Differences between revisions 3 and 4
Revision 3 as of 2015-06-26 04:27:49
Size: 1406
Revision 4 as of 2015-09-16 04:49:31
Size: 1458
Line 11: Line 11:
a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation (this was what convinced Ubuntu to enable it, anecdotally) a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation ([[https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1244627|this was what convinced Ubuntu to enable it]])
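Review bot: The sentence this revision touches is still a fragment: it starts in lower case, has no full stop, and leaves "null configuration" undefined, so a reader cannot tell which setup the "no net performance degradation" claim applies to. The new Launchpad link sources only the Ubuntu decision; consider stating in the same sentence what a null configuration means here, and whether the linked bug also backs the performance claim.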

Debate Essays on enabling CONFIG_IMA in the Debian kernel

Background on IMA

Wishlist bug report #788290

  • CONFIG_IMA=y

A null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation (this was what convinced Ubuntu to enable it).

Security benefits:

  • Using the IMA-appraisal policy prevents the root execution of previously unseen binaries. This cannot be bypassed without rebooting to change the kernel boot parameter that enables it.

  • Using just the logging of binary hashes (the ima_tcb policy) can allow for post-fail malware detection and analysis (think: where else in my fleet has this hash been seen to be executed?). A systems administrator or incident response analyst can centrally detect whether critical system files have been modified or if malicious software has been executed.
  • If something like #766267 (debhelper: add file signature support in .deb packages) is implemented, the kernel support will already be present.

AndrewPollock
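
The fleet-wide lookup described in the ima_tcb bullet above, as an added example that is not part of the original wiki page. It assumes each host's `/sys/kernel/security/ima/ascii_runtime_measurements` has been collected centrally as text, handles only the `ima` and `ima-ng` templates, and uses constructed host names and hashes.

```python
from collections import defaultdict

def parse_measurements(text):
    """Yield (digest, path) pairs from ascii_runtime_measurements text."""
    for line in text.splitlines():
        # Fields: PCR, template hash, template name, file data, path (rest of line)
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[4] == "boot_aggregate":
            continue
        template, filedata, path = parts[2], parts[3].lower(), parts[4]
        if template == "ima":        # legacy template: bare SHA-1 hex
            yield "sha1:" + filedata, path
        elif template == "ima-ng":   # already in "algo:hex" form
            yield filedata, path
        # other templates (e.g. ima-sig) carry extra fields and are skipped

def build_index(host_logs):
    """Map digest -> host -> set of paths measured with that digest."""
    index = defaultdict(lambda: defaultdict(set))
    for host, text in host_logs.items():
        for digest, path in parse_measurements(text):
            index[digest][host].add(path)
    return index

def hosts_with(index, digest):
    """Answer: where else in the fleet has this hash been measured?"""
    return {h: sorted(p) for h, p in index.get(digest.lower(), {}).items()}

def divergent_paths(index):
    """Paths measured with more than one digest, e.g. a modified system file."""
    by_path = defaultdict(set)
    for digest, hosts in index.items():
        for paths in hosts.values():
            for path in paths:
                by_path[path].add(digest)
    return {p: sorted(d) for p, d in by_path.items() if len(d) > 1}

# Constructed sample logs (not real measurements).
T = "0" * 40
GOOD, BAD, SSHD2 = ("sha256:" + c * 64 for c in "abc")
FLEET = {
    "web1": f"10 {T} ima-ng sha1:{T} boot_aggregate\n"
            f"10 {T} ima-ng {GOOD} /usr/sbin/sshd\n"
            f"10 {T} ima-ng {BAD} /tmp/.x/run\n",
    "web2": f"10 {T} ima-ng {SSHD2} /usr/sbin/sshd\n"
            f"10 {T} ima-ng {BAD} /var/tmp/update helper\n",
}
INDEX = build_index(FLEET)
```

`hosts_with(INDEX, BAD)` lists both hosts even though the file was run from different paths, and `divergent_paths(INDEX)` flags `/usr/sbin/sshd` because its digest differs between the two hosts.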

  • CONFIG_IMA=n