Security policies configuration

The Trusted Execution (TE) feature provides you with a run-time file integrity verification mechanism. Using this mechanism, the system can be configured to check the integrity of the trusted files before every request to access those files, effectively allowing only the trusted files that pass the integrity check to be accessed on the system.

When a file is marked as trusted (by adding its definition to the Trusted Signature Database), the TE feature can be made to monitor its integrity on every access. TE can continuously monitor the system and is capable of detecting tampering of any trusted file (by a malicious user or application) present on the system at run time (for example, at load time). If a file is found to have been tampered with, TE can take corrective actions based on pre-configured policies, such as disallowing execution of or access to the file, or logging an error. If a file being opened or executed has an entry in the Trusted Signature Database (TSD), TE proceeds as follows:
  • Before loading the binary, the component responsible for loading the file (system loader) invokes the Trusted Execution subsystem, and calculates the hash value using the SHA-256 algorithm (configurable).
  • This run-time calculated hash value is matched with the one stored in the TSD.
  • If the values match, the file opening or execution is permitted.
  • If the values do not match, the binary has either been tampered with or otherwise compromised. It is up to the user to decide the action to be taken. The TE mechanism provides options for users to configure their own policies for the actions to be taken when the hash values do not match.
  • Based on these configured policies, a relevant action is taken.
The following policies can be configured:
CHKEXEC
Check hash value of only the trusted executables before loading them in memory for execution.
CHKSHLIBS
Check the hash value of only the trusted shared libraries before loading them in memory for execution.
CHKSCRIPTS
Check the hash value of only the trusted shell scripts before loading them in memory.
CHKKERNEXT
Check the hash value of only the kernel extension before loading it in memory.
STOP_UNTRUSTD
Stop loading of files that are not trusted. Only files belonging to TSD are loaded. This policy only works in combination with any of the CHK* policies mentioned above. For example, if CHKEXEC=ON and STOP_UNTRUSTD=ON, then any executable binary that does not belong to TSD is blocked from execution.
STOP_ON_CHKFAIL
Stop loading of trusted files that fail the hash value check. This policy also works only in combination with the CHK* policies. For example, if CHKSHLIBS=ON and STOP_ON_CHKFAIL=ON, then any trusted shared library whose run-time hash value does not match its TSD value is blocked from being loaded into memory for use.
TSD_LOCK
Lock TSD so it is not available for editing.
TSD_FILES_LOCK
Lock trusted files. This does not allow opening of trusted files in write mode.
TE
Enable or disable the Trusted Execution functionality. The policies listed above are in effect only when TE is enabled.
The following table gives the interaction between different CHK* policies and STOP* policies when enabled:
| Policy     | STOP_UNTRUSTD                                                     | STOP_ON_CHKFAIL                                                                    |
|------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------|
| CHKEXEC    | Stop loading of executables that do not belong to the TSD.        | Stop loading of executables whose hash values do not match the TSD values.         |
| CHKSHLIBS  | Stop loading of shared libraries that do not belong to the TSD.   | Stop loading of shared libraries whose hash values do not match the TSD values.    |
| CHKSCRIPTS | Stop loading of shell scripts that do not belong to the TSD.      | Stop loading of shell scripts whose hash values do not match the TSD values.       |
| CHKKERNEXT | Stop loading of kernel extensions that do not belong to the TSD.  | Stop loading of kernel extensions whose hash values do not match the TSD values.   |
Note: A policy can be enabled or disabled at any time until TE is turned on, which brings the policies into effect. Once a policy is in effect, disabling it takes effect only on the next boot cycle. All informational messages are logged to syslog.
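The following is an added model of the load-time decision described in the numbered steps above and in the CHK*/STOP* interaction table; it is example code written for this page, not AIX or trustchk source. It assumes a simplified in-memory TSD (a constructed dict mapping a path to a SHA-256 hex digest, not the real TSD file format) and treats the file class and policy names exactly as the page lists them. Running it as a script walks a trusted file, a tampered copy of it, and an untrusted file through several policy combinations.

```python
"""Model of Trusted Execution (TE) policy evaluation at load time.

Added illustration only (not AIX code). The TSD below is a constructed
in-memory table: path -> SHA-256 hex digest of the trusted contents.
"""
import hashlib
from enum import Enum


class FileClass(Enum):
    """Maps each kind of loadable file to the CHK* policy that governs it."""
    EXEC = "CHKEXEC"
    SHLIB = "CHKSHLIBS"
    SCRIPT = "CHKSCRIPTS"
    KERNEXT = "CHKKERNEXT"


# Every policy starts OFF; callers override only the ones they turn ON.
DEFAULT_POLICIES = {
    "TE": "OFF", "CHKEXEC": "OFF", "CHKSHLIBS": "OFF", "CHKSCRIPTS": "OFF",
    "CHKKERNEXT": "OFF", "STOP_UNTRUSTD": "OFF", "STOP_ON_CHKFAIL": "OFF",
    "TSD_LOCK": "OFF", "TSD_FILES_LOCK": "OFF",
}


def sha256_hex(data: bytes) -> str:
    """Run-time hash of the file contents (the page's default algorithm)."""
    return hashlib.sha256(data).hexdigest()


def check_load(path, contents, file_class, tsd, policies):
    """Decide whether the loader may load `contents` found at `path`.

    Returns (allowed, reason). The reason strings stand in for the
    informational messages that the real subsystem sends to syslog.
    """
    pol = {**DEFAULT_POLICIES, **policies}
    if pol["TE"] != "ON":
        return True, "TE=OFF: no integrity check performed"
    if pol[file_class.value] != "ON":
        return True, f"{file_class.value}=OFF: this file class is not checked"
    expected = tsd.get(path)
    if expected is None:
        # File has no TSD entry: untrusted. Only STOP_UNTRUSTD blocks it.
        if pol["STOP_UNTRUSTD"] == "ON":
            return False, "not in TSD and STOP_UNTRUSTD=ON: load blocked"
        return True, "not in TSD: loaded as untrusted (logged)"
    # Trusted file: compare the run-time hash with the stored one.
    if sha256_hex(contents) == expected:
        return True, "hash matches TSD: load permitted"
    if pol["STOP_ON_CHKFAIL"] == "ON":
        return False, "hash mismatch and STOP_ON_CHKFAIL=ON: load blocked"
    return True, "hash mismatch: loaded, integrity violation logged"


def build_sample_tsd():
    """Constructed TSD with one trusted executable and one trusted library."""
    return {
        "/usr/bin/ls": sha256_hex(b"ELF trusted ls contents"),
        "/usr/lib/libc.a": sha256_hex(b"trusted libc archive"),
    }


if __name__ == "__main__":
    tsd = build_sample_tsd()
    strict = {"TE": "ON", "CHKEXEC": "ON", "CHKSHLIBS": "ON",
              "STOP_UNTRUSTD": "ON", "STOP_ON_CHKFAIL": "ON"}
    audit_only = {"TE": "ON", "CHKEXEC": "ON", "CHKSHLIBS": "ON"}
    cases = [
        ("/usr/bin/ls", b"ELF trusted ls contents", FileClass.EXEC),
        ("/usr/bin/ls", b"ELF tampered ls contents", FileClass.EXEC),
        ("/tmp/untrusted.bin", b"anything", FileClass.EXEC),
    ]
    for name, pol in (("strict", strict), ("audit-only", audit_only)):
        for path, data, cls in cases:
            allowed, why = check_load(path, data, cls, tsd, pol)
            print(f"[{name}] {path}: {'ALLOW' if allowed else 'BLOCK'} ({why})")
```

With every STOP* policy off, TE still hashes trusted files and records mismatches but never refuses a load, which is the audit-only posture the page describes as "logging error"; turning on STOP_ON_CHKFAIL converts a mismatch into a block, and STOP_UNTRUSTD separately blocks files with no TSD entry at all, matching the two columns of the interaction table.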