Version: 24.03 LTS SP2

Security Configuration Hardening Tool

Overview

This document provides a basic introduction and usage instructions for the security configuration hardening tool sec_conf.

Introduction to sec_conf

Background

openEuler supports various security features, including native Linux security features and community-developed security features. However, these features are scattered, difficult to configure, and have a steep learning curve for users. Additionally, for some security features with interception capabilities (such as IMA appraisal, secure boot, and access control), incorrect user configuration can lead to system boot failure or abnormal operation. Therefore, sec_conf aims to achieve an automated security configuration mechanism, allowing users to perform system security checks and hardening based on the tool, thereby better facilitating the implementation of openEuler security features in various application scenarios.

Function Introduction

sec_conf is a security hardening tool that helps administrators configure openEuler security features (such as IMA, DIM, and secure boot). You can input configuration information, which represents the desired security hardening goals, and generate corresponding security feature configuration scripts.

Currently, sec_conf supports configurable security mechanisms for IMA, DIM, secure boot, and modsign.

Installation and Deployment

Installing Dependencies

The software required to compile secPaver includes:

  • make
  • golang 1.11+

Downloading Source Code

```shell
git clone https://gitee.com/openeuler/secpaver.git -b sec_conf
```

Compiling and Installing Software

```shell
cd secpaver
make
```

Install the software:

```shell
make install
```

Project File Format

The sec_conf project files consist of policy configuration files, check script template files, and configuration script template files.

Policy Configuration File

The policy configuration file holds the configuration for the DIM, IMA, secure boot, and kernel module verification features. It uses the YAML format, and each field is described below:

| Primary Configuration Item | Secondary Configuration Item | Type | Attribute | Description |
|---|---|---|---|---|
| name | N/A | string | optional | Configuration file name. |
| version | N/A | string | optional | Configuration policy version number. |
| dim | enable | bool | optional | Enable/disable the DIM function. |
| | measure_list | string array | optional | Files that DIM needs to measure. For user-space files, an absolute path must be specified. For kernel modules, a valid kernel module name must be specified. For the kernel, specify "kernel". |
| | log_cap | int | optional | Maximum number of measurement logs. When the number of recorded measurement logs reaches this value, logging stops. The default value is 100,000. |
| | schedule | int | optional | Time to schedule after measuring a process/module, in milliseconds. Setting to 0 means no scheduling. The default value is 0. |
| | interval | int | optional | Automatic measurement cycle, in minutes. Setting to 0 means no automatic measurement. The default value is 0. |
| | hash | string | optional | Measurement hash algorithm. The default value is sha256. |
| | core_pcr | int | optional | Extend the dim_core measurement result to this PCR register of the TPM chip. Setting to 0 means no extension (the value must match an actual PCR number of the chip). The default value is 0. |
| | monitor_pcr | int | optional | Extend the dim_monitor measurement result to this PCR register of the TPM chip. Setting to 0 means no extension (the value must match an actual PCR number of the chip). The default value is 0. |
| | signature | bool | optional | Whether to enable the policy file and signature mechanism. |
| | auto_baseline | bool | optional | Whether to establish a DIM baseline automatically. If false, the administrator needs to generate the baseline manually. |
| secure_boot | enable | bool | optional | Whether to enable secure boot. |
| | anti_rollback | bool | optional | Enable/disable the secure boot anti-rollback policy. |
| | verbose | bool | optional | Enable/disable secure boot related logs. |
| modsign | enable | bool | optional | Whether to enable the kernel module verification feature. |
| ima | measure_list | string array | optional | IMA measured file list (absolute paths must be specified). |
| | appraise_list | string array | optional | IMA appraised file list (absolute paths must be specified). |

Note:

  • The sec_conf.yaml file must be placed at /usr/share/secpaver/scripts/sec_conf/sec_conf.yaml and cannot be renamed.
  • Parameter types must comply with the requirements in the table above.
  • If related configurations do not exist, default values are used.

Check Script Template and Configuration Script Template Files

Template files are implemented using the go-template engine to combine script files with data and generate the final text output.

Check script templates are unified under the /usr/share/secpaver/scripts/sec_conf/check/ directory. This directory contains script templates for features like DIM and IMA. These script templates cannot be executed independently. They can only be used by sec_conf to generate the latest scripts for performing openEuler feature checks.

Configuration script templates are unified under the /usr/share/secpaver/scripts/sec_conf/gen/ directory. This directory contains script templates for features like DIM and IMA. These script templates cannot be executed independently. They can only be used by sec_conf to generate the latest scripts for configuring openEuler features.

Note:

  • The configuration and check script template files cannot be modified. They are only used by sec_conf to parse and generate scripts.
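The policy table and the go-template mechanism described above, shown as an added example that is not part of sec_conf or its shipped templates: a small Go program that holds the DIM/IMA subset of sec_conf.yaml as a struct, applies the documented hash default, rejects IMA entries that are not absolute paths (and a PCR index outside 0..23, an assumption about a TPM 2.0 bank that the page does not state), and then renders a check script from a go-template in the same style. The `Policy` type, `check_*` shell helpers and function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Policy mirrors the DIM/IMA fields of sec_conf.yaml from the table above.
// Type, function and template names are this example's own, not sec_conf's.
type Policy struct {
	DIMEnable   bool
	Hash        string
	CorePCR     int
	IMAMeasure  []string
	IMAAppraise []string
}

// Validate defaults an omitted hash to sha256 (per the table), then flags IMA
// entries that are not absolute paths and a PCR index outside 0..23 (assumed TPM 2.0).
func Validate(p *Policy) []string {
	if p.Hash == "" {
		p.Hash = "sha256"
	}
	var errs []string
	for _, f := range append(append([]string{}, p.IMAMeasure...), p.IMAAppraise...) {
		if !strings.HasPrefix(f, "/") {
			errs = append(errs, "ima: not an absolute path: "+f)
		}
	}
	if p.CorePCR < 0 || p.CorePCR > 23 {
		errs = append(errs, fmt.Sprintf("dim: core_pcr %d outside 0..23", p.CorePCR))
	}
	return errs
}

// checkTmpl is an illustrative go-template in the style of sec_conf's check
// templates, not one of its shipped files: one shell check line per entry.
const checkTmpl = `#!/bin/sh
{{if .DIMEnable}}check_dim_hash {{.Hash}} {{.CorePCR}}
{{end}}{{range .IMAMeasure}}check_ima_measured {{.}}
{{end}}{{range .IMAAppraise}}check_ima_appraised {{.}}
{{end}}`

// Render rejects an invalid policy and otherwise executes the template.
func Render(p Policy) (string, error) {
	if errs := Validate(&p); len(errs) > 0 {
		return "", fmt.Errorf("policy rejected: %s", strings.Join(errs, "; "))
	}
	var out strings.Builder
	err := template.Must(template.New("check").Parse(checkTmpl)).Execute(&out, p)
	return out.String(), err
}
```

Rendering the page's example policy yields one `check_*` line per list entry, while a policy with a relative IMA path is refused before any script is produced.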

Security Configuration CLI Interface

| Parameter | Function Description | Command Format |
|---|---|---|
| --help, -h | Print sec_conf command line help information | sec_conf -h |
| gen_check | Generate the security configuration check script and output it to the command line | sec_conf gen_check |
| gen_config | Generate the security configuration script and output it to the command line | sec_conf gen_config |
| --output, -o | Write the generated script to the specified file | sec_conf gen_config -o config.sh |

Usage Instructions

Configure the YAML file, for example:

```yaml
# cat /usr/share/secpaver/scripts/sec_conf/sec_conf.yaml
---
name: "openEuler security configuration"
version: "1"
dim:
  enable: true
  measure_list:
    - "/usr/bin/bash"
    - "nf_nat"
    - "kernel"
  log_cap: 100000
  schedule: 0
  interval: 0
  hash: "sha256"
  core_pcr: 11
  monitor_pcr: 12
  signature: true
  auto_baseline: true
secure_boot:
  enable: true
  anti_rollback: true
  verbose: true
modsign:
  enable: true
ima:
  measure_list:
  - "/usr/bin/ls"
  - "/usr/bin/cat"
  - "/usr/bin/base64"
  - "/usr/bin/base32"
  appraise_list:
  - "/usr/bin/base64"
  - "/usr/bin/base32"
  - "/usr/bin/sleep"
  - "/usr/bin/date"
...
```

Generate the feature configuration script and the check script:

```shell
sec_conf gen_config -o ./config.sh
sec_conf gen_check -o ./check.sh
```

Execute the configuration script and check whether the configuration is correct. If it is, restart the system for the configuration to take effect:

```shell
sh ./config.sh -s
sh ./check.sh -s
reboot
```

After restarting, execute the configuration script again and re-run the check. At this point, all feature checks are expected to pass:

```shell
sh ./config.sh -s
sh ./check.sh -s
```