Puppet Class: tpm::ima

Defined in:
manifests/ima.pp

Overview

Sets up IMA kernel boot flags if they are not enabled, and mounts the securityfs when they are.

Parameters:

  • enable (Boolean) (defaults to: true)

    If true, enable IMA on the system.

  • manage_policy (Boolean) (defaults to: false)

    If true, the tpm::ima::policy class will be included. Please read the documentation for that class carefully, as it can cause live filesystems to become read-only until a reboot.

  • mount_dir (Stdlib::AbsolutePath) (defaults to: '/sys/kernel/security')

    Where to mount the IMA securityfs.

  • ima_audit (Boolean) (defaults to: true)

    Audit control. Can be set to:

    true  - Enable additional integrity auditing messages
    false - Enable integrity auditing messages (default)
  • ima_template (Tpm::Ima::Template) (defaults to: 'ima-ng')

    A pre-defined IMA measurement template format.

  • ima_hash (String) (defaults to: 'sha256')

    The list of supported hashes can be found in crypto/hash_info.h.

  • ima_tcb (Boolean) (defaults to: true)

    Toggle the TCB policy. This means IMA will measure all programs exec’d, all files mmap’d for exec, and all files opened for read by uid=0. Defaults to true.

  • log_max_size (Integer) (defaults to: 30000000)

    The size, in bytes, of /sys/kernel/security/ima/ascii_runtime_measurements at which a reboot notification will be sent to the user.

Author:

  • Nick Markowski <namarkowski@keywcorp.com>

  • Trevor Vaughan <tvaughan@onyxpoint.com>



# File 'manifests/ima.pp', line 34

class tpm::ima (
  Boolean              $enable        = true,
  Boolean              $manage_policy = false,
  Stdlib::AbsolutePath $mount_dir     = '/sys/kernel/security',
  Boolean              $ima_audit     = true,
  Tpm::Ima::Template   $ima_template  = 'ima-ng',
  String               $ima_hash      = 'sha256',
  Boolean              $ima_tcb       = true,
  Integer              $log_max_size  = 30000000
){

  if $enable {
    if $facts['cmdline']['ima'] == 'on' {
      mount { $mount_dir:
        ensure   => mounted,
        atboot   => true,
        device   => 'securityfs',
        fstype   => 'securityfs',
        target   => '/etc/fstab',
        remounts => true,
        options  => 'defaults',
        dump     => '0',
        pass     => '0'
      }
    }

    kernel_parameter { 'ima':
      value    => 'on',
      bootmode => 'normal'
    }
    # The kernel parses ima_audit as 0 or 1, so translate the Boolean
    kernel_parameter { 'ima_audit':
      value    => $ima_audit ? { true => '1', default => '0' },
      bootmode => 'normal'
    }
    kernel_parameter { 'ima_template':
      value    => $ima_template,
      bootmode => 'normal'
    }
    kernel_parameter { 'ima_hash':
      value    => $ima_hash,
      bootmode => 'normal'
    }

    if $ima_tcb {
      kernel_parameter { 'ima_tcb':
        notify => Reboot_notify['ima_reboot']
      }
    }

    # This feature will remain commented out until the generated policy
    #  can be safely imported. As of now, it makes the system read-only
    # if $manage_policy {
    #   include '::tpm::ima::policy'
    # }

    # Guard against an undef fact (IMA not yet active on this boot):
    # undef >= Integer is an evaluation error in Puppet
    if $facts['ima_log_size'] and $facts['ima_log_size'] >= $log_max_size {
      reboot_notify { 'ima_log':
        reason => 'The IMA /sys/kernel/security/ima/ascii_runtime_measurements is filling up kernel memory. Please reboot to clear.'
      }
    }
  }
  else {
    kernel_parameter { [ 'ima_tcb' ]:
      ensure => 'absent',
      notify => Reboot_notify['ima_reboot']
    }
    kernel_parameter { [ 'ima', 'ima_audit', 'ima_template', 'ima_hash' ]:
      ensure   => 'absent',
      bootmode => 'normal'
    }
  }

  reboot_notify { 'ima_reboot':
    subscribe => [
      Kernel_parameter['ima'],
      Kernel_parameter['ima_audit'],
      Kernel_parameter['ima_template'],
      Kernel_parameter['ima_hash']
    ]
  }
}
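The class above reacts to three signals: the `ima*` kernel parameters on the running command line (the `cmdline` fact), securityfs mounted at `mount_dir`, and the measurement log size against `log_max_size`. The script below is an added example, not code from the tpm module, that audits those same signals read-only; its inputs are passed as strings and the sample cmdline and mount table are constructed, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the tpm module): read-only audit of the state
# that tpm::ima manages, driven by the same three signals the class uses.

# Print the value of KEY from a kernel cmdline string ("present" for a bare
# flag such as ima_tcb); return 1 if KEY is absent.
cmdline_param() {
  for tok in $1; do
    case $tok in
      "$2")   echo present; return 0 ;;
      "$2"=*) echo "${tok#*=}"; return 0 ;;
    esac
  done
  return 1
}

# Return 0 when a /proc/mounts-style table shows securityfs mounted on DIR.
securityfs_mounted_at() {
  printf '%s\n' "$1" | awk -v d="$2" '$2 == d && $3 == "securityfs" { f = 1 } END { exit !f }'
}

# Return 0 when the measurement log has reached the threshold, mirroring the
# class's condition: $facts['ima_log_size'] >= $log_max_size.
log_needs_reboot() {
  [ "$1" -ge "$2" ]
}

# Run every check against CMDLINE MOUNTS LOG_SIZE MOUNT_DIR LOG_MAX_SIZE;
# print one line per finding and return the number of findings.
ima_report() {
  n=0
  [ "$(cmdline_param "$1" ima)" = on ] || { echo 'WARN ima=on missing from cmdline'; n=$((n+1)); }
  cmdline_param "$1" ima_tcb >/dev/null || { echo 'WARN ima_tcb flag missing from cmdline'; n=$((n+1)); }
  securityfs_mounted_at "$2" "$4" || { echo "WARN securityfs not mounted at $4"; n=$((n+1)); }
  log_needs_reboot "$3" "$5" && { echo 'WARN measurement log at/over log_max_size; reboot to clear'; n=$((n+1)); }
  return $n
}

# Constructed sample data (not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro ima=on ima_audit=1 ima_template=ima-ng ima_hash=sha256 ima_tcb'
SAMPLE_MOUNTS='sysfs /sys sysfs rw 0 0
securityfs /sys/kernel/security securityfs rw 0 0'

ima_report "$SAMPLE_CMDLINE" "$SAMPLE_MOUNTS" 12345 /sys/kernel/security 30000000 && echo 'IMA state OK'
```

On a live host, feed it `$(cat /proc/cmdline)`, `$(cat /proc/mounts)` and `$(stat -c %s /sys/kernel/security/ima/ascii_runtime_measurements)` in place of the constructed values.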