IMA integrity enforcer
======================

Basic usage
-----------

1. Run the `integrity-applier` command (Stage I). The system reboots
   into so-called Stage II with the `ima_appraise=fix` kernel
   command-line option, in which files that fail appraisal are fixed
   up and logged rather than denied, so unsigned files can still be
   executed and then signed. (The kernel only honours `ima_appraise=`
   when built with `CONFIG_IMA_APPRAISE_BOOTPARAM=y`.)

2. Run the `integrity-applier` command again (Stage II) to sign the
   files. Use the `--cert=` and `--key=` command-line options to sign
   the files with user-defined keys (use the
   `-B BASENAME | --basename=BASENAME` option to install the given
   user-defined certificate file under a non-default file name). After
   signing is complete the system reboots into IMA enforcing mode
   (i.e. with the `ima_appraise=enforce` kernel command-line option),
   where files covered by the policy whose signature is missing or
   invalid are denied.

3. To disable IMA, run the `integrity-remover` script.

By default the file signing log is written to
/var/log/integrity-sign.log.
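
Two checks a practitioner wants between the stages above: which
`ima_appraise=` mode the running kernel was actually booted with, and
whether a given file's `security.ima` extended attribute holds a
signature (what Stage II is meant to produce) or only a hash. The
script below is an added example, not code from the integrity-applier
project; the xattr type bytes it classifies are the kernel's own
(0x01 IMA_XATTR_DIGEST, 0x03 EVM_IMA_XATTR_DIGSIG, 0x04
IMA_XATTR_DIGEST_NG, 0x05 IMA_VERITY_DIGSIG), and `getfattr` comes from
the attr package.

```shell
#!/bin/sh
# Added example, not code from the integrity-applier project. Reports the
# ima_appraise= mode from a kernel command line and classifies a file's
# security.ima xattr as signature or plain hash.

# Print the ima_appraise= value from a kernel command line ($1), e.g. the
# contents of /proc/cmdline: off, enforce, fix or log. When the option is
# repeated the kernel applies each in turn, so the last one wins. Prints
# "unset" when absent (the kernel's built-in default is then enforce).
ima_appraise_mode() {
    mode=$(printf '%s\n' "$1" | tr ' ' '\n' \
           | sed -n 's/^ima_appraise=//p' | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Classify a security.ima value as printed by `getfattr -e hex`, given
# either as "security.ima=0x03..." or as "0x03...". The first byte is the
# kernel's xattr type: 0x01 IMA_XATTR_DIGEST, 0x03 EVM_IMA_XATTR_DIGSIG,
# 0x04 IMA_XATTR_DIGEST_NG, 0x05 IMA_VERITY_DIGSIG.
ima_xattr_kind() {
    v=${1#security.ima=}
    v=${v#0x}
    case $(printf '%.2s' "$v") in
        01) echo digest ;;            # legacy hash only, no signature
        03) echo signature ;;         # digital signature: expected after Stage II
        04) echo digest-ng ;;         # hash with algorithm id, still no signature
        05) echo verity-signature ;;  # fs-verity based signature
        *)  echo unknown ;;
    esac
}

# Live check: report the boot mode and classify one file's xattr. A file
# with no security.ima at all was never signed or hashed and, if the
# policy covers it, fails appraisal under ima_appraise=enforce.
ima_check_file() {
    printf 'ima_appraise mode: %s\n' "$(ima_appraise_mode "$(cat /proc/cmdline)")"
    x=$(getfattr --absolute-names -n security.ima -e hex "$1" 2>/dev/null \
        | sed -n 's/^security\.ima=//p')
    if [ -z "$x" ]; then
        printf '%s: no security.ima xattr\n' "$1"
        return 1
    fi
    printf '%s: %s\n' "$1" "$(ima_xattr_kind "$x")"
}

# Usage: sh ima-check.sh /usr/bin/ls
case ${1:-} in
    '') ;;
    *)  ima_check_file "$1" ;;
esac
```

Run it against a few files in the signed directories after Stage II and
before the reboot into enforcing mode: anything reported as `digest` or
`no security.ima xattr` will not pass an `appraise_type=imasig` rule.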


The trusted IMA keyring
-----------------------

To use the trusted IMA keyring, select the keyring name ".ima" with
the `IMA_KEYRING=.ima` configuration option in the
`/etc/integrity/config` file. Certificates for the secondary trusted
keyring can be configured with the `SECONDARY_SUFFIX` configuration
option.

Note that the IMA trusted keyring is only available when the kernel is
compiled with the `CONFIG_INTEGRITY_TRUSTED_KEYRING=y` and
`CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y` options
set. The kernel then only accepts a certificate onto ".ima" if it is
signed by a key already on the builtin (or, with the second option,
the secondary) trusted keyring; a user-defined certificate that chains
to neither is rejected when loaded.
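
The kernel config check below is an added example, not code from the
integrity-applier project. It verifies the two options named above in
a kernel config file, and separately `CONFIG_IMA_APPRAISE_BOOTPARAM`,
without which the kernel ignores the `ima_appraise=` switch that the
Stage I/II flow relies on. The config fragment it tests against is
constructed; `keyctl` comes from the keyutils package.

```shell
#!/bin/sh
# Added example, not code from the integrity-applier project. Checks a
# kernel config for the options the trusted .ima keyring needs and for
# CONFIG_IMA_APPRAISE_BOOTPARAM; the sample config fragment is constructed.

# Return 0 if every option named in $2.. is set to y in config file $1;
# otherwise list the missing ones on stderr and return 1.
kconfig_has_all() {
    cfg=$1; shift
    missing=""
    for opt in "$@"; do
        grep -qx "$opt=y" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing" >&2
        return 1
    fi
}

# The two options this section requires for IMA_KEYRING=.ima.
kconfig_supports_trusted_ima() {
    kconfig_has_all "$1" CONFIG_INTEGRITY_TRUSTED_KEYRING \
        CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
}

# Without CONFIG_IMA_APPRAISE_BOOTPARAM the kernel never parses
# ima_appraise=, so neither the "fix" nor the "enforce" reboot takes effect.
kconfig_honours_appraise_bootparam() {
    kconfig_has_all "$1" CONFIG_IMA_APPRAISE CONFIG_IMA_APPRAISE_BOOTPARAM
}

# Constructed kernel config fragment; extra lines may be passed as arguments.
sample_kconfig() {
    printf '%s\n' \
        '# Integrity subsystem (constructed sample, not a real .config)' \
        'CONFIG_INTEGRITY=y' \
        'CONFIG_INTEGRITY_SIGNATURE=y' \
        'CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y' \
        'CONFIG_INTEGRITY_TRUSTED_KEYRING=y' \
        'CONFIG_IMA=y' \
        'CONFIG_IMA_APPRAISE=y' \
        "$@"
}

# Live check against the running kernel, then list what is actually on
# the .ima keyring (also visible in /proc/keys without keyutils).
live_check() {
    cfg=/boot/config-$(uname -r)
    kconfig_supports_trusted_ima "$cfg" && echo "trusted .ima keyring: supported"
    kconfig_honours_appraise_bootparam "$cfg" && echo "ima_appraise= bootparam: honoured"
    keyctl show %keyring:.ima 2>/dev/null || grep '\.ima' /proc/keys
}

# Usage: sh ima-kconfig-check.sh live
case ${1:-} in
    live) live_check ;;
esac
```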


Advanced usage
--------------

* Use the `--log-stderr=FILE` option to write the Stage II file signing
  log to the specified FILE. Use `--log-stderr` without an argument to
  write it to the current standard error stream.

* Use `--init` and `--sign` to explicitly select Stage I or Stage II.

* Use `-R | --no-reboot` to suppress automatic reboot of the system.

* Use `-a HASH | --hash=HASH` option to select the type of cryptographic
  hash function to sign the files with. It can also be configured in
  `/etc/integrity/config` (and/or `/etc/sysconfig/integrity`).

* Use `-A | --auto` option to automatically run Stage II after reboot
  using the special `ima-signing.target`.

* Edit `/etc/integrity/config` and `/etc/sysconfig/integrity` to
  configure the directories whose files are to be signed and other
  options, such as EVM. Values set in `/etc/sysconfig/integrity`
  override those set in `/etc/integrity/config`.

* Enable `ima-check.service` to check the IMA policy at system boot.
  Add services to `ima-check-failed.target` to run actions when that
  check fails.

* Create (touch) `/etc/integrity/reboot-on-initrd-error` to have the
  system reboot instead of continuing to boot when loading the IMA
  policy fails at the initrd stage. Alternatively, provide an
  executable `/etc/integrity/on-initrd-error` script, which is run
  instead of rebooting.

* Override the default integrity policy with `/etc/integrity/policy`.
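
The script below is an added example, not code from the
integrity-applier project, covering the two items above: it computes
the effective value of a configuration variable with
`/etc/sysconfig/integrity` taking precedence over
`/etc/integrity/config`, and writes and sanity-checks a minimal
appraisal policy. It assumes two things this page does not state: that
both configuration files are read as shell variable assignments, and
that `/etc/integrity/policy` uses the kernel's own IMA policy rule
syntax (the format accepted by `/sys/kernel/security/ima/policy`).
Only `IMA_KEYRING` is a documented variable name; the sample files and
policy are constructed.

```shell
#!/bin/sh
# Added example, not code from the integrity-applier project. Assumes the
# config files are shell variable assignments and that the policy file
# uses the kernel's IMA policy grammar; sample inputs are constructed.

# Print the effective value of variable $1 after reading config file $2
# and then sysconfig file $3, so a value in the sysconfig file overrides
# the other, as the README describes. Sourcing happens in a subshell so
# the caller's environment is untouched.
effective_value() {
    (
        if [ -r "$2" ]; then . "$2"; fi
        if [ -r "$3" ]; then . "$3"; fi
        eval "printf '%s\n' \"\${$1}\""
    )
}

# Write a minimal appraisal policy to $1. Pseudo filesystems carry no
# security.ima and are excluded by fsmagic (PROC_SUPER_MAGIC, SYSFS_MAGIC,
# DEBUGFS_MAGIC, TMPFS_MAGIC, SECURITYFS_MAGIC); every root-owned file
# must then carry a valid signature (appraise_type=imasig), a plain hash
# in security.ima is not accepted.
write_sample_policy() {
    cat > "$1" <<'EOF'
# constructed sample policy
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x73636673
appraise fowner=0 appraise_type=imasig
EOF
}

# Cheap pre-flight before handing a policy to the kernel, which discards
# the whole update on the first rule it cannot parse: every non-comment
# line must begin with one of the IMA rule actions.
policy_actions_valid() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r line; do
        set -- $line
        case $1 in
            measure|dont_measure|appraise|dont_appraise|audit|hash|dont_hash) ;;
            *) printf 'bad rule: %s\n' "$line" >&2; exit 1 ;;
        esac
    done
}

# Usage: sh integrity-config-check.sh live
case ${1:-} in
    live)
        printf 'effective IMA_KEYRING: %s\n' \
            "$(effective_value IMA_KEYRING /etc/integrity/config /etc/sysconfig/integrity)"
        if [ -r /etc/integrity/policy ]; then
            policy_actions_valid /etc/integrity/policy && echo "policy: actions ok"
        fi
        ;;
esac
```

The pre-flight only checks the rule action, not the conditions; the
authoritative check is still the kernel's, whose error is reported at
the initrd stage and is what `/etc/integrity/reboot-on-initrd-error`
reacts to.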

Licence: GNU GPL version 2 or later.
