Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-ima', '0.4.0'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Description
- Setup - The basics of getting started with ima
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module manages the Integrity Management Architecture (IMA),
a tool that verifies the integrity of the system, based on filesystem
and file hashes. The IMA class sets up IMA kernel boot flags if
they are not enabled and when they are, mounts the securityfs
. This module can
manage the IMA policy, although modifying the policy incorrectly could cause
your system to become read-only.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the
$enable_*
and$manage_*
parameters inmanifests/init.pp
for details.
Setup
What ima affects
WARNING
Inserting poorly-formed or incorrect policy into the IMA policy file could cause your system to become read-only. This can be temporarily remedied by rebooting and setting ima_appraise to fix in the kernel command line parameters. This is the current case with the way the module manages the policy and it is not recommended to use this section of the module at this time.
This module will:
- Enable IMA on the host
- (OPTIONAL) Manage the IMA policy (BROKEN - See Limitations)
Beginning with the IMA module
classes:
- ima::appraise
- ima::policy
To remove IMA, first disable components by adding this to hiera:
ima::policy::enable: false
ima::appraise::enable: false
ima::enable: false
This removes systems parameters managed IMA. The classes can then be removed.
Usage
Reference
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux
and compatible distributions, such as CentOS. Please see the file
metadata.json
for the most up-to-date list of
supported operating systems, Puppet versions, and module dependencies.
The default configuration of this module updates EFI boot parameters if they are present. If the system relies upon BIOS for boot, ensure there is not an EFI grub.cfg or grub2.cfg present or the BIOS grub config file will not be updated.
The current RedHat implementation of IMA does not seem to work after inserting
our default policy (generated example in spec/files/default_ima_policy.conf
).
It causes the system to become read-only, even though it is only using supported
configuration elements. The module will be updated soon with more sane defaults
to allow for at least the minimal amount of a system to be measured.
To get started, include the ima::policy
class and set these parameters.
From there, they can be changed to true
on one by one:
ima::policy::measure_root_read_files: false
ima::policy::measure_file_mmap: false
ima::policy::measure_bprm_check: false
ima::policy::measure_module_check: false
ima::policy::appraise_fowner: false
Development
Please read our Contribution Guide
Acceptance tests
To run the system tests, you need Vagrant
installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug
: show the commands being run on the STU and their output.BEAKER_destroy=no
: prevent the machine destruction after the tests finish so you can inspect the state.BEAKER_provision=no
: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.BEAKER_use_fixtures_dir_for_modules=yes
: cause all module dependencies to be loaded from thespec/fixtures/modules
directory, based on the contents of.fixtures.yml
. The contents of this directory are usually populated bybundle exec rake spec_prep
. This can be used to run acceptance tests to run on isolated networks.
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.1
- Removed EL6 support
- Mon Dec 16 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.3.0-0
- Add EL8 support
- Tue Jul 16 2019 Robert Vincent pillarsdotnet@gmail.com - 0.2.0-0
- Provide Puppet-6 compatibility.
- Facter.value(:cmdline) is not always set.
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.1.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Thu Nov 01 2018 Jeanne Greulich jeanne.greulich@onypoint.com - 0.1.0-0
- static asset updates
- Fri Sep 14 2018 Michael Morrone michael.morrone@onypoint.com - 0.1.0-0
- Made ima::appraise and ima::policy unambiguously public classes
- Thu Aug 09 2018 Michael Morrone michael.morrone@onypoint.com - 0.1.0-0
- Initial module
- Originially developed in SIMP TPM module
Dependencies
- herculesteam/augeasproviders_grub (>= 2.3.0 < 4.0.0)
- simp/simplib (>= 3.1.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
pupmod-simp-ima - A Puppet Module for managing the IMA -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.