#!/usr/bin/bash # # This script helps set up IMA. # IMA_SYSTEMD_POLICY=/etc/ima/ima-policy IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy usage() { echo "Set up IMA." cat <reinstall_threshold packages in the RPM DB missing IMA signatures, reinstalling the packages to add IMA signatures to the packages. By default, IMA sigatures will be obtained from the RPM DB. However the RPM DB may not have the signatures. Dectect this case by checking if there are >reinstall_threshold package missing IMA signatures. EOF exit 1 } for _opt in "$@"; do case "$_opt" in --policy=*) ima_policy_path=${_opt#*=} if [[ ! -e $ima_policy_path ]]; then echo "$policy_file doesn't exist" exit 1 fi ;; --reinstall_threshold=*) reinstall_threshold=${_opt#*=} ;; *) usage ;; esac done if [[ $# -eq 0 ]]; then usage fi echo "Installing prerequisite package rpm-plugin-ima" if ! dnf install rpm-plugin-ima -yq; then echo "Failed to install rpm-plugin-ima, abort" exit 1 fi # Add IMA signatures if test -f /run/ostree-booted; then echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process." else echo "Adding IMA signatures to installed package files" if ! ima-add-sigs; then echo "Failed to add IMA signatures, abort" exit 1 fi fi load_ima_keys() { local _key_loaded if line=$(keyctl describe %keyring:.ima); then _ima_id=${line%%:*} else echo "Failed to get ID of the .ima keyring" exit 1 fi for i in /etc/keys/ima/*; do if [ ! -f "${i}" ]; then echo "No IMA key exist" exit 1 fi if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then echo "Failed to load IMA key ${i}" else _key_loaded=yes fi done if [[ $_key_loaded != yes ]]; then echo "No IMA key loaded" exit 1 fi } load_ima_policy() { local ima_policy_path ima_policy_path=$1 if ! test -f "$ima_policy_path"; then echo "$ima_policy_path doesn't exist" return 1 fi if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then echo "$ima_policy_path can't be loaded" return 1 fi # Let systemd load the IMA policy which will load LSM rules first so IMA # policy containing rules like "appraise obj_type=ifconfig_exec_t" can be # loaded [[ -e /etc/ima ]] || mkdir -p /etc/ima/ if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY" return 1 fi } echo "Loading IMA keys" load_ima_keys # Include the dracut integrity module to load the IMA keys and policy # automatically when there is a system reboot if ! lsinitrd --mod | grep -q integrity; then cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module" dracut -f if command -v grubby >/dev/null; then _default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p") if [[ $_default_kernel != $(uname -r) ]]; then echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well" dracut -f --kver "$_default_kernel" fi fi fi if ! load_ima_policy "$ima_policy_path"; then echo "Failed to load IMA policy $ima_policy_path!" exit 1 fi