1406
Comment:
|
← Revision 4 as of 2015-09-16 04:49:31 ⇥
1458
|
Deletions are marked like this. | Additions are marked like this. |
Line 11: | Line 11: |
a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation (this was what convinced Ubuntu to enable it, anecdotally) | a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation ([[https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1244627|this was what convinced Ubuntu to enable it]]) |
Debate Essays on enabling CONFIG_IMA in the Debian kernel
Background on IMA
Wishlist bug report #788290
?CONFIG_IMA=y
a null configuration allows organizations to make good use of it with an upstream kernel and causes no net performance degradation (this was what convinced Ubuntu to enable it)
Security benefits:
Using the IMA-appraisal policy prevents the root execution of previously unseen binaries. This cannot be bypassed without rebooting to change the kernel boot parameter that enables it.
- Using just the logging of binary hashes (the ima_tcb policy) can allow for post-fail malware detection and analysis (think: where else in my fleet has this hash been seen to be executed?) A systems administrator or incident response analyst can centrally detect whether critical system files have been modified or if malicious software has been executed.
If something like #766267 (debhelper: add file signature support in .deb packages) is implemented, the kernel support will already be present
?CONFIG_IMA=n