they can be changed to true on one by one:

ima::policy::measure_root_read_files: false
ima::policy::measure_file_mmap: false
ima::policy::measure_bprm_check: false
ima::policy::measure_module_check: false
ima::policy::appraise_fowner: false

Development

Please read our Contribution Guide

Acceptance tests

To run the system tests, you need Vagrant installed.

You can then run the following to execute the acceptance tests:

   bundle exec rake beaker:suites

Some environment variables may be useful:

   BEAKER_debug=true
   BEAKER_provision=no
   BEAKER_destroy=no
   BEAKER_use_fixtures_dir_for_modules=yes

BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.

Reference

Classes

ima: Sets up IMA kernel boot flags if they are not enabled, and mounts the securityfs when they are.
ima::appraise: Manage IMA Appraisal To enable IMA appraisal first make sure all your locally mounted file systems with root files on them are mounted with
ima::appraise::fixmode: set the ima appraise mode to fix
ima::appraise::relabel: This module executes the script to label the files systems with the security.ima attributes and if it is complete, adds resources to set im
ima::policy: Manage IMA Policy * The term watch, as used here, means both IMA policy fields dont_measure and dont_appraise. Both lines

Data types

Ima::Template

Classes

`ima`

Sets up IMA kernel boot flags if they are not enabled, and mounts the securityfs when they are.

Parameters

The following parameters are available in the ima class:

enable
mount_dir
ima_audit
ima_template
ima_hash
ima_tcb
log_max_size
ima_tcb
log_max_size

`enable`

Data type: Boolean

Enable IMA on the system

Default value: true

`mount_dir`

Data type: Stdlib::AbsolutePath

Where to mount the IMA securityfs

Default value: '/sys/kernel/security'

`ima_audit`

Data type: Boolean

Audit control. Can be set to: true - Enable additional integrity auditing messages false - Enable integrity auditing messages (default)

Default value: false

`ima_template`

Data type: Ima::Template

A predefined IMA measurement template format.

NOTE: This is only valid in kernel version >= 3.13. It is always ima in older versions.

Default value: 'ima-ng'

`ima_hash`

Data type: String[1]

The list of supported hashes can be found in crypto/hash_infotru.h

Default value: 'sha256'

`ima_tcb`

Data type: Boolean

Toggle the TCB policy. This means IMA will measure all programs exec'd, files mmap'd for exec, and all file opened for read by uid=0. Defaults to true.

Default value: true

`log_max_size`

Data type: Integer[1]

The size of the /sys/kernel/security/ima/ascii_runtime_measurements, in bytes, that will cause a reboot notification will be sent to the user.

Default value: 30000000

`ima_tcb`

Toggle the TCB policy

IMA will measure all programs called via exec, files copied via mmap, and all files opened by uid=0.

Default value: true

`log_max_size`

The size of /sys/kernel/security/ima/ascii_runtime_measurements, in bytes, that will cause a reboot notification will be sent to the user.

Default value: 30000000

`ima::appraise`

Manage IMA Appraisal

To enable IMA appraisal first make sure all your locally mounted file systems with root files on them are mounted with i_version option.

(TODO: check for this and set if possible)

Then include the ima::appraise module in your classes.

It is also recommended, although not necessary, to enable the management of the ima

policy by including the `ima::policy` module in you classes because the default

policy is over zealous

When puppet runs it will configure the system to reboot into ima_appraise mode fix.

The system will then need to be rebooted and will notify with an ima_appraise_fix_reboot notice.

When the system is rebooted it will be in fix mode and it will label all the files with the required security.ima filesystem attribute. This takes a while. Puppet will notify not to reboot until this script completes. Puppet will notify with an ima_appraise_enforce_reboot notice when the script completes.

When the system is rebooted it will boot into ima_appraisal in enforce mode.

If you need to update files after the system has been in enforce mode:

Set ima::appraise::force_fixmode to true,
Run puppet and reboot when prompted.

When you have completed the upgrade, run the script /usr/local/bin/ima_security_attr_update.sh.

When the completes, set force_fixmode back to false, rerun puppet, and reboot when prompted.

Troubleshooting:

If you reboot and are getting SELinux errors or you do not have permissions to access your files then you probably forgot to set i_version on your mounts in /etc/fstab.
If you reboot and it won't load the initramfs then the dracut update didn't run. You can fix this by rebooting without the ima kernel settings, running dracut -f and then rebooting in ima appraise mode.
See also
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
- Kernel
  - documentation Documentation/ABI/testing/ima_policy
- https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/ABI/testing/ima_policy?id=refs/tags/v3.10.103

Parameters

The following parameters are available in the ima::appraise class:

enable
relabel_file
scriptdir
force_fixmode
ensure_packages

`enable`

Data type: Boolean

Enable IMA appraise capability. Setting to false will remove IMA appraise boot settings from the system.

Default value: true

`relabel_file`

Data type: Stdlib::AbsolutePath

The file to touch when the file system needs relabeling

Default value: "${facts['puppet_vardir']}/simp/.ima_relabel"

`scriptdir`

Data type: Stdlib::AbsolutePath

The directory to place scripts.

Default value: '/usr/local/bin'

`force_fixmode`

Data type: Boolean

This will force the system into fix_mode so you can update files and then relabel the system - requires a reboot.

Default value: false

`ensure_packages`

Data type: Simplib::PackageEnsure

Ensure setting for all packages installed by this module

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

`ima::appraise::fixmode`

set the ima appraise mode to fix

Parameters

The following parameters are available in the ima::appraise::fixmode class:

relabel_file
relabel

`relabel_file`

Data type: StdLib::AbsolutePath

`relabel`

Data type: Boolean

`ima::appraise::relabel`

This module executes the script to label the files systems with the security.ima attributes and if it is complete, adds resources to set ima_appraise to enforce mode.

When a the file system needs to be labeled a file, relabel file is created in the appraise class. If this file exists then the script to relabel the files is called and passed the file name. The script will remove the file when it is complete.

The fact ima_security checks the status of the file and also checks if the script is running. If the script is active, no resources are created, if the relabel file exists and and the script is not active, it launches the script if the file does not exist, it calls the class to create the resources for setting the system into enforce mode.

@param relabel_file The location of the file that that indicates a labeling of the file system is needed.

@param scriptdir The directory containing the scripts.

Parameters

The following parameters are available in the ima::appraise::relabel class:

relabel_file
scriptdir

`relabel_file`

Data type: Stdlib::AbsolutePath

`scriptdir`

Data type: Stdlib::AbsolutePath

Default value: $ima::appraise::scriptdir

`ima::policy`

Manage IMA Policy

The term watch, as used here, means both IMA policy fields dont_measure and dont_appraise. Both lines will be dropped for each entry here.
See also
- https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
- Kernel
  - documentation Documentation/ABI/testing/ima_policy
- https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/ABI/testing/ima_policy?id=refs/tags/v3.10.103

Parameters

The following parameters are available in the ima::policy class:

manage
dont_watch_proc
dont_watch_sysfs
dont_watch_debugfs
dont_watch_tmpfs
dont_watch_ramfs
dont_watch_securityfs
dont_watch_devpts
dont_watch_binfmtfs
dont_watch_selinux
dont_watch_nfs
dont_watch_cgroup
dont_watch_initrc_var_log_t
dont_watch_rpm_var_cache_t
dont_watch_puppet_log_t
dont_watch_auditd_log_t
dont_watch_auth_cache_t
dont_watch_fsadm_log_t
dont_watch_rsync_log_t
dont_watch_getty_log_t
dont_watch_nscd_log_t
dont_watch_cron_log_t
dont_watch_lastlog_t
dont_watch_var_log_t
dont_watch_wtmp_t
dont_watch_list
measure_root_read_files
measure_file_mmap
measure_bprm_check
measure_module_check
appraise_fowner

Default value: []

`measure_root_read_files`

Data type: Boolean

Monitor all files opened by root

Default value: false

`measure_file_mmap`

Data type: Boolean

Monitor all files mmapped executable in file_mmap

Default value: false

`measure_bprm_check`

Data type: Boolean

Monitor all executables in bprm_check

Default value: false

`measure_module_check`

Data type: Boolean

Default value: false

`appraise_fowner`

Data type: Boolean

Appraises all files owned by root

Default value: false

Data types

`Ima::Template`

The Ima::Template data type.

Alias of Enum['ima', 'ima-ng', 'ima-sig']

pupmod-simp-ima - A Puppet Module for managing the IMA

--

Per Section 105 of the Copyright Act of 1976, these works are not entitled to
domestic copyright protection under US Federal law.

The US Government retains the right to pursue copyright protections outside of
the United States.

The United States Government has unlimited rights in this software and all
derivatives thereof, pursuant to the contracts under which it was developed and
the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

ima

Version information

This version is compatible with:

Start using this module

Documentation

Table of Contents

Description

This is a SIMP module

Setup

What ima affects

Beginning with the IMA module

Usage

Reference

Limitations

Development

Acceptance tests

Reference

Table of Contents

Classes

Data types

Classes

ima

Parameters

enable

mount_dir

ima_audit

ima_template

ima_hash

ima_tcb

log_max_size

ima_tcb

log_max_size

ima::appraise

It is also recommended, although not necessary, to enable the management of the ima

policy by including the ima::policy module in you classes because the default

policy is over zealous

Parameters

enable

relabel_file

scriptdir

force_fixmode

ensure_packages

ima::appraise::fixmode

Parameters

relabel_file

relabel

ima::appraise::relabel

Parameters

relabel_file

scriptdir

ima::policy

Parameters

manage

dont_watch_proc

dont_watch_sysfs

dont_watch_debugfs

dont_watch_tmpfs

dont_watch_ramfs

dont_watch_securityfs

dont_watch_devpts

dont_watch_binfmtfs

dont_watch_selinux

dont_watch_nfs

dont_watch_cgroup

dont_watch_initrc_var_log_t

dont_watch_rpm_var_cache_t

dont_watch_puppet_log_t

dont_watch_auditd_log_t

dont_watch_auth_cache_t

dont_watch_fsadm_log_t

dont_watch_rsync_log_t

`ima`

`enable`

`mount_dir`

`ima_audit`

`ima_template`

`ima_hash`

`ima_tcb`

`log_max_size`

`ima_tcb`

`log_max_size`

`ima::appraise`

policy by including the `ima::policy` module in you classes because the default

`enable`

`relabel_file`

`scriptdir`

`force_fixmode`

`ensure_packages`

`ima::appraise::fixmode`

`relabel_file`

`relabel`

`ima::appraise::relabel`

`relabel_file`

`scriptdir`

`ima::policy`

`manage`

`dont_watch_proc`

`dont_watch_sysfs`

`dont_watch_debugfs`

`dont_watch_tmpfs`

`dont_watch_ramfs`

`dont_watch_securityfs`

`dont_watch_devpts`

`dont_watch_binfmtfs`

`dont_watch_selinux`

`dont_watch_nfs`

`dont_watch_cgroup`

`dont_watch_initrc_var_log_t`

`dont_watch_rpm_var_cache_t`

`dont_watch_puppet_log_t`

`dont_watch_auditd_log_t`

`dont_watch_auth_cache_t`

`dont_watch_fsadm_log_t`

`dont_watch_rsync_log_t`

`dont_watch_getty_log_t`

`dont_watch_nscd_log_t`

`dont_watch_cron_log_t`

`dont_watch_lastlog_t`

`dont_watch_var_log_t`

`dont_watch_wtmp_t`

`dont_watch_list`

`measure_root_read_files`

`measure_file_mmap`

`measure_bprm_check`

`measure_module_check`

`appraise_fowner`

`Ima::Template`