Puppet Class: ima::appraise

Defined in:
manifests/appraise.pp

Overview

Manage IMA Appraisal

To enable IMA appraisal, first make sure all your locally mounted file systems with root files on them are mounted with the `i_version` option.

(TODO: check for this and set if possible)

Then include the `ima::appraise` module in your classes.

It is also recommended, although not necessary, to enable management of the IMA policy by including the `ima::policy` module in your classes, because the default policy is overzealous.

When `puppet` runs it will configure the system to reboot into `ima_appraise` mode `fix`.

The system will then need to be rebooted and will notify with an `ima_appraise_fix_reboot` notice.

When the system is rebooted it will be in `fix` mode and it will label all the files with the required `security.ima` filesystem attribute. This takes a while. Puppet will notify not to reboot until this script completes. Puppet will notify with an `ima_appraise_enforce_reboot` notice when the script completes.

When the system is rebooted again it will boot into `ima_appraise` in `enforce` mode.

If you need to update files after the system has been in enforce mode:

1. Set ``ima::appraise::force_fixmode`` to ``true``,
2. Run ``puppet`` and reboot when prompted.

When you have completed the upgrade, run the script `/usr/local/bin/ima_security_attr_update.sh`.

When the script completes, set `force_fixmode` back to `false`, rerun `puppet`, and reboot when prompted.

Troubleshooting:

  • If you reboot and are getting SELinux errors or you do not have permissions to access your files, then you probably forgot to set `i_version` on your mounts in `/etc/fstab`.

  • If you reboot and it won't load the `initramfs`, then the `dracut` update didn't run. You can fix this by rebooting without the `ima` kernel settings, running `dracut -f` and then rebooting in `ima_appraise` mode.
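The two prerequisites above (every local file system mounted with `i_version`, and knowing which `ima_appraise` mode the kernel command line currently selects) can be checked before enabling the class. The following is an added example, not code from the SIMP ima module; it reads fstab-formatted text on stdin and a kernel command line string, so it can be run against constructed input as well as `/etc/fstab` and `/proc/cmdline`. The set of file system types treated as "local" is an assumption.

```shell
#!/bin/sh
# Added pre-flight checks for ima::appraise (not part of the SIMP module).

# Print mount points from fstab-formatted stdin whose options lack
# "i_version" (or the generic spelling "iversion").
# Only local file systems that can hold root-owned files are considered;
# the list of types below is an assumption for this example.
fstab_missing_iversion() {
  awk '
    /^[[:space:]]*#/ || NF < 4 { next }
    $3 !~ /^(ext[234]|xfs|btrfs)$/ { next }
    {
      n = split($4, opts, ",")
      found = 0
      for (i = 1; i <= n; i++)
        if (opts[i] == "i_version" || opts[i] == "iversion") found = 1
      if (!found) print $2
    }'
}

# Report the appraisal mode implied by a kernel command line:
#   - the value of ima_appraise= when present (fix, enforce, off, log)
#   - "enforce" when only ima_appraise_tcb is present (its default, as the
#     class itself assumes)
#   - "disabled" otherwise
ima_mode_from_cmdline() {
  cmdline=$1
  for word in $cmdline; do
    case $word in
      ima_appraise=*) echo "${word#ima_appraise=}"; return 0 ;;
    esac
  done
  for word in $cmdline; do
    [ "$word" = ima_appraise_tcb ] && { echo enforce; return 0; }
  done
  echo disabled
}

# Usage on a live system (not executed here):
#   fstab_missing_iversion < /etc/fstab
#   ima_mode_from_cmdline "$(cat /proc/cmdline)"
```

Any mount point printed by `fstab_missing_iversion` is one that will produce the SELinux/permission symptoms described in the first troubleshooting item once appraisal is enforced.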

Parameters:

  • enable (Boolean) (defaults to: true)

    Enable IMA appraise capability. Setting to false will remove IMA appraise boot settings from the system.

  • relabel_file (Stdlib::AbsolutePath) (defaults to: "${facts['puppet_vardir']}/simp/.ima_relabel")

    The file to touch when the file system needs relabeling

  • scriptdir (Stdlib::AbsolutePath) (defaults to: '/usr/local/bin')

    The directory to place scripts.

  • force_fixmode (Boolean) (defaults to: false)

    This will force the system into `fix` mode so you can update files and then relabel the system. Requires a reboot.

  • ensure_packages (Simplib::PackageEnsure) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }))

    Ensure setting for all packages installed by this module

# File 'manifests/appraise.pp', line 72

class ima::appraise(
  Boolean                $enable          = true,
  Stdlib::AbsolutePath   $relabel_file    = "${facts['puppet_vardir']}/simp/.ima_relabel",
  Stdlib::AbsolutePath   $scriptdir       = '/usr/local/bin',
  Boolean                $force_fixmode   = false,
  Simplib::PackageEnsure $ensure_packages = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
){
  include '::ima'

  if $enable {

    # Provides ability to check for special attributes
    package { 'attr':
      ensure => $ensure_packages
    }

    # Provides the utility to set the security.ima attributes.
    package { 'ima-evm-utils':
      ensure => $ensure_packages
    }

    kernel_parameter { 'ima_appraise_tcb':
      notify   => Reboot_notify['ima_appraise_reboot'],
      bootmode => 'normal'
    }

    kernel_parameter { 'rootflags':
      value    => 'i_version',
      bootmode => 'normal'
    }

    file { "${scriptdir}/ima_security_attr_update.sh":
      ensure => file,
      owner  => 'root',
      mode   => '0700',
      source => "puppet:///modules/${module_name}/ima_security_attr_update.sh"
    }

    # Check which ima_appraise mode is set on the boot cmdline
    if $force_fixmode {
      class { 'ima::appraise::fixmode':
        relabel_file => $relabel_file,
        relabel      => false
      }
    }
    else {
      case $facts['cmdline']['ima_appraise'] {
        'fix': {
          class { 'ima::appraise::relabel':
            relabel_file => $relabel_file
          }
        }
        'off' : {
          class { 'ima::appraise::fixmode':
            relabel_file => $relabel_file,
            relabel      => true
          }
        }
        'enforce' : {
          file { $relabel_file:
            ensure => absent
          }
        }
        default: {
          if $facts['cmdline']['ima_appraise_tcb'] {
            # ima_appraise_tcb on its own defaults to enforce mode.
            file { $relabel_file:
              ensure => absent
            }
          }
          else {
            # It is being turned on and should be set to fix mode
            class { 'ima::appraise::fixmode':
              relabel_file => $relabel_file,
              relabel      => true
            }
          }
        }
      }
    }
  }
  else {
    # If ima_appraise is disabled
    kernel_parameter { ['ima_appraise', 'ima_appraise_tcb']:
      ensure   => absent,
      bootmode => 'normal'
    }
    file { "${scriptdir}/ima_security_attr_update.sh":
      ensure => absent
    }
  }

  reboot_notify { 'ima_appraise_reboot':
    subscribe => [
      Kernel_parameter['ima_appraise_tcb'],
    ]
  }
}