We're excited to announce the release of secadm version 0.2! We've been working hard on a new star feature: Integriforce.
You can download secadm 0.2 here and the GPG signature here. It was signed with Shawn Webb's GPG key with fingerprint 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE.
Change Log:
- New feature: Integriforce: executable file integrity through hash checking and enforcement
- Fix issue linking with prior versions of secadm
- Fix typos
- Various cleanups
Announcing Integriforce
This feature provides executable file integrity enforcement. If a rule exists for a given file, the hash recorded in the rule is compared with the hash of the file on disk. If the hashes don't match, execution may be disallowed, depending on the configuration settings. Integriforce is an optional, but powerful, feature. Integriforce currently supports SHA1 and SHA256. Both executables and shared libraries are supported. Please note that files that are under Integriforce management cannot be modified or deleted. The ruleset will need to be flushed prior to modifying or deleting the file.
When we did our call for testing (and thank you to those who tested!), only executable files were checked, not their dependencies (shared objects). With HardenedBSD v18 (sysctl hardening.version) and secadm 0.2, we now support checking the dependencies. This required a change in the runtime linker (also known as the RTLD) that calls into Integriforce if it is available. Additionally, there is a new kernel feature sysctl exposed, kern.features.integriforce.
Performance has increased as well. Files only get hashed once and the result of the hash check is cached. Since files that are under Integriforce management can't be modified, there's only a need to hash a single time. Prior to this performance enhancement, a build of the kernel could take a few hours on a recent Core i7 Haswell machine. Now there's only a ten-second increase in the time it takes to build the kernel. There are still improvements that can be made, but we're satisfied with our initial results.
If you want an automated way of generating the config section for your executables and their shared objects, take a look at this script to automate the process. You can run it as ./integriforce.zsh -f /path/to/file or ./integriforce.zsh -d /path/to/directory.
Example Integriforce Configuration:

{
    "integriforce": {
        "enforcing": "soft",
        "files": [
            {
                "path": "/bin/ls",
                "hash": "bc65cd516077173d58a3d430cbab1a6178f4ee1d24a89e5c76f2d107b1d385ec",
                "hash_type": "sha256"
            },
            {
                "path": "/tmp/ls",
                "hash": "a023ca4f6235d5216b4a2cf9effe98a5a76aaa6b",
                "hash_type": "sha1",
                "enforcing": "hard"
            }
        ]
    }
}
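To make the rule semantics above concrete (the per-file check described in the Integriforce section, and the shape of the configuration just shown), here is an added Python model that is not part of secadm, HardenedBSD, or the integriforce.zsh script. It builds a "files" entry from a real file the way the script does, then evaluates an execution request against the ruleset. The interpretation of the modes is an assumption made for this model: "soft" reports a mismatch but allows execution, "hard" refuses it. The sample files and the "tampering" step are constructed in a temporary directory so the block runs offline.

```python
import hashlib
import json
import os
import tempfile

# Hash algorithms Integriforce supports, per the announcement.
HASH_TYPES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_file(path, hash_type="sha256"):
    """Return the hex digest of a file, streamed in chunks."""
    h = HASH_TYPES[hash_type]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_rule(path, hash_type="sha256", enforcing=None):
    """Build one 'files' entry in the shape of the example configuration."""
    rule = {"path": path, "hash": hash_file(path, hash_type), "hash_type": hash_type}
    if enforcing is not None:  # per-file override, like the /tmp/ls entry above
        rule["enforcing"] = enforcing
    return rule


def make_config(paths, hash_type="sha256", enforcing="soft"):
    """Build a full 'integriforce' section for a list of executables."""
    files = [make_rule(p, hash_type) for p in paths]
    return {"integriforce": {"enforcing": enforcing, "files": files}}


def check_exec(config, path, cache=None):
    """Decide what happens when `path` is executed under `config`.

    Returns one of:
      "unmanaged" - no rule for this path, so Integriforce does not apply
      "ok"        - on-disk hash matches the rule
      "warn"      - mismatch under soft mode (assumed: logged, execution allowed)
      "deny"      - mismatch under hard mode (assumed: execution refused)
    `cache` models the hash-once optimisation: managed files cannot change, so a
    path that has already been checked is not hashed again.
    """
    section = config["integriforce"]
    rule = next((r for r in section["files"] if r["path"] == path), None)
    if rule is None:
        return "unmanaged"
    if cache is not None and path in cache:
        return cache[path]
    # A per-file "enforcing" overrides the section-wide default.
    mode = rule.get("enforcing", section["enforcing"])
    actual = hash_file(path, rule["hash_type"])
    if actual == rule["hash"]:
        verdict = "ok"
    else:
        verdict = "deny" if mode == "hard" else "warn"
    if cache is not None:
        cache[path] = verdict
    return verdict


def demo():
    """Constructed scenario: two scripts standing in for /bin/ls and /tmp/ls."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "ls")
    tampered = os.path.join(d, "ls-tmp")
    for p in (good, tampered):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
    config = make_config([good], "sha256", "soft")
    config["integriforce"]["files"].append(make_rule(tampered, "sha1", "hard"))
    # Modify the second file after the ruleset was built. On a real system
    # Integriforce prevents this; here it simply produces a hash mismatch.
    with open(tampered, "ab") as f:
        f.write(b"echo modified\n")
    results = {
        "good": check_exec(config, good),
        "tampered": check_exec(config, tampered),
        "other": check_exec(config, os.path.join(d, "nope")),
    }
    # Drop the per-file override so the section-wide "soft" mode applies.
    del config["integriforce"]["files"][1]["enforcing"]
    results["tampered_soft"] = check_exec(config, tampered)
    return config, results


if __name__ == "__main__":
    cfg, res = demo()
    print(json.dumps(cfg, indent=4))
    print(res)
```

The "hash_type" field is carried per rule, so a ruleset can mix SHA1 and SHA256 entries exactly as the example configuration does; in practice SHA256 is the sensible default for new rules.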