Differences between revisions 2 and 3
Revision 2 as of 2015-06-15 02:23:29
Size: 1199
Comment:
Revision 3 as of 2015-06-26 04:27:49
Size: 1406
Comment:
Deletions are marked like this. Additions are marked like this.
Line 17: Line 17:
 * If something like [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766267|#766267 (debhelper: add file signature support in .deb packages)]] is implemented, the kernel support will already be present

Debate Essays on enabling CONFIG_IMA in the Debian kernel

Background on IMA

Wishlist bug report #788290

  • ?CONFIG_IMA=y

a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation (this was what convinced Ubuntu to enable it, anecdotally)

Security benefits:

  • Using the IMA-appraisal policy prevents the root execution of previously unseen binaries. This cannot be bypassed without rebooting to change the kernel boot parameter that enables it.

  • Using just the logging of binary hashes (the ima_tcb policy) can allow for post-fail malware detection and analysis (think: where else in my fleet has this hash been seen to be executed?) A systems administrator or incident response analyst can centrally detect whether critical system files have been modified or if malicious software has been executed.
  • If something like #766267 (debhelper: add file signature support in .deb packages) is implemented, the kernel support will already be present

AndrewPollock

  • ?CONFIG_IMA=n