Date: Tue, 7 Aug 2012 10:42:20 +0300
From: Efstratios Karatzas <gpf.kira@gmail.com>
To: soc-status@freebsd.org
Subject: Kernel Level File Integrity Checker report #11
Message-ID: <CAHywV0gKD5iT9JfY0RfWgBt5sUShsOzwZ7nKi-86XDZgu=A3bQ@mail.gmail.com>

During week #11:

* sys/kern/kern_exec.c: Introduced a new sysctl var (vfs.pefs.exec.enable)
  for use during development phase instead of using kern.securelevel. When it
  is turned on, we check if schg is turned on for the executable file; if not,
  we fail. In case of a shell script, only the interpreter executable is
  checked instead. Next step involves moving this hack to a MAC hook as well
  as introducing checks for dynamically loaded libraries.

* After a talk with my mentor, I changed some things about how
  signing/verification of the .pefs.checksum file is done. Signature is now
  kept within the .pefs.checksum file (at the beginning of the file). Also, we
  now refrain from generating our own set of keys. /sbin/pefs asks the user to
  supply both keys for DSA in PEM format files.

Next tasks on the TODO list:

- more work with schg & execution control

--
Efstratios "GPF" Karatzas
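
A user-space model of the exec check described in this report, added here as an illustration and not taken from the project's kern_exec.c change. The file table, `lookup`, `shebang_interp` and `exec_check` are hypothetical names with constructed sample data; only the `SF_IMMUTABLE` (schg) value comes from FreeBSD's `<sys/stat.h>`.

```c
#include <stdint.h>
#include <string.h>

#define SF_IMMUTABLE 0x00020000u   /* schg; value from FreeBSD <sys/stat.h> */
/* Constructed sample data standing in for the filesystem (assumption). */
struct sample_file { const char *path; uint32_t flags; const char *head; };
static const struct sample_file files[] = {
    { "/bin/sh",             SF_IMMUTABLE, "\177ELF" },
    { "/usr/local/bin/tool", 0,            "\177ELF" },
    { "/home/u/run.sh",      0,            "#!/bin/sh\necho hi\n" },
    { "/home/u/bad.sh",      SF_IMMUTABLE, "#! /usr/local/bin/tool -x\n" },
};

static const struct sample_file *lookup(const char *path)
{
    for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++)
        if (strcmp(files[i].path, path) == 0)
            return &files[i];
    return NULL;
}

/* Returns 1 and fills buf for a "#!" script, 0 if not a script, -1 if malformed. */
static int shebang_interp(const char *head, char *buf, size_t len)
{
    if (strncmp(head, "#!", 2) != 0)
        return 0;
    head += 2 + strspn(head + 2, " \t");      /* skip "#!" and padding */
    size_t n = strcspn(head, " \t\n");        /* interpreter path length */
    if (n == 0 || n >= len)
        return -1;
    memcpy(buf, head, n);
    buf[n] = '\0';
    return 1;
}

/* Returns 0 to allow the exec, -1 to fail it; enable models vfs.pefs.exec.enable. */
int exec_check(int enable, const char *path)
{
    char interp[256];
    const struct sample_file *f;
    if (!enable)
        return 0;                             /* check switched off */
    if ((f = lookup(path)) == NULL)
        return -1;
    int r = shebang_interp(f->head, interp, sizeof(interp));
    if (r < 0 || (r == 1 && (f = lookup(interp)) == NULL))
        return -1;                            /* bad "#!" line or unknown interpreter */
    return (f->flags & SF_IMMUTABLE) ? 0 : -1; /* for a script: interpreter only */
}
```

With the constructed table, `/home/u/run.sh` is allowed although the script itself lacks schg, because only its interpreter `/bin/sh` is checked, while `/home/u/bad.sh` fails because its interpreter lacks the flag.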