Security Configuration Hardening Tool
Overview
This document provides a basic introduction and usage instructions for the security configuration hardening tool sec_conf.
Introduction to sec_conf
Background
openEuler supports various security features, including native Linux security features and community-developed security features. However, these features are scattered, difficult to configure, and have a steep learning curve for users. Additionally, for some security features with interception capabilities (such as IMA appraisal, secure boot, and access control), incorrect user configuration can lead to system boot failure or abnormal operation. Therefore, sec_conf aims to achieve an automated security configuration mechanism, allowing users to perform system security checks and hardening based on the tool, thereby better facilitating the implementation of openEuler security features in various application scenarios.
Function Introduction
sec_conf is a security hardening tool that helps administrators configure openEuler security features (such as IMA, DIM, and secure boot). You describe the desired hardening goals in a configuration file, and sec_conf generates the corresponding security feature configuration scripts from it.
Currently, sec_conf supports configurable security mechanisms for IMA, DIM, secure boot, and modsign.
Installation and Deployment
Installing Dependencies
The software required to compile secPaver (the project whose sec_conf branch ships this tool) includes:
- make
- golang 1.11+
Downloading Source Code
```shell
git clone https://gitee.com/openeuler/secpaver.git -b sec_conf
```
Compiling and Installing Software
```shell
cd secpaver
make
```
Install the software:
```shell
make install
```
Project File Format
The sec_conf project files consist of policy configuration files, check script template files, and configuration script template files.
Policy Configuration File
The policy configuration file holds the configuration for the DIM, IMA, secure boot, and kernel module verification features. It uses the YAML format; each field is described below:
Primary Configuration Item | Secondary Configuration Item | Type | Attribute | Description |
---|---|---|---|---|
name | N/A | string | optional | Name of the configuration. |
version | N/A | string | optional | Version number of the configuration policy. |
dim | enable | bool | optional | Enable/disable the DIM function. |
dim | measure_list | string array | optional | Objects that DIM measures. A user-space file is given as an absolute path, a kernel module as a valid kernel module name, and the kernel itself as "kernel". |
dim | log_cap | int | optional | Maximum number of measurement log entries. Once this many entries have been recorded, logging stops. Default: 100000. |
dim | schedule | int | optional | Time to yield (schedule) after measuring each process/module, in milliseconds. 0 means no scheduling. Default: 0. |
dim | interval | int | optional | Automatic measurement period, in minutes. 0 disables automatic measurement. Default: 0. |
dim | hash | string | optional | Measurement hash algorithm. Default: sha256. |
dim | core_pcr | int | optional | TPM PCR index to which the dim_core measurement result is extended. 0 means no extension. The value must be a PCR index that actually exists on the chip. Default: 0. |
dim | monitor_pcr | int | optional | TPM PCR index to which the dim_monitor measurement result is extended. 0 means no extension. The value must be a PCR index that actually exists on the chip. Default: 0. |
dim | signature | bool | optional | Whether to enable the DIM policy file signature mechanism. |
dim | auto_baseline | bool | optional | Whether to establish the DIM baseline automatically. If false, the administrator must generate the baseline manually. |
secure_boot | enable | bool | optional | Whether to enable secure boot. |
secure_boot | anti_rollback | bool | optional | Enable/disable the secure boot anti-rollback policy. |
secure_boot | verbose | bool | optional | Enable/disable secure boot related logs. |
modsign | enable | bool | optional | Whether to enable kernel module signature verification. |
ima | measure_list | string array | optional | List of files that IMA measures (absolute paths). |
ima | appraise_list | string array | optional | List of files that IMA appraises (absolute paths). |
Note:
- The sec_conf.yaml file must be placed at /usr/share/secpaver/scripts/sec_conf/sec_conf.yaml and cannot be renamed.
- Parameter types must comply with the requirements in the table above.
- If related configurations do not exist, default values are used.
Check Script Template and Configuration Script Template Files
Template files are written for the go-template engine, which combines a script template with the policy data and produces the final script text.
Check script templates live under the /usr/share/secpaver/scripts/sec_conf/check/ directory. This directory contains one script template per feature (DIM, IMA, and so on). The templates cannot be executed on their own; sec_conf renders them into the scripts that check the state of openEuler security features.
Configuration script templates live under the /usr/share/secpaver/scripts/sec_conf/gen/ directory. This directory likewise contains one script template per feature. The templates cannot be executed on their own; sec_conf renders them into the scripts that configure openEuler security features.
Note:
- The configuration and check script template files cannot be modified. They are only used by sec_conf to parse and generate scripts.
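As an added example that is not part of secPaver or of this page, the following Go program shows what the policy-file table and the go-template mechanism described above amount to in code: a struct mirroring sec_conf.yaml, a Validate step that rejects entries the table forbids (relative paths in the IMA lists, DIM entries that are neither an absolute path, a module name nor "kernel", PCR indexes no TPM has) before any script is rendered, and a small check-script template executed with text/template. The struct and function names, the template text, the getfattr-based IMA check, and the 0-23 PCR range are assumptions made for the illustration and are not the project's own templates or types; the sample policy is the page's example YAML transcribed as a Go literal (constructed input) so that the program runs without a YAML parser.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
	"text/template"
)

// Policy mirrors the sec_conf.yaml fields in the table above (illustrative struct, not secPaver's own type).
type Policy struct {
	Name, Version string
	DIM           DIMConf
	SecureBoot    SecureBootConf
	ModSign       ModSignConf
	IMA           IMAConf
}
type DIMConf struct {
	Enable                     bool
	MeasureList                []string
	LogCap, Schedule, Interval int
	Hash                       string
	CorePCR, MonitorPCR        int
	Signature, AutoBaseline    bool
}
type SecureBootConf struct{ Enable, AntiRollback, Verbose bool }
type ModSignConf struct{ Enable bool }
type IMAConf struct{ MeasureList, AppraiseList []string }

var modName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// Validate rejects a policy that would generate a broken script: IMA entries must be absolute paths,
// DIM entries an absolute path, a module name or "kernel", and PCR indexes 0 (off) or valid (assumed 0-23).
func Validate(p Policy) error {
	var errs []error
	for _, f := range append(append([]string{}, p.IMA.MeasureList...), p.IMA.AppraiseList...) {
		if !path.IsAbs(f) {
			errs = append(errs, fmt.Errorf("ima: not an absolute path: %s", f))
		}
	}
	for _, m := range p.DIM.MeasureList {
		if m != "kernel" && !path.IsAbs(m) && !modName.MatchString(m) {
			errs = append(errs, fmt.Errorf("dim: invalid measure_list entry: %s", m))
		}
	}
	if p.DIM.CorePCR < 0 || p.DIM.CorePCR > 23 || p.DIM.MonitorPCR < 0 || p.DIM.MonitorPCR > 23 {
		errs = append(errs, errors.New("dim: core_pcr/monitor_pcr must be 0 or a PCR index the TPM has (0-23)"))
	}
	return errors.Join(errs...) // nil when errs is empty
}

// checkTmpl is an illustrative go-template check script; it is not one of the templates shipped under scripts/sec_conf/check/.
const checkTmpl = `#!/bin/sh
# check script for policy "{{.Name}}" version {{.Version}}
rc=0
{{- if .DIM.Enable}}{{range .DIM.MeasureList}}{{if hasPrefix . "/"}}
[ -f "{{.}}" ] || { echo "dim: missing file {{.}}"; rc=1; }
{{- end}}{{end}}{{end}}
{{- range .IMA.AppraiseList}}
getfattr -n security.ima "{{.}}" >/dev/null 2>&1 || { echo "ima: no security.ima xattr on {{.}}"; rc=1; }
{{- end}}
exit $rc
`

// Render validates the policy, then executes the template with it as data (the go-template step the page describes).
func Render(p Policy) (string, error) {
	if err := Validate(p); err != nil {
		return "", err
	}
	t := template.Must(template.New("check").Funcs(template.FuncMap{"hasPrefix": strings.HasPrefix}).Parse(checkTmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, p); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// SamplePolicy is the page's example sec_conf.yaml transcribed as a Go literal (constructed input).
func SamplePolicy() Policy {
	return Policy{
		Name: "openEuler security configuration", Version: "1",
		DIM: DIMConf{Enable: true, MeasureList: []string{"/usr/bin/bash", "nf_nat", "kernel"},
			LogCap: 100000, Hash: "sha256", CorePCR: 11, MonitorPCR: 12, Signature: true, AutoBaseline: true},
		SecureBoot: SecureBootConf{Enable: true, AntiRollback: true, Verbose: true},
		ModSign:    ModSignConf{Enable: true},
		IMA: IMAConf{MeasureList: []string{"/usr/bin/ls", "/usr/bin/cat", "/usr/bin/base64", "/usr/bin/base32"},
			AppraiseList: []string{"/usr/bin/base64", "/usr/bin/base32", "/usr/bin/sleep", "/usr/bin/date"}},
	}
}

func main() {
	out, err := Render(SamplePolicy())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Validating before rendering is the point of the example: the page warns that a wrong configuration of an interception feature can keep the system from booting, so malformed entries should be refused by the generator rather than discovered after the generated config.sh has already run. Only the DIM entries that start with "/" become file-existence checks; module names and "kernel" are deliberately skipped.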
Security Configuration CLI Interface
Parameter | Function Description | Command Format |
---|---|---|
--help,-h | Print sec_conf command line help information | sec_conf -h |
gen_check | Generate security configuration check script and output to the command line interface | sec_conf gen_check |
gen_config | Generate security configuration script and output to the command line interface | sec_conf gen_config |
--output,-o | Write the generated script to the specified file instead of the command line (applies to both gen_check and gen_config) | sec_conf gen_config -o config.sh |
Usage Instructions
Configure the yaml file, for example:
```yaml
# cat /usr/share/secpaver/scripts/sec_conf/sec_conf.yaml
---
name: "openEuler security configuration"
version: "1"
dim:
  enable: true
  measure_list:
    - "/usr/bin/bash"
    - "nf_nat"
    - "kernel"
  log_cap: 100000
  schedule: 0
  interval: 0
  hash: "sha256"
  core_pcr: 11
  monitor_pcr: 12
  signature: true
  auto_baseline: true
secure_boot:
  enable: true
  anti_rollback: true
  verbose: true
modsign:
  enable: true
ima:
  measure_list:
    - "/usr/bin/ls"
    - "/usr/bin/cat"
    - "/usr/bin/base64"
    - "/usr/bin/base32"
  appraise_list:
    - "/usr/bin/base64"
    - "/usr/bin/base32"
    - "/usr/bin/sleep"
    - "/usr/bin/date"
...
```
Generate the feature configuration script and the check script:
```shell
sec_conf gen_config -o ./config.sh
sec_conf gen_check -o ./check.sh
```
Run the configuration script, then run the check script to confirm that the configuration was applied correctly. If the check reports no errors, reboot so that the configuration takes effect:
```shell
sh ./config.sh -s
sh ./check.sh -s
reboot
```
After the reboot, run the configuration script again and then the check script. At this point all feature checks are expected to pass:
```shell
sh ./config.sh -s
sh ./check.sh -s
```