Fapolicyd IMA integrity check scenario

[Koncpa]

No description provided.

[Koncpa]

Hi @sopos have question for you I noticed that fapolicyd integrity check with IMA allow executing binary after cat fapTestProgram > /usr/local/bin/fapTestProgram. But when I check and update IMA extended attributes it seem that hash is changed.

:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'cat fapTestProgram > /usr/local/bin/fapTestProgram'
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'cat fapTestProgram > /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram'
getfattr: Removing leading '/' from absolute path names
file: usr/local/bin/fapTestProgram
security.ima=0x040429209638bae3f3375e33b7af99d571dad39531e525af6ed7c579271eb1d575d0
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'evmctl ima_hash -a sha256 /usr/local/bin/fapTestProgram'
hash(sha256): 040464e508443d30e995125aa9f34aaa93124771c40a80ff132860f44c69361e8481
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'evmctl ima_hash -a sha256 /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram'
getfattr: Removing leading '/' from absolute path names
file: usr/local/bin/fapTestProgram
security.ima=0x040464e508443d30e995125aa9f34aaa93124771c40a80ff132860f44c69361e8481
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000
:: [ 03:32:21 ] :: [   PASS   ] :: Command 'getfattr -m - -d -e hex /usr/local/bin/fapTestProgram' (Expected 0, got 0)
:: [ 03:32:21 ] :: [  BEGIN   ] :: Running 'timeout 2 su - testuser1 -c "/usr/local/bin/fapTestProgram"'
fapTestProgram2
Session terminated, killing shell... ...killed.
:: [ 03:32:25 ] :: [   FAIL   ] :: Command 'timeout 2 su - testuser1 -c "/usr/local/bin/fapTestProgram"' (Expected 126, got 124)

Is this behavior normal or have I encountered a bug? Just FYI, when you use the sha256 integrity check, fapolicyd refuses to run the binary in the same step.

[sopos]

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

[Koncpa]

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

[sopos]

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

Seems it could be just by terminal handling. If I run tmt in --interactive I can see the strings while in the normal mode I cannot. May be using unbuffer or something like that could improve it.

[Koncpa]

But probably that's not related issue, when I provide integrity check via sha256 the output fapTestProgram also does not print the fapTestProgram string.

Seems it could be just by terminal handling. If I run tmt in --interactive I can see the strings while in the normal mode I cannot. May be using unbuffer or something like that could improve it.

Weird, I also use interactive mode and cannot see anything.

tmt run -vvv plan -n ima-integrity discover prepare provision -h connect --guest IP --password PASSWD execute --how tmt --interactive login finish

[Koncpa]

That really seems to be a bug. Though, it is suspicious that the fapTestProgram does not print the fapTestProgram string.

Anyways I'll try it on various version of OS and report it.

[sopos]

seems sane to me, LGTM

[Koncpa]

Change for now for debuging.

[Koncpa]

Test work properly with different IMA setup, but in previous IMA setup bug persist.