yunginnanet/go-ima
1
0
Fork 0
Code Issues Pull Requests repo.project Releases Packages Wiki Activity Actions
repo.no_desc
16 commits 1 branch 0 tags 46 KiB
  • Go 100%
Go to file
Exact
Cole Kennedy ea20284c74
 Update README.md
2021-09-29 04:18:02 -05:00
.gitignore add git ignore 2021-09-29 01:47:10 -05:00
go.mod add git ignore 2021-09-29 01:47:10 -05:00
go.sum add git ignore 2021-09-29 01:47:10 -05:00
LICENSE Create LICENSE 2021-09-29 02:06:59 -05:00
main.go cleanup 2021-09-29 04:16:12 -05:00
README.md Update README.md 2021-09-29 04:18:02 -05:00

README.md

go-ima

goima

Tool that checks the ima-log to see if a file has been tampered with.

How to use

  1. Set the IMA policy to tcb by configuring GRUB GRUB_CMDLINE_LINUX="ima_policy=tcb ima_hash=sha256 ima=on"
  2. Compile
  3. Grant permissions to read /sys/kernel/security/integrity/ima/ascii_runtime_measurements
  4. Run
./go-ima {file to check}

You will get an exit status of 0 if the file has not been modified since inception or boot. If you get an Exit status of 1 it means the IMA log contains at least one hash that does not match what is on disk. This could either be the sign of an attack, or somebody just editing files on your build server.

Limitations

  • Support for verifying against PCR register
  • Support for different hash schemes