- Setup - The basics of getting started with ima
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module manages the Integrity Management Architecture (IMA),
a tool that verifies the integrity of the system, based on filesystem
and file hashes. The IMA class sets up IMA kernel boot flags if
they are not enabled and when they are, mounts the
securityfs. This module can
manage the IMA policy, although modifying the policy incorrectly could cause
your system to become read-only.
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the
Inserting poorly-formed or incorrect policy into the IMA policy file could cause your system to become read-only. This can be temporarily remedied by rebooting and setting ima_appraise to fix in the kernel command line parameters. This is the current case with the way the module manages the policy and it is not recommended to use this section of the module at this time.
This module will:
- Enable IMA on the host
- (OPTIONAL) Manage the IMA policy (BROKEN - See Limitations)
classes: - ima::appraise - ima::policy
To remove IMA, first disable components by adding this to hiera:
ima::policy::enable: false ima::appraise::enable: false ima::enable: false
This removes systems parameters managed IMA. The classes can then be removed.
Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux
and compatible distributions, such as CentOS. Please see the file
metadata.json for the most up-to-date list of
supported operating systems, Puppet versions, and module dependencies.
The default configuration of this module updates EFI boot parameters if they are present. If the system relies upon BIOS for boot, ensure there is not an EFI grub.cfg or grub2.cfg present or the BIOS grub config file will not be updated.
The current RedHat implementation of IMA does not seem to work after inserting
our default policy (generated example in
It causes the system to become read-only, even though it is only using supported
configuration elements. The module will be updated soon with more sane defaults
to allow for at least the minimal amount of a system to be measured.
To get started, include the
ima::policy class and set these parameters.
From there, they can be changed to
true on one by one:
ima::policy::measure_root_read_files: false ima::policy::measure_file_mmap: false ima::policy::measure_bprm_check: false ima::policy::measure_module_check: false ima::policy::appraise_fowner: false
Please read our Contribution Guide
To run the system tests, you need
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true BEAKER_provision=no BEAKER_destroy=no BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the
spec/fixtures/modulesdirectory, based on the contents of
.fixtures.yml. The contents of this directory are usually populated by
bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
- Mon Dec 16 2019 Trevor Vaughan email@example.com - 0.3.0-0
- Add EL8 support
- Tue Jul 16 2019 Robert Vincent firstname.lastname@example.org - 0.2.0-0
- Provide Puppet-6 compatibility.
- Facter.value(:cmdline) is not always set.
- Thu Mar 07 2019 Liz Nemsick email@example.com - 0.1.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Thu Nov 01 2018 Jeanne Greulich firstname.lastname@example.org - 0.1.0-0
- static asset updates
- Fri Sep 14 2018 Michael Morrone email@example.com - 0.1.0-0
- Made ima::appraise and ima::policy unambiguously public classes
- Thu Aug 09 2018 Michael Morrone firstname.lastname@example.org - 0.1.0-0
- Initial module
- Originially developed in SIMP TPM module
pupmod-simp-ima - A Puppet Module for managing the IMA -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.