IMA-Appraisal HASH: the fix mode and enforce mode explained

In the appraisal subsystem of IMA (Integrity Measurement Architecture), the ima_appraise= boot parameter controls how file integrity verification behaves. Two modes matter for the hash (the file's hash value): fix and enforce. They are described in detail below:

1. fix mode (repair mode)

  • Purpose: allows the system to create or update the hash reference value of a protected file (stored in the security.ima extended attribute), even when the current hash is missing or damaged.
  • Typical scenarios:
    • First deployment: if files have not yet had hashes generated, fix mode can generate them in bulk and avoid a boot failure.
    • Repair: after a file has been legitimately modified (e.g. a configuration update), its hash has to be regenerated.
  • Limitations:
    • Only effective for unsigned files (a signed file must pass signature verification; its hash cannot be updated through fix).
    • Must be combined with a policy rule such as appraise_tcb; otherwise no file is appraised by default and fix has no practical effect.
  • Procedure:
    1. Add the boot parameters: ima_appraise=fix ima_policy=appraise_tcb
    2. Trigger hash generation by accessing the files (e.g. by walking the filesystem with find):
      find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;

    3. Verify that the extended attribute was generated:
      getfattr -m - -d /sbin/init  # should show the security.ima value


2. enforce mode

  • Purpose: strictly verifies the file hash; if the current hash of the file does not match the stored reference value, access is denied (Permission denied is returned and an audit log entry is written).
  • Behaviour details:
    • On read: the hash is verified; if verification fails, access is denied.
    • On write: writing is allowed, but the hash is only updated on the last close of the file (so that frequent writes do not hurt performance).
  • Typical scenario:
    • Enabled for the long-running phase once deployment is complete, to ensure files have not been tampered with.
  • Procedure:
    1. After the hashes have been initialised in fix mode, reboot and switch to enforce mode:
      ima_appraise=enforce ima_policy=appraise_tcb


3. Key comparison

Mode    | Hash handling                                | Access control                      | Applicable scenario
fix     | creates/updates missing or wrong hash values | unrestricted (access allowed)       | first deployment, hash repair
enforce | strictly verifies hash values                | access denied when the hash differs | enforced integrity protection in production

4. Notes

  • UEFI Secure Boot: if it is enabled, the enforce mode cannot be changed via boot parameters (it is enforced by default).
  • Signed files: fix mode cannot update the hash of an already-signed file (the file must be re-signed); such files should use enforce mode together with signature verification.
By switching between fix and enforce, IMA covers the complete lifecycle from initialisation to enforced protection.

5. Reference

ima_appraise

The ima_appraise= argument can change the default enforce appraise mode.

Note

The mode can only be changed if secure boot in the UEFI firmware is disabled. If UEFI secure boot is enabled, the default enforce cannot be changed. See Built-in Policy Rules. This is not the same as the ima_policy=secure_boot command line argument.

This command line argument is only available if CONFIG_IMA_APPRAISE_BOOTPARAM is set.

This specifies the effect of the policy rule appraise action. The four values are:

  • enforce causes IMA to appraise files. Access is denied to the appraised file if the stored hash is missing or does not match the collected value.

  • log is similar to enforce except access is not denied but only logged to /var/log/audit/audit.log.

  • off disables all appraisal. The stored hashes aren’t checked or logged. New stored hashes are not generated or updated.

  • fix enables the IMA repair mode. The stored hash reference value of a protected file can be created or updated. The file hash is (re)calculated and stored.

    fix is often used on first boot. This will allow the system to boot up even when no (or wrong) hashes are registered.

    fix only creates and updates hashes on files that would otherwise be appraised. If using a custom IMA policy, that policy must be loaded first. If neither ima_policy=appraise_tcb nor a custom policy is loaded, the default policy is to not appraise anything, and fix will have no effect. Additionally, this process may need to be repeated if there’s a change in the IMA policy.

    fix only updates hashes on files that have no signatures. It cannot create a file signature.

A typical procedure for adding file data hashes and meta-data HMAC is:

  • boot first in fix mode

  • open for read all files that will be appraised

    Example

    find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;
    
  • When done, the stored hash value should show as an extended attribute:

    Example

    getfattr -m - -d /sbin/init
    # file: sbin/init
    security.ima=0sAXr7Qmun5mkGDS286oZxCpdGEuKT
    security.selinux="system_u:object_r:init_exec_t"
    
  • reboot in appraise mode

    The system should now run with appraisal enabled, causing the system to validate the hash against the stored value before using it. If it doesn’t match, then the file is not loaded and any access will be denied.

Note: Appraisal can be verified by booting with ima_appraise=off, changing the contents of a root-owned file (or the value of the extended attribute), and rebooting with ima_appraise=enforce.
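Both the post's own steps (boot in fix mode, walk the files, check getfattr, reboot into enforce) and the reference procedure end by inspecting the security.ima attribute. The script below is an added example, not code from the original post or from the IMA project: it decodes a value in the form getfattr prints it ("0s" followed by base64), tells a plain hash apart from a signature, and compares the stored digest with a freshly computed one, so a tree can be audited after a fix-mode pass or a "Permission denied" in enforce mode can be explained offline. The xattr layout it assumes is the kernel's (type byte 0x01 for the legacy sha1 digest, 0x04 for a digest preceded by a hash-algorithm id, 0x03 for a signature; algorithm ids 2/4/5/6 for sha1/sha256/sha384/sha512). All function names, the temporary file and its contents are constructed for this example; ima_make_value only exists to fabricate sample input for a file that is not under IMA.

```shell
#!/bin/sh
# Added example (not from the post or the IMA project): decode and verify
# security.ima values. Assumes the kernel's xattr layout described in the text.

# "0s<base64>" (getfattr -e base64 form) -> lowercase hex string of the raw bytes
ima_xattr_hex() {
    printf '%s' "${1#0s}" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Classify the value: prints "<kind> <algorithm>"
ima_xattr_type() {
    hex=$(ima_xattr_hex "$1")
    case $hex in
        01*) echo "digest sha1" ;;              # IMA_XATTR_DIGEST (legacy, sha1 implied)
        04*) rest=${hex#??}                     # IMA_XATTR_DIGEST_NG: next byte is hash_algo id
             algo=${rest%"${rest#??}"}
             case $algo in
                 02) echo "digest-ng sha1" ;;
                 04) echo "digest-ng sha256" ;;
                 05) echo "digest-ng sha384" ;;
                 06) echo "digest-ng sha512" ;;
                 *)  echo "digest-ng unknown" ;;
             esac ;;
        03*) echo "signature -" ;;              # EVM_IMA_XATTR_DIGSIG: fix mode never rewrites these
        *)   echo "unknown -" ;;
    esac
}

# Hex digest carried by a digest / digest-ng value (fails on signatures)
ima_stored_digest() {
    hex=$(ima_xattr_hex "$1")
    case $hex in
        01*) printf '%s\n' "${hex#??}" ;;
        04*) printf '%s\n' "${hex#????}" ;;
        *)   return 1 ;;
    esac
}

# Hex digest of a file with the named algorithm
file_digest() {
    case $2 in
        sha1) sum=sha1sum ;; sha256) sum=sha256sum ;;
        sha384) sum=sha384sum ;; sha512) sum=sha512sum ;;
        *) return 1 ;;
    esac
    "$sum" "$1" | cut -d' ' -f1
}

# Verdict for one file and its stored value: match | MISMATCH | signed | unknown
ima_check_file() {
    file=$1 value=$2
    set -- $(ima_xattr_type "$value")
    case $1 in
        signature) echo signed;  return 0 ;;
        unknown)   echo unknown; return 2 ;;
    esac
    actual=$(file_digest "$file" "$2") || { echo unknown; return 2; }
    if [ "$actual" = "$(ima_stored_digest "$value")" ]; then
        echo match; return 0
    else
        echo MISMATCH; return 1
    fi
}

# Hex -> raw bytes through printf octal escapes (no xxd needed)
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}
        printf "\\$(printf '%03o' "$((0x$pair))")"
        h=${h#??}
    done
}

# Fabricate the digest-ng value fix mode would store (0x04, algo id, digest);
# used here only to construct sample input for a file that is not under IMA
ima_make_value() {
    case $2 in
        sha1) id=02 ;; sha256) id=04 ;; sha384) id=05 ;; sha512) id=06 ;;
        *) return 1 ;;
    esac
    printf '0s%s\n' "$(hex_to_bin "04$id$(file_digest "$1" "$2")" | base64 | tr -d '\n')"
}

# Live value of a file (needs getfattr and xattrs populated by IMA)
ima_xattr_of() {
    getfattr --absolute-names -n security.ima -e base64 "$1" 2>/dev/null |
        sed -n 's/^security\.ima=//p'
}

# Same file selection as the post's find command; reports root-owned regular
# files with a missing or stale stored hash (paths containing newlines not handled)
ima_audit_tree() {
    find "$1" -xdev -type f -uid 0 | while IFS= read -r f; do
        v=$(ima_xattr_of "$f")
        if [ -z "$v" ]; then echo "MISSING $f"; else echo "$(ima_check_file "$f" "$v") $f"; fi
    done
}

# Stand-alone demo: the value the post shows for /sbin/init, then a constructed
# temporary file that is modified after its digest has been taken
sample=0sAXr7Qmun5mkGDS286oZxCpdGEuKT
echo "post's /sbin/init value: $(ima_xattr_type "$sample"), digest $(ima_stored_digest "$sample")"
tmp=$(mktemp)
printf 'constructed content\n' > "$tmp"
val=$(ima_make_value "$tmp" sha256)
echo "fresh file:    $(ima_check_file "$tmp" "$val")"
printf 'tampered\n' > "$tmp"
echo "modified file: $(ima_check_file "$tmp" "$val")"
rm -f "$tmp"
```

Run as root on a system populated in fix mode, `ima_audit_tree /usr` lists the files that would still fail appraisal after switching to enforce; the decoding and comparison functions need nothing but coreutils and work on any file.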

posted @ 2025-07-30 11:09  云long