@@ -219,12 +219,16 @@ executing the file is no longer allowed:
-sh: /usr/bin/rpm: Permission denied
Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
changing your local.conf:
SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
CORE_IMAGE_EXTRA_INSTALL += "auditd"
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+ QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+ QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
Adding auditd is not strictly necessary but helps to capture a
more complete set of events in /var/log/audit/ and search in
@@ -1 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
new file mode 100644
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/. Previously the same configuration fragment was provided by layer meta-security-framework but it is no longer maintained therefore it makes sense to have audit.cfg in layer meta-integrity. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> --- meta-integrity/README.md | 8 ++++++-- meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend | 2 ++ meta-integrity/recipes-kernel/linux/linux/audit.cfg | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 meta-integrity/recipes-kernel/linux/linux/audit.cfg