Kernel Level File Integrity Checker report #11
Efstratios Karatzas
gpf.kira at gmail.com
Tue Aug 7 07:42:28 UTC 2012
During week #11:
* sys/kern/kern_exec.c: Introduced a new sysctl var (vfs.pefs.exec.enable)
for use during development phase instead of using kern.securelevel. When it
is turned on, we check if schg is turned on for the executable file; if
not, we fail. In case of a shell script, only the interpreter executable is
checked instead. Next step involves moving this hack to a MAC hook as well
as introducing checks for dynamically loaded libraries.
* After a talk with my mentor, I changed some things about how
signing/verification of the .pefs.checksum file is done. Signature is now
kept within the .pefs.checksum file (at the beginning of the file). Also,
we now refrain from generating our own set of keys. /sbin/pefs asks for
user to supply both keys for DSA in PEM format files.
Next tasks on the TODO list:
- more work with schg & execution control
--
Efstratios "GPF" Karatzas
More information about the soc-status
mailing list