├── .codeclimate.yml ├── .github ├── issue_template.md └── workflows │ └── action.yaml ├── .gitmodules ├── AUTHORS ├── Dockerfile ├── LICENSE ├── README.md ├── graph ├── autoIntegrity.py └── buildGraph.py ├── lfp.sh ├── lqr.sh ├── measurementDB ├── buildStore.sh ├── cve │ ├── buildCVE.sh │ └── vulnerable.py ├── downloadPkgs.sh ├── insertDB.sh └── storeHash.sh ├── ra-agent.sh ├── read-registration.sh ├── register.sh ├── tests ├── client_test_log ├── client_tpm12_test_quote ├── hashPCR ├── pcrValue ├── pubAIK ├── refLog └── test-script.sh └── verify.sh /.codeclimate.yml: -------------------------------------------------------------------------------- 1 | engines: 2 | shellcheck: 3 | enabled: true 4 | ratings: 5 | paths: 6 | - "**.sh" 7 | -------------------------------------------------------------------------------- /.github/issue_template.md: -------------------------------------------------------------------------------- 1 | Please kindly fill out the following information! 2 | 3 | ### Linux distribution and version 4 | 5 | ### TPM 1.2 model and version 6 | 7 | ### Expected behaviour 8 | 9 | ### Actual behaviour 10 | 11 | ### Steps to reproduce 12 | -------------------------------------------------------------------------------- /.github/workflows/action.yaml: -------------------------------------------------------------------------------- 1 | name: action 2 | on: [push, pull_request] 3 | 4 | jobs: 5 | job1: 6 | runs-on: [ubuntu-latest] 7 | steps: 8 | - uses: actions/setup-python@v1 9 | - uses: actions/checkout@v2 10 | - name: Run 11 | shell: bash 12 | run: | 13 | docker build -t test . 
14 | docker run test 15 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "tpm-quote-tools"] 2 | path = tpm-quote-tools 3 | url = git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools 4 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | LightVerifier Authors 2 | --------------------- 3 | 4 | Victor Sallard 5 | Adrian L. Shaw 6 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:jessie 2 | WORKDIR /testsite/ 3 | RUN apt-get -qq update 4 | RUN apt-get install -y -qq git make gcc netcat-traditional vim-common tpm-tools \ 5 | libtspi-dev git autoconf redis-server redis-tools 6 | COPY . /testsite/ 7 | RUN git submodule init && git submodule update 8 | RUN cd tpm-quote-tools && autoreconf -i 9 | RUN cd tpm-quote-tools && ./configure 10 | RUN cd tpm-quote-tools && make install 11 | ENTRYPOINT ["bash", "tests/test-script.sh"] 12 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. 
By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. 
If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. 
You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 
113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LightVerifier [![Build Status](https://travis-ci.org/adrianlshaw/LightVerifier.svg?branch=master)](https://travis-ci.org/adrianlshaw/LightVerifier) 2 | 3 | LightVerifier is a small set of tools to remotely verify the integrity of Linux systems. 4 | In essence, it uses a computer’s Trusted Platform Module (TPM) and some Linux kernel features to track what programs execute, 5 | in such a way that the software on the machine cannot lie about what’s running. Through cryptography, a measurement list is 6 | signed by the TPM and checked against a database of known good software measurements. 7 | This is known as a hardware-based remote attestation. 8 | Therefore, unauthorised software modifications or execution can be detected. 9 | 10 | This project consists of a client (ra-agent) and server (verifier). 11 | **Important note**: 12 | This project currently only works with TPM 1.2, but 2.0 should be easy to incorporate. 13 | 14 | ```bash 15 | $ apt-get install tpm-quote-tools netcat-traditional tpm-tools redis-tools \ 16 | libtspi-dev autoconf make gcc 17 | ``` 18 | 19 | Once this depedency is installed on both client and server, 20 | you can start to install the LightVerifier tools. 21 | 22 | 23 | ## Setting up the verifier database 24 | 25 | Choose a trusted and secure server for deploying the verifier. 
26 | Install the dependencies for Debian: 27 | 28 | ```bash 29 | $ apt-get install redis-server redis-tools debmirror parallel rpm2cpio 30 | ``` 31 | 32 | The measurementDB currently supports the creation of reference 33 | measurements for a few Linux distributions, including: 34 | 35 | * Debian 36 | * Ubuntu 37 | * CentOS 7 38 | 39 | It would be nice to support a few LTS distributions, including 40 | RH-like distributions like CentOS. Pull requests are welcome. 41 | 42 | You can then run the builder for the reference database 43 | (note: it could take a day to download packages from scratch): 44 | ```bash 45 | $ cd measurementDB && ./buildStore.sh 46 | ``` 47 | 48 | CVE reports for Debian are supported by LightVerifier. 49 | You can make the CVE updater run frequently (e.g. every hour): 50 | ```bash 51 | $ cp cve/* /etc/cron.hourly/ 52 | ``` 53 | 54 | **Optional**: you can replicate an existing measurementDB database to another 55 | verifier's Redis instance by performing the following instructions. 56 | 57 | In **/etc/redis/redis.conf** on the main server add the following line to allow 58 | replication on all interfaces: 59 | ``` 60 | bind 0.0.0.0 61 | ``` 62 | 63 | In **/etc/redis/redis.conf** on the new slave add the hostname and port of the 64 | master database, e.g.: 65 | 66 | ``` 67 | slaveof 6379 68 | ``` 69 | 70 | **Important note:** the database can only be set to one distro at a time. 71 | The current default is Debian. To change this to another distro, change the 72 | "DISTRO" variable in **downloadDeb.sh** and rerun the **buildstore.sh** script. 73 | 74 | ### Installing the remote attestation client 75 | 76 | If you haven't already, then enable the TPM in the BIOS of the device 77 | and then take ownership using **tpm_takeownership**. 
78 | Then proceed to make the Attestation Identity Key (AIK) 79 | using the following commands from the included tpm-quote-tools package: 80 | 81 | ```bash 82 | $ tpm_mkuuid aik.uuid 83 | $ tpm_mkaik aik.blob aik.pub 84 | $ tpm_loadkey aik.blob aik.uuid 85 | ``` 86 | 87 | Make sure the verifier database has been deployed (see README in measurementDB 88 | directory) and then run the "register.sh" script on each machine that 89 | needs to be registered: 90 | 91 | ```bash 92 | $ ./register.sh 93 | ``` 94 | This will connect to the verifier database and record the necessary machine 95 | information (DNS hostname, AIK public cert, the corresponding hash, 96 | and the boot aggregate digest). 97 | **Importantly**, you must register before installing the IMA policy. 98 | Note, that when you run the verify script in the next section, you should use 99 | the hostname rather than the IP address. 100 | 101 | Finally, we can set up the required integrity measurement policy. 102 | The policy checks loaded executable files (programs, 103 | shared libraries and executable files). 104 | This should typically be written to ```/etc/ima/ima-policy```, 105 | but it depends on your platform. 106 | The systemd init system should load it automatically if it exists. 107 | 108 | ``` 109 | measure func=BPRM_CHECK 110 | measure func=FILE_MMAP mask=MAY_EXEC 111 | ``` 112 | This example policy is known as a binary attestation policy, but 113 | other types of policy are possible to some degree. 114 | 115 | ## Remote Attestation Scripts 116 | 117 | * verify.sh is the requester; its job is to fetch and analyse quotes and 118 | logs to attest that a platform is trustworthy. You can run it with: 119 | ```bash 120 | $ ./verify.sh 121 | ``` 122 | If successful, it will generate a file called report.log. 123 | 124 | * ra-agent.sh is run on the machine to be monitored; 125 | it waits for a request from the verifier and sends both the log and TPM quote. 
126 | You can run it with: 127 | ```bash 128 | $ ./ra-agent.sh 10 129 | ``` 130 | 131 | ## How does it work 132 | 133 | The aim of the project is to use both binary attestation and CVE databases to 134 | evaluate trust for a given machine. 135 | 136 | There are two parties: 137 | * The **verifier** - this machine runs _verify.sh_ and contains the database 138 | * The **attestor** - this machine runs _ra-agent.sh_ and logs activity with IMA 139 | 140 | First, the verifier should build the database from the measurementDB. 141 | This will store the SHA-1 hash of every ELF file in the 142 | packages in a Redis database. We are working to add support 143 | for newer hash algorithms. 144 | 145 | Secondly, the machine to verify should have IMA running and launch **ra-agent.sh**. 146 | This script will then wait for a request from the verifier and a new 147 | instance will be created for each request. 148 | 149 | When the machine needs to be verified, the verifier sends a nonce/challenge for freshness. 150 | The sender will then create a quote (with the nonce used to prevent replay 151 | attacks) and sends it along with the IMA log (unencrypted) 152 | 153 | The verifier, using the IMA log, will recompute the value of the PCR for each 154 | entry, and will check if the quote contains that same value. Once the right line 155 | has been reached, the verifier stops and returns that the distant server is the 156 | right one (verified by the AIK) and that the log provided is 157 | correct up to that line. 158 | 159 | We can then use the database to check if the binaries that run on the machine 160 | are genuine, and we can also check their potential vulnerabilities with the 161 | CVE database. 162 | 163 | In the event of the verifier never reaching the line confirming the quote, 164 | the requester would deem the machine as untrustworthy, 165 | and simply stop the process. 
# -------------------------------------------------------------------------------- /graph/autoIntegrity.py:
# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License, version 2, as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .

# Autoassigns integrity levels to nodes.
# Needs one start node per integrity level (may not be optimal)
#
# NOTE(review): the copy this was taken from had every indentation stripped;
# the block structure below is a reconstruction and must be checked against
# the original file before the script is relied on.

import networkx as nx

def applyIntegrity(graph, node, level):
    "Applies integrity to predecessors if of lower integrity"
    # Walks the predecessors of `node` (nodes with an edge INTO it) and pulls
    # any whose numeric "integrity" attribute is greater than `level` down to
    # `level`. Lower numbers mean higher integrity in this file (0 first, see
    # the range(2) loop below).
    # NOTE(review): the body reads the module-level `G` instead of the `graph`
    # parameter; both name the same object at the only call site.
    for pred in graph.predecessors(node):
        if nx.get_node_attributes(G,"integrity")[pred] > level:
            # Lowering before recursing is what terminates the walk on cycles:
            # a node already at `level` fails this test on the next visit.
            G.add_node(pred,integrity=level)
            if not pred in nx.get_node_attributes(G,"done"):
                applyIntegrity(graph, pred, level)
            else:
                # NOTE(review): as reconstructed, "done" is only written in the
                # branch that requires it to already exist, so it is never set.
                G.add_node(pred,done=1)
    return

# Reads the graph written by buildGraph.py, propagates levels 0 and 1 (in that
# order) backwards from the nodes that already carry them, then writes the
# graph back in place.
G=nx.read_graphml("./data.graphml")

for i in range(2):
    integrity=[]
    for n in nx.nodes(G):
        if nx.get_node_attributes(G,"integrity")[n] == i:
            integrity.append(n)
    for n in integrity:
        applyIntegrity(G,n,i)

nx.write_graphml(G,"./data.graphml")

# -------------------------------------------------------------------------------- /graph/buildGraph.py:
# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License, version 2, as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .

import networkx as nx

# Builds a directed information-flow graph from the access log in ./log and
# writes it to ./data.graphml for autoIntegrity.py.
# NOTE(review): the log format is only known from the parsing below — the
# first line is skipped as a header, and the 5th whitespace-separated field of
# every other line is "act=..&subj=..&obj=..". Confirm against the producer.
# Indentation below is reconstructed (see the note in autoIntegrity.py).
f = open('log','r')

# Seed sets: members of high_integrity get level 0, of medium_integrity level
# 1; every other node starts at len(integrity) == 2, the lowest level.
high_integrity=set(["system_u:system_r:kernel_t"])
medium_integrity=set(["root:sysadm_r:sysadm_t"])

integrity=[high_integrity,medium_integrity]

G=nx.MultiDiGraph()
f.readline()   # header line, discarded

line=f.readline()

count=2   # line number of `line` within the log (the header was line 1)

while line != '':
    security=line.split()[4].split("&")

    act=security[0].split("=")[1]
    subj=security[1].split("=")[1]
    obj=security[2].split("=")[1]

    lowest_level=len(integrity)

    # add_node is used here and below to (re)set attributes on nodes that may
    # already exist; the seeded level is restored on every pass by the loop.
    G.add_node(subj,integrity=lowest_level,desc=subj)
    G.add_node(obj,integrity=lowest_level,desc=obj)

    for i in range(lowest_level):
        if subj in integrity[i]:
            G.add_node(subj,integrity=i)
        if obj in integrity[i]:
            G.add_node(obj,integrity=i)

    if obj != subj:
        if act == "w" or act == "a":
            # write/append: information flows subj -> obj
            if not G.has_edge(subj,obj):
                G.add_edge(subj,obj)
            # obj becomes "dirty" when written by a lower-integrity
            # (higher-numbered) or already-dirty subject; the value records
            # the first log line that tainted it.
            if (nx.get_node_attributes(G,"integrity")[subj] > nx.get_node_attributes(G,"integrity")[obj]) or subj in nx.get_node_attributes(G,"dirty"):
                G.add_node(obj,dirty=count)
                # NOTE(review): the edge was added unconditionally just above,
                # so this guard is never true and no "dirty" edge is created.
                if not G.has_edge(subj,obj):
                    G.add_edge(subj,obj,dirty=count)

        elif act == "r":
            # read: information flows obj -> subj
            if not G.has_edge(obj,subj):
                G.add_edge(obj,subj)
            if (nx.get_node_attributes(G,"integrity")[obj] > nx.get_node_attributes(G,"integrity")[subj]) or obj in nx.get_node_attributes(G,"dirty"):
                G.add_node(subj,dirty=count)
                # NOTE(review): same dead guard as above; the edge named here
                # is subj->obj although the flow for a read is obj->subj.
                if not G.has_edge(obj,subj):
                    G.add_edge(subj,obj,dirty=count)

    line=f.readline()

    count=count+1

# Drop nodes without edges (a subj == obj access creates nodes but no edge).
# NOTE(review): indexing nx.degree(G) and removing nodes while iterating it
# presumably targets networkx 1.x, where it returns a dict; confirm the
# pinned version, 2.x returns a live view.
for deg in nx.degree(G):
    if nx.degree(G)[deg]==0:
        G.remove_node(deg)

nx.write_graphml(G,"./data.graphml")

# -------------------------------------------------------------------------------- /lfp.sh:
#!/bin/sh

# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License, version 2, as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#
# Authors: Victor Sallard
#          Adrian L. Shaw
#
# LFP stands for Lightweight File Parser: it parses quotes (and logs !)
files 21 | 22 | if [ $# -lt 3 ] 23 | then 24 | echo "Usage : lfp.sh pubaikhash quote logfile [input]" 25 | echo "If not specified, input will be read from STDIN" 26 | exit 1 27 | fi 28 | 29 | if [ $# -ge 4 -a -f "$4" ] 30 | then 31 | INPUT="$4" 32 | else 33 | INPUT="-" 34 | fi 35 | 36 | BUFFER=$(cat $INPUT) 37 | 38 | echo "$BUFFER" | awk '/##SHA1 pubAIK##/{flag=1;next}/##Base64 encoded quote##/{flag=0}flag' > $1 39 | echo "$BUFFER" | awk '/##Base64 encoded quote##/{flag2=1;next}/##IMA ASCII log file##/{flag2=0}flag2' | base64 -d > $2 40 | echo "$BUFFER" | awk '/##IMA ASCII log file##/{flag3=1;next}/END/{flag3=0}flag3' > $3 41 | 42 | exit 0 43 | -------------------------------------------------------------------------------- /lqr.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | # 17 | # Authors: Victor Sallard 18 | # Adrian L. 
Shaw 19 | # 20 | # LQR stands for Lightweight Quote Requester 21 | 22 | # Function declarations 23 | make_term_red(){ 24 | RED='\033[0;31m' 25 | printf "${RED}" 26 | } 27 | 28 | make_term_green(){ 29 | GREEN='\033[0;32m' 30 | printf "${GREEN}" 31 | } 32 | 33 | make_term_blue(){ 34 | BLUE='\033[0;34m' 35 | printf "${BLUE}" 36 | } 37 | 38 | make_term_normal(){ 39 | NC='\033[0m' # No Color 40 | printf "${NC}" 41 | } 42 | 43 | check_log_corruption(){ 44 | echo "Sanity checking template entries" 45 | while read line; do 46 | FILE=$(mktemp) 47 | printf '\32\0\0\0' > $FILE 48 | printf "sha1:\0" >> $FILE # Alg + colon and nul byte 49 | echo $line | cut -d ' ' -f4 | cut -d ':' -f2 | xxd -r -p >> $FILE # File digest 50 | FILEPATHLEN=$(echo $line | cut -d ' ' -f5 | wc -c) 51 | printf "%08x" $FILEPATHLEN | tac -rs .. | xxd -r -p >> $FILE 52 | echo -n $line | cut -d ' ' -f5 | tr -d "\n" >> $FILE # File 53 | printf "\0" >> $FILE 54 | #echo "Comparing $(echo $line | cut -d ' ' -f2) with $(sha1sum $FILE)" 55 | EXPECTEDPCR=$(echo $line | cut -d ' ' -f2) 56 | CALCULATEDPCR=$(sha1sum $FILE | cut -d ' ' -f1) 57 | rm -f $FILE 58 | if [ "$EXPECTEDPCR" != "$CALCULATEDPCR" ]; then 59 | echo "Aborting. Template hash is incorrect on line $line" 60 | return 1 61 | fi 62 | done <$1 63 | return 0 64 | } 65 | 66 | if [ -z "$AIKDIR" ]; then 67 | echo "You haven't specified the AIKDIR shell variable." 68 | echo "Please set it to a writeable directory, e.g. 
export AIKDIR=/tmp/" 69 | exit 1 70 | fi 71 | 72 | TESTMODE=0 73 | START=$(date +%s%N) 74 | 75 | if [ $# -lt 2 ] 76 | then 77 | echo "Usage: lqr.sh " 78 | exit 1 79 | else 80 | if [ "$3" == "--testmode" ] 81 | then 82 | TESTMODE=1 83 | fi 84 | fi 85 | 86 | # Make the temporary files 87 | FILE=$(mktemp) 88 | QUOTE=$(mktemp) 89 | LOG=$(mktemp) 90 | AIK=$(mktemp) 91 | NEWHASH=$(mktemp) 92 | PUSH=$(mktemp) 93 | HASHCPY=$(mktemp) 94 | NONCE=$(mktemp) 95 | 96 | # Redis DB numbers 97 | REDIS_MEASUREMENTS=10 98 | REDIS_AIK=13 99 | REDIS_AIK_INFO=15 100 | 101 | # Get AIK from redis based on the hostname 102 | HASHAIK=$(redis-cli --raw -n $REDIS_AIK get "$1") 103 | 104 | if [ ! -d "$AIKDIR/$HASHAIK" ] 105 | then 106 | EXISTS=$(redis-cli --raw -n $REDIS_AIK_INFO exists "$HASHAIK") 107 | if [ $EXISTS -eq 1 ] 108 | then 109 | mkdir "$AIKDIR/$HASHAIK" 110 | else 111 | echo "This hostname isn't known to the verifier. Aborting..." 112 | exit 3 113 | fi 114 | fi 115 | 116 | # Check if files are already cached, otherwise get them from Redis 117 | if [ ! -f "$AIKDIR/$HASHAIK/refLog" ] 118 | then 119 | redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '0' | base64 -d > "$AIKDIR/$HASHAIK/refLog" 120 | fi 121 | 122 | if [ ! -f "$AIKDIR/$HASHAIK/hashPCR" ] 123 | then 124 | redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '1' | base64 -d > "$AIKDIR/$HASHAIK/hashPCR" 125 | fi 126 | 127 | if [ ! -f "$AIKDIR/$HASHAIK/pcrValue" ] 128 | then 129 | redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '2' | base64 -d > "$AIKDIR/$HASHAIK/pcrValue" 130 | fi 131 | 132 | if [ ! -f "$AIKDIR/$HASHAIK/pubAIK" ] 133 | then 134 | redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '3' | base64 -d > "$AIKDIR/$HASHAIK/pubAIK" 135 | fi 136 | 137 | # Throw an error if we don't have all the right information. 
138 | expected=$(ls -l "$AIKDIR/$HASHAIK" | wc -l) 139 | if [ $expected -lt 4 ] 140 | then 141 | make_term_red 142 | echo "There seems to be some information missing about the machine" 143 | echo "Please check that the registration process was successful" 144 | make_term_normal 145 | exit 10 146 | fi 147 | 148 | # Get reference log line count + 1 149 | COUNT=$(cat "$AIKDIR/$HASHAIK/refLog" | wc -l) 150 | (( COUNT++ )) 151 | 152 | # Generate nonce 153 | if [ "$TESTMODE" -eq 1 ] 154 | then 155 | echo "WARNING: Test mode activated, the nonce is zero, and therefore insecure" 156 | dd if=/dev/zero bs=1 count=20 of=$NONCE 2>/dev/null 157 | else 158 | openssl rand 20 > $NONCE 159 | fi 160 | 161 | # Add the line number after the nonce to only get the new log part 162 | SEND=$(echo "$(cat $NONCE | base64) $COUNT") 163 | 164 | # Detect netcat version 165 | PARAM="" 166 | VERSION=$(dpkg-query -f '${binary:Package}\n' -W | grep netcat) 167 | echo $VERSION | grep traditional > /dev/null 168 | if [ $? -eq 1 ] 169 | then 170 | PARAM="-q 20" 171 | fi 172 | 173 | RETRY=5 174 | # Request the quote and the log file 175 | echo "$SEND" | nc.traditional $PARAM $1 $2 > $FILE 176 | 177 | while [ $? -ne 0 ] 178 | do 179 | if [ $RETRY -gt 0 ] 180 | then 181 | echo "Bad connection, retrying... ($(echo $RETRY) left)" 182 | RETRY=$((RETRY-1)) 183 | sleep $(echo 1.$RANDOM) 184 | echo "$SEND" | nc $PARAM $1 $2 > $FILE 185 | else 186 | echo "Connection failed! Aborting now..." 
187 | exit 2 188 | fi 189 | done 190 | 191 | TRANSFER=$(date +%s%N) 192 | 193 | echo "Parsing quote" 194 | # Parse the file 195 | ./lfp.sh $AIK $QUOTE $LOG $FILE 196 | 197 | # Get received log line count 198 | END=$(wc -l $LOG | cut -d " " -f 1) 199 | 200 | TRUSTED=0 201 | cp "$AIKDIR/$HASHAIK/hashPCR" "$HASHCPY" 202 | 203 | PCRVALUE=$(cat "$AIKDIR/$HASHAIK/pcrValue") 204 | 205 | HASHSTART=$(date +%s%N) 206 | 207 | echo "10=$PCRVALUE" > $PUSH 208 | tpm_updatepcrhash $HASHCPY $PUSH $NEWHASH 209 | cp $NEWHASH $HASHCPY 210 | 211 | HASHEND=$(date +%s%N) 212 | QUOTESTART=$(date +%s%N) 213 | 214 | # We need to verify the quote at each entry and see if one fits 215 | # If the logs have the same size (may want to actually check the quote...) 216 | if [ $END -eq 0 ] 217 | then 218 | echo "AIKHASH: $(cat $AIKDIR/$HASHAIK/pubAIK | base64)" 219 | echo "" 220 | echo "NEWHASH: $(cat $NEWHASH | base64)" 221 | echo "" 222 | echo "NONCE: $(cat $NONCE | base64)" 223 | echo "" 224 | echo "QUOTE: $(cat $QUOTE | base64)" 225 | 226 | tpm_verifyquote "$AIKDIR/$HASHAIK/pubAIK" $NEWHASH $NONCE $QUOTE 2>/dev/null 227 | TPM_FAIL=$? 228 | if [ $TPM_FAIL -eq 0 ] 229 | then 230 | TRUSTED=1 231 | else 232 | if [ ! -s $QUOTE ] 233 | then 234 | echo "ERROR: remote party sent a response which didn't include a quote" 235 | fi 236 | echo "ERROR: tpm_verifyquote failed with $TPM_FAIL" 237 | exit 1 238 | fi 239 | fi 240 | 241 | RESULT=$(check_log_corruption $LOG) 242 | if [ $? -eq 1 ]; then 243 | echo "Log files are corrupt and have no integrity. Bailing." 244 | exit 2 245 | else 246 | echo "Template entries verified" 247 | fi 248 | 249 | ITER=1 250 | while [ $ITER -le $END ] 251 | do 252 | 253 | LOGVALUE=$(sed "${ITER}q;d" $LOG | cut -d " " -f 2) 254 | NEWPCR=$(echo "$PCRVALUE$LOGVALUE" | xxd -r -p | sha1sum | cut -d " " -f 1) 255 | PCRVALUE=$(echo $NEWPCR | tr '[:lower:]' '[:upper:]') 256 | echo "10=$PCRVALUE" > $PUSH 257 | 258 | tpm_updatepcrhash $HASHCPY $PUSH $NEWHASH 259 | PCR_FAIL=$? 
260 | if [ $PCR_FAIL -gt 0 ] 261 | then 262 | echo "ERROR: Something went wrong when updating the PCR value ($PCR_FAIL)." 263 | echo "File a bug on http://github.com/adrianlshaw/LightVerifier" 264 | exit 5 265 | fi 266 | 267 | cp $NEWHASH $HASHCPY 268 | 269 | tpm_verifyquote "$AIKDIR/$HASHAIK/pubAIK" $NEWHASH $NONCE $QUOTE 2>/dev/null 270 | 271 | if [ $? -eq 0 ] 272 | then 273 | TRUSTED=1 274 | cp $NEWHASH "$AIKDIR/$HASHAIK/hashPCR" 275 | cat "$AIKDIR/$HASHAIK/refLog" $LOG > $PUSH 276 | echo $PCRVALUE > "$AIKDIR/$HASHAIK/pcrValue" 277 | mv $PUSH "$AIKDIR/$HASHAIK/refLog" 278 | break 279 | fi 280 | (( ITER++ )) 281 | done 282 | 283 | # Assess situation 284 | if [ $TRUSTED -eq 0 ] 285 | then 286 | make_term_red 287 | echo "Bad configuration, system integrity is not guaranteed (maybe the machine rebooted, try again)" 288 | rm "$AIKDIR/$HASHAIK/hashPCR" 289 | rm "$AIKDIR/$HASHAIK/refLog" 290 | rm "$AIKDIR/$HASHAIK/pcrValue" 291 | make_term_normal 292 | exit 1 293 | fi 294 | 295 | QUOTEEND=$(date +%s%N) 296 | FORMATSTART=$(date +%s%N) 297 | 298 | make_term_blue 299 | echo "Machine's public AIK SHA1 hash:" 300 | echo $HASHAIK 301 | echo 302 | make_term_normal 303 | 304 | # This detects whether the template is IMA-NG or IMA-CONT-ID 305 | cat "$AIKDIR/$HASHAIK/refLog" | grep 'ima-ng' >/dev/null 306 | NGMODE=$? 307 | 308 | cat "$AIKDIR/$HASHAIK/refLog" | grep 'ima-cont-id ' >/dev/null 309 | CONTMODE=$? 310 | 311 | cat "$AIKDIR/$HASHAIK/refLog" | grep 'ima-cont-id-subj ' >/dev/null 312 | SUBJMODE=$? 
313 | 314 | LIST=$(cat "$AIKDIR/$HASHAIK/refLog" | tail -n +2) 315 | 316 | if [ $NGMODE -eq 0 ] 317 | then 318 | CONTAINERLIST="ima-ng" 319 | else if [ $CONTMODE -eq 0 ] 320 | then 321 | CONTAINERLIST=$(echo "$LIST" | cut -d " " -f 4 | sort -u) 322 | 323 | else if [ $SUBJMODE -eq 0 ] 324 | then 325 | CONTAINERLIST=$(echo "$LIST" | cut -d " " -f 4 | sort -u) 326 | LIST=$(echo "$LIST" | grep 'ACT=*x*&') 327 | fi 328 | fi 329 | fi 330 | 331 | for container in $CONTAINERLIST 332 | do 333 | if [ $NGMODE -eq 0 ] 334 | then 335 | CONTENTRIES=$LIST 336 | else if [ $CONTMODE -eq 0 ] 337 | then 338 | CONTENTRIES=$(echo "$LIST" | awk '$4 == '"\"$(echo $container)\""' { print $0 }') 339 | else if [ $SUBJMODE -eq 0 ] 340 | then 341 | CONTENTRIES=$(echo "$LIST" | awk '$4 == '"\"$(echo $container)\""' { print $0 }') 342 | fi 343 | fi 344 | fi 345 | 346 | DBENTRIES=$(echo "$CONTENTRIES" | rev | cut -d " " -f 2 | rev \ 347 | | cut -d ":" -f 2 | xargs redis-cli --raw -n $REDIS_MEASUREMENTS mget | \ 348 | awk 'NF == 0 { print "@@@";next};{ print $0}') 349 | 350 | DBENT=$(echo "$DBENTRIES" | awk '$0 == "@@@" { next };{ print $0 }') 351 | ENTRYCOUNT=$(echo "$CONTENTRIES" | wc -l) 352 | VALIDCOUNT=$(echo "$DBENTRIES" | grep -c "@@@") 353 | VALIDCOUNT=$((ENTRYCOUNT-VALIDCOUNT)) 354 | 355 | make_term_green 356 | echo "Mount path ID: $(echo $container)" 357 | echo 358 | make_term_normal 359 | echo "$VALIDCOUNT/$ENTRYCOUNT binaries found in database" 360 | echo 361 | echo "List of binaries not in database:" 362 | 363 | # Change termcolor to red 364 | make_term_red 365 | 366 | # Print packages out 367 | NOTIN=$(paste <(echo "$DBENTRIES" ) <(echo "$CONTENTRIES" | rev | cut -d " " -f 1 | rev)) 368 | 369 | echo "$NOTIN" | grep @@@ | cut -f 2 370 | 371 | # Change termcolor to default colour 372 | make_term_normal 373 | 374 | PACKS=$(echo "$DBENT" | rev | cut -d "/" -f 1 | rev | \ 375 | cut -d "@" -f 2 | cut -d "_" -f 1,2 | sort -u) 376 | 377 | echo 378 | echo "List of detected vulnerable 
packages:" 379 | echo 380 | for packid in $PACKS 381 | do 382 | 383 | RESULT=$(redis-cli --raw -n 12 exists "$packid") 384 | if [ $RESULT -eq 1 ] 385 | then 386 | echo "Package name :" 387 | echo $packid 388 | echo "Severity of CVEs :" 389 | redis-cli --raw -n 12 smembers "$packid" 390 | echo 391 | fi 392 | done 393 | done 394 | 395 | FORMATEND=$(date +%s%N) 396 | 397 | FINISH=$(date +%s%N) 398 | echo 399 | 400 | echo "$END lines processed" 401 | 402 | echo 403 | 404 | echo "Download time : $(( ($TRANSFER - $START)/1000000 )) ms" 405 | echo "Processing time : $(( ($FINISH - $TRANSFER)/1000000 )) ms" 406 | 407 | echo "Hash time : $(( ($HASHEND - $HASHSTART)/1000000 )) ms" 408 | echo "Quote time : $(( ($QUOTEEND - $QUOTESTART)/1000000 )) ms" 409 | echo "Format time : $(( ($FORMATEND - $FORMATSTART)/1000000 )) ms" 410 | 411 | echo "Total time : $(( ($FINISH - $START)/1000000 )) ms" 412 | 413 | rm -rf $FILE $QUOTE $LOG $AIK $NEWHASH $PUSH $HASHCPY 414 | 415 | exit 0 416 | -------------------------------------------------------------------------------- /measurementDB/buildStore.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 
16 | 17 | ./downloadPkgs.sh 18 | 19 | ./storeHash.sh 20 | 21 | ./insertDB.sh 22 | -------------------------------------------------------------------------------- /measurementDB/cve/buildCVE.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | 17 | python vulnerable.py | sort -u | redis-cli -n 12 --pipe 18 | -------------------------------------------------------------------------------- /measurementDB/cve/vulnerable.py: -------------------------------------------------------------------------------- 1 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 2 | # 3 | # This program is free software: you can redistribute it and/or modify it under 4 | # the terms of the GNU General Public License, version 2, as published by the 5 | # Free Software Foundation. 6 | # 7 | # This program is distributed in the hope that it will be useful, but WITHOUT 8 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 9 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 10 | # License for more details. 11 | # 12 | # You should have received a copy of the GNU General Public License 13 | # along with this program.  If not, see . 
14 | 15 | # This python script will get the latest CVE list from Debian and parse it to find vulnerable versions of packages 16 | # These versions will be referenced in the Redis database containing the versions of packages already stored for trusted purposes 17 | 18 | # Import json 19 | import json 20 | # Import urllib2 to download the file 21 | import urllib2 22 | 23 | # Download the file 24 | response = urllib2.urlopen('https://security-tracker.debian.org/tracker/data/json') 25 | 26 | # Load and parse the data in memory 27 | data = json.load(response) 28 | 29 | # for each package_version listed in the CVE file, print its vulnerabilities 30 | for package in data.keys(): 31 | for cve in data[package].keys(): 32 | for release in data[package][cve]['releases'].keys(): 33 | if data[package][cve]['releases'][release]['status']=='resolved': 34 | print " SADD " + "\"" + package + "_" + data[package][cve]['releases'][release]['fixed_version'] + "\" \"" + cve + "_" + data[package][cve]['releases'][release]['urgency'] + "\"\r\n\n" 35 | else: 36 | for repos in data[package][cve]['releases'][release]['repositories'].keys(): 37 | print " SADD " + "\"" + package + "_" + data[package][cve]['releases'][release]['repositories'][repos] + "\" \"" + cve + "_" + data[package][cve]['releases'][release]['urgency'] + "\"\r\n\n" 38 | -------------------------------------------------------------------------------- /measurementDB/downloadPkgs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 
8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | # 17 | # Authors: Victor Sallard 18 | # Adrian L. Shaw 19 | # 20 | 21 | # Debian-based distributions 22 | DEBIAN="rsync://ftp.uk.debian.org/debian/" 23 | UBUNTU="rsync://archive.ubuntu.com/ubuntu/" 24 | 25 | # RPM-based distributions, with an example mirror 26 | CENTOS7="rsync://anorien.csc.warwick.ac.uk/CentOS/7/" 27 | 28 | # Default distro to sync is Debian 29 | DISTRO=$DEBIAN 30 | 31 | rsync --archive --itemize-changes --compress --ignore-existing \ 32 | --include="*/" \ 33 | --include="*noarch*" \ 34 | --include="*i386.deb" \ 35 | --include="*amd64.deb*" \ 36 | --include="*x86-64.rpm*" \ 37 | --include="*x86_64.rpm*" \ 38 | --exclude "*" \ 39 | $DISTRO ./packages | egrep '^>' | cut -d " " -f 2 >> scan_files 40 | 41 | # Sort the files to be hashed 42 | sort -u scan_files > scn 43 | mv scn scan_files 44 | -------------------------------------------------------------------------------- /measurementDB/insertDB.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 
13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | # 17 | # Authors: Victor Sallard 18 | # Adrian L. Shaw 19 | # 20 | # grep cleans all empty string entries 21 | # awk #1 puts SET in front of the data 22 | # awk #2 formats in Redis protocol 23 | # pipe sends data to Redis 24 | 25 | PACK=$(mktemp -p ./) 26 | VER=$(mktemp -p ./) 27 | LIST=$(mktemp -p ./) 28 | 29 | # Don't insert null hashes into the database 30 | grep --invert-match "da39a3ee5e6b4b0d3255bfef95601890afd80709" ./shaLog > $LIST 31 | 32 | cat $LIST | cut -d " " -f 3 | cut -d "@" -f 2 | cut -d "_" -f 1 > $PACK 33 | cat $LIST | cut -d " " -f 3 | cut -d "@" -f 2 | cut -d "_" -f 2 > $VER 34 | 35 | echo "Inserting hashes..." 36 | 37 | cat $LIST | awk '{print "SET","\""$1"\"","\""$2"\""}' | awk '{printf "%s\r\n", $0}' | redis-cli -n 10 --pipe 38 | 39 | echo "Inserting packages and versions..." 40 | 41 | paste $PACK $VER | awk '{print "SADD","\""$1"\"","\""$2"\""}' | awk '{printf "%s\r\n", $0}' | redis-cli -n 11 --pipe 42 | 43 | rm $PACK 44 | rm $VER 45 | rm $LIST 46 | 47 | rm ./shaLog 48 | 49 | -------------------------------------------------------------------------------- /measurementDB/storeHash.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 3 | # 4 | # This program is free software: you can redistribute it and/or modify it under 5 | # the terms of the GNU General Public License, version 2, as published by the 6 | # Free Software Foundation. 7 | # 8 | # This program is distributed in the hope that it will be useful, but WITHOUT 9 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 10 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 11 | # License for more details. 
12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program.  If not, see . 15 | # 16 | # Authors: Victor Sallard 17 | # Adrian L. Shaw 18 | # 19 | # This script will find DEB and RPM packages, unpack them, 20 | # hash the executables and store the hashes in a file called shaLog. 21 | # It will also keep track of the already hashed packages 22 | # and store their name in a file 23 | 24 | computeHash(){ 25 | TEMP=$(mktemp -d --tmpdir=./$TDIR) 26 | # If not a Debian package then try RPM 27 | #>&2 echo "Currently in $PWD, going to copy ../packages/$1, heading to $PWD/$TEMP" 28 | dpkg -x ../packages/$1 $TEMP >/dev/null 2>&1 || cd $PWD/$TEMP && rpm2cpio ../../packages/$1 | cpio -idm >/dev/null 2>&1 29 | if [ $? -gt 0 ]; 30 | then 31 | >&2 echo "$1 failed" > ../../pkgs.failed 32 | exit 1 33 | else 34 | >&2 echo "$1 succeeded" 35 | fi 36 | cd $TEMP >/dev/null 2>&1 37 | find ./ -type f ! -empty | sed '/^\s*$/d' | xargs file | egrep -i "ELF|script" | \ 38 | cut -d ":" -f 1 | xargs sha1sum | sed "s/$/@$(basename $1 | sed -e 's/[\/&]/\\&/g')/g" 39 | cd .. 40 | rm -rf $TEMP 41 | exit 0 42 | } 43 | 44 | export -f computeHash 45 | 46 | TDIR=$(mktemp -d --tmpdir=./) 47 | touch scan_files 48 | cd $TDIR 49 | cat ../scan_files | parallel computeHash {} >> ../shaLog 50 | 51 | rm ../scan_files 52 | 53 | sort -u ../shaLog > shlg 54 | mv shlg ../shaLog 55 | cd .. 56 | rm -rf $TDIR 57 | -------------------------------------------------------------------------------- /ra-agent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 
8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | # 17 | # Authors: Victor Sallard 18 | # Adrian L. Shaw 19 | # 20 | 21 | trap exitIt INT 22 | 23 | TESTMODE=0 24 | RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements" 25 | TPM_ACTIVE=$(cat /sys/class/tpm/tpm0/active 2>/dev/null) 26 | 27 | # If test mode is activated, then we assume there is no IMA or TPM 28 | if [ "$2" == "--testmode" ] 29 | then 30 | echo "WARNING: Test mode enabled" 31 | TESTMODE=1 32 | fi 33 | 34 | if [[ "$TPM_ACTIVE" == "0" && -z $TESTMODE ]] 35 | then 36 | echo "ERROR: TPM has not been turned on, please enable it in your BIOS. Exiting." 37 | exit 3 38 | fi 39 | 40 | if [[ ! -r $RUNTIME_MEASUREMENTS && -z $TESTMODE ]] 41 | then 42 | echo "ERROR: Cannot read the boot and runtime log at $RUNTIME_MEASUREMENTS. Exiting." 43 | exit 2 44 | fi 45 | 46 | if [ $# -lt 4 ] 47 | then 48 | echo "Usage: ra-agent.sh " 49 | exit 1 50 | fi 51 | 52 | 53 | PGID=$(ps -o pgid= $$ | grep -o '[0-9]*') 54 | PAIK=$1 55 | UUID=$2 56 | PORT=$3 57 | shift 58 | shift 59 | shift 60 | PCRS="$@" 61 | 62 | exitIt(){ 63 | # Some temporary files may remain... 64 | kill -- -$PGID 65 | exit 0 66 | } 67 | 68 | mainRun(){ 69 | # Store parameters 70 | PAIK=$1 71 | UUID=$2 72 | PORT=$3 73 | shift 74 | shift 75 | shift 76 | PCRS="$@" 77 | 78 | # Detect netcat version 79 | PARAM="" 80 | VERSION=$(dpkg-query -f '${binary:Package}\n' -W | grep netcat) 81 | echo $VERSION | grep traditional > /dev/null 82 | if [ $? 
-eq 0 ] 83 | then 84 | PARAM="-p" 85 | fi 86 | 87 | # Create temporary files 88 | FIFO=$(mktemp -u) 89 | mkfifo $FIFO 90 | FILE=$(mktemp) 91 | NONCE=$(mktemp) 92 | QUOTE=$(mktemp) 93 | OUTFILE=$(mktemp) 94 | 95 | # Open netcat connection for listening 96 | cat $FIFO | nc -q 0 -l $PARAM $PORT > $FILE & 97 | echo "Waiting for connection..." 98 | while ! [ -s $FILE ] 99 | do 100 | sleep 0.1 101 | done 102 | echo "Connected" 103 | 104 | # Spawn a new instance for the next connection 105 | mainRun $PAIK $UUID $PORT $PCRS & 106 | 107 | # BASE64 decode nonce and store 108 | cat $FILE | cut -d " " -f 1 | base64 -d > $NONCE 109 | 110 | # Store line count for diff transfer 111 | LINE=$(cat $FILE | cut -d " " -f 2) 112 | 113 | # Compute the quote with received nonce, but only after everyone 114 | # has finished with tpm_getquote. 115 | # Mutex prevents parallel execution of tpm_getquote 116 | if [ "$TESTMODE" -eq 0 ] 117 | then 118 | echo "Computing quote..." 119 | flock /var/lock/tmp_quote_sender tpm_getquote $UUID $NONCE $QUOTE $PCRS 120 | echo "Done" 121 | 122 | echo "Formatting..." 123 | # Fetch IMA measurements 124 | IMA=$(tail -n +$LINE $RUNTIME_MEASUREMENTS) 125 | else 126 | # If we are running with the --testmode flag then we 127 | # assume that the verifier is also running with the --testmode flag. 128 | # Since there is no IMA or TPM in a CI service like Travis, then 129 | # we use TPM quotes we have prepared earlier... 
130 | cp tests/client_tpm12_test_quote $QUOTE 131 | IMA=$(tail -n +$LINE tests/client_test_log) 132 | fi 133 | 134 | # Base64 encoding of the quote (to avoid getting stray EOF everywhere) 135 | B64=$(base64 $QUOTE) 136 | 137 | # Generate SHA1 of the public part of the AIK 138 | HASH=$(sha1sum $PAIK | cut -d " " -f 1) 139 | 140 | # Fancy formatting 141 | 142 | echo "##SHA1 pubAIK##" > $OUTFILE 143 | echo "$HASH" >> $OUTFILE 144 | echo "##Base64 encoded quote##" >> $OUTFILE 145 | echo "$B64" >> $OUTFILE 146 | echo "##IMA ASCII log file##" >> $OUTFILE 147 | echo "$IMA" >> $OUTFILE 148 | 149 | echo "Ready to send!" 150 | 151 | # Send the file through the pipe 152 | cat $OUTFILE > $FIFO 153 | 154 | # Cleanup 155 | rm $FIFO 156 | rm $FILE 157 | rm $NONCE 158 | rm $QUOTE 159 | rm $OUTFILE 160 | 161 | exit 0 162 | } 163 | 164 | mainRun $PAIK $UUID $PORT $PCRS & 165 | echo "Ctrl+C will stop the script" 166 | while true; do sleep 60; done 167 | -------------------------------------------------------------------------------- /read-registration.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # (c) Copyright 2018 Adrian L. Shaw 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 
16 | 17 | if [ $# -eq 0 ]; then 18 | echo "Usage:" 19 | echo " read_registration " 20 | echo " read_registration all" 21 | exit 1; 22 | fi 23 | 24 | REDIS_AIK_INFO=15 25 | REDIS_AIK_DB=13 26 | 27 | print_host() { 28 | echo "| Host | $1" 29 | HASHAIK=$(redis-cli --raw -n $REDIS_AIK_DB get "$1") 30 | echo "| AIK hash | $HASHAIK" 31 | echo "| Boot aggr | $(redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '0' | base64 -d)" 32 | echo "| PCR10 | $(redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '2' | base64 -d)" 33 | echo "| Reflog | (base64) $(redis-cli --raw -n $REDIS_AIK_INFO LINDEX "$HASHAIK" '1')" 34 | echo "-------------" 35 | } 36 | 37 | if [ "$1" == "all" ]; 38 | then 39 | redis-cli --raw -n 13 keys "*" | while read line ; do print_host "$line" ; done 40 | else 41 | print_host "$1" 42 | fi 43 | 44 | -------------------------------------------------------------------------------- /register.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP 4 | # 5 | # This program is free software: you can redistribute it and/or modify it under 6 | # the terms of the GNU General Public License, version 2, as published by the 7 | # Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, but WITHOUT 10 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 | # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public 12 | # License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program.  If not, see . 16 | # 17 | # Authors: Adrian L. 
Shaw 18 | 19 | if [ $# -lt 3 ] 20 | then 21 | echo "Usage: register " 22 | exit 1 23 | fi 24 | 25 | if [[ $EUID -ne 0 ]]; then 26 | echo "This program needs access to privileged information.You must be a root user" 2>&1 27 | exit 1 28 | fi 29 | 30 | # Parameters 31 | AIKPUB=$1 32 | AIKUUID=$2 33 | VERIFIER=$3 34 | HOSTNAME=$(hostname) 35 | 36 | # Redis database number 37 | REDIS_DB_NUM=15 38 | TEMPDIR=$(mktemp -d) 39 | 40 | REFLOG=$(head --lines 1 /sys/kernel/security/ima/ascii_runtime_measurements | base64) 41 | if [[ -z "$REFLOG" ]] 42 | then 43 | echo $REFLOG 44 | echo "Could not read the IMA boot aggregate, aborting." 45 | echo "Is IMA and securityfs enabled?" 46 | exit 1 47 | fi 48 | 49 | TPM_ERROR=$(tpm_getpcrhash $AIKUUID $TEMPDIR/aik.pcrhash $TEMPDIR/aik.pcrval 10 2>&1 | grep Error) 50 | 51 | if [[ -n "$TPM_ERROR" ]] 52 | then 53 | echo "TPM error, aborting: $TPM_ERROR" 54 | exit 1 55 | fi 56 | 57 | PCRHASHBIN=$(cat $TEMPDIR/aik.pcrhash | base64) 58 | PCRHASHASCII=$(cat $TEMPDIR/aik.pcrval | cut -d '=' -f 2 | base64) 59 | 60 | PUBAIKHASH=$(sha1sum $AIKPUB | cut -d ' ' -f 1) 61 | ENCPUBAIK=$(cat $AIKPUB | base64) 62 | 63 | echo "PUBAIKHASH is $PUBAIKHASH" 64 | echo "REFLOG is $REFLOG" 65 | echo "PCRHASHBIN is $PCRHASHBIN" 66 | echo "PCRHASHASCII is $PCRHASHASCII" 67 | 68 | # Register hostname-to-AIK mapping 69 | redis-cli -h $VERIFIER -n 13 set "$HOSTNAME" "$PUBAIKHASH" 70 | 71 | # Delete existing host information 72 | redis-cli -h $VERIFIER -n $REDIS_DB_NUM del "$PUBAIKHASH" 73 | 74 | # Put the host information in the DB 75 | redis-cli -h $VERIFIER -n $REDIS_DB_NUM RPUSH "$PUBAIKHASH" "$REFLOG" 76 | redis-cli -h $VERIFIER -n $REDIS_DB_NUM RPUSH "$PUBAIKHASH" "$PCRHASHBIN" 77 | redis-cli -h $VERIFIER -n $REDIS_DB_NUM RPUSH "$PUBAIKHASH" "$PCRHASHASCII" 78 | redis-cli -h $VERIFIER -n $REDIS_DB_NUM RPUSH "$PUBAIKHASH" "$ENCPUBAIK" 79 | 80 | rm -r $TEMPDIR 81 | echo "Registered $HOSTNAME" 82 | 
-------------------------------------------------------------------------------- /tests/client_test_log: -------------------------------------------------------------------------------- 1 | 10 ce8bf411a3b35fcfb451722f14278edc36d1411f ima-ng sha1:b5250ea46f51b05225d3af2e4367e4f1d077fc0f boot_aggregate 2 | 10 2ae395c52aafbc03d4c6254a139b30a741722ba7 ima-ng sha1:5895956e1e9b8a22ce645b9bb5f0a536980386c6 /sbin/ifconfig 3 | 10 982c6e4e1b56de9e22615d8ae96093d75f3785ca ima-ng sha1:d1a97fb5951fb8d09db874ae08fbbe80e6c787b3 /lib/x86_64-linux-gnu/ld-2.19.so 4 | 10 9e3df0ac9e286402ef126989e8b667858e173695 ima-ng sha1:11feceb0969f6893c30af94ef3472b61ad47e43c /lib/x86_64-linux-gnu/libc-2.19.so 5 | 10 e772d24ddd3d40c8be203c5c13c601bc232b88f2 ima-ng sha1:571beb096cb45c09f2a79a0dc17141e3f2dbf5cf /home/labs/LightVerifier/ra-agent.sh 6 | 10 4c61f8ac9daeeffe0222f4e6f095f53b62fa27d2 ima-ng sha1:f8c776c16bc38940f4bb3b8083fa576ef1cba4bd /bin/bash 7 | 10 a1b866d106012bb10f9039d33e259560b5bd0823 ima-ng sha1:bd15d1d96411a7db1eb5ccc107ed4b26628a31af /lib/x86_64-linux-gnu/libncurses.so.5.9 8 | 10 661a33e4d135572ecc8f40d3d12462bfd885abd2 ima-ng sha1:c802be83b07b629afab7fac3e44d08ef412e02fc /lib/x86_64-linux-gnu/libtinfo.so.5.9 9 | 10 f787c21d5ea7e2846471783e205066535d5f7bb7 ima-ng sha1:3f69da0ae617e7b548bb60e2c2c23bbb3b283ba2 /lib/x86_64-linux-gnu/libdl-2.19.so 10 | 10 71592bddd2a461a7a80a3c370222ba03832c5720 ima-ng sha1:011375eabc4e91b9bf14c696b19fe0b737130591 /bin/ps 11 | 10 fa42e4772b128f33c5cc6412034b0c8c8b19369a ima-ng sha1:620bfeeab8eef65f57c3ffd15945ee4363f5e4b9 /bin/grep 12 | 10 66ef53a36eef8e9404fa54353b1b8f92ba883354 ima-ng sha1:c157bfbb9deb4fe2224896780a30b92c205df298 /lib/x86_64-linux-gnu/libprocps.so.3.0.0 13 | 10 4084bc487bcf892cf696dc22d27acc15ab72b289 ima-ng sha1:13db4ec4420a892b729cbd4cce91e071cbd34a55 /lib/x86_64-linux-gnu/libpcre.so.3.13.1 14 | 10 f650449a6d432cf7dc3db5bc88bcf1201cbf7b01 ima-ng sha1:4e22b05a7b88be403263180fc8621a9903182106 
/lib/x86_64-linux-gnu/libpthread-2.19.so 15 | 10 c83f30900de520df63bfa0d6988e043482eb2e96 ima-ng sha1:f04d7781fb704bc76ea1b05563bb579fde8bb815 /bin/sleep 16 | 10 776c1b9ecd917e5dae7264e9f1a888f314b7f8aa ima-ng sha1:813e5d431d9c7fd20f86aac05b6a564d543782bc /usr/bin/dpkg-query 17 | 10 44cd8115ade91904cc8a1ae5c1738ff4aa042767 ima-ng sha1:3a372d470e62f8d927bb42bb3e86dae892a7b745 /bin/mktemp 18 | 10 00fc854ebc35338cb240d43b9e05e75fa5e00172 ima-ng sha1:7e797e73e45376a514814c92e825b7f5766001c0 /usr/bin/mkfifo 19 | 10 7796fd58ded3d0f8221df9b496c8ea58702c2c3f ima-ng sha1:0d1173b69de0502541406d2c0771c1fbe8ea685b /lib/x86_64-linux-gnu/libselinux.so.1 20 | 10 9cd114d05ac38f6a074efe7ac333de82467ad90f ima-ng sha1:482f31e001dcf9dd8833b86f1cabea107288e8ef /bin/cat 21 | 10 3c6ba4c8ef9ec4ff206ae1950b941121913e342d ima-ng sha1:e1187bca851347f7cff9ffc829bdfd85605dadd8 /bin/nc.traditional 22 | 10 b9ba8714db13e0a25679dde3bf08887ab370afe7 ima-ng sha1:6ba95d11cad4cc5c91f32fb19291325b60b2e1ba /lib/x86_64-linux-gnu/libnss_files-2.19.so 23 | 10 b6e1f1f938a960cd9aec17a2916b5a067cd9f82c ima-ng sha1:8349dce241017bb4fbb8ea7174feba6cc0977b83 /home/labs/LightVerifier/lqr.sh 24 | 10 22379b5c917368331c9ac4a3b72e3569c64d9a59 ima-ng sha1:fa11dd5b81ea87a769f5d31a3a182d30826b9cd8 /bin/mkdir 25 | 10 1f76e07d234014901be8c6c6a9ea995fb419a7da ima-ng sha1:d3f1e0c2c95b9ec0b0392f6cb026fabae48d6418 /bin/date 26 | 10 1764c0e33bf5ee790d40e77d18fa76ed34ade942 ima-ng sha1:24283d4e02c727e229244810c61f20fde4f718cc /usr/bin/redis-cli 27 | 10 5554e1d222fef31deaf76520d068375afb85597f ima-ng sha1:eded6755a930e5c893c9c53a48faeeffef165974 /lib/x86_64-linux-gnu/libm-2.19.so 28 | 10 fe34b41777a7dc76e62a65f1c59532a87ca54fe5 ima-ng sha1:b9713d0626c3c8866c42dd4019952cddbdc074c4 /usr/lib/x86_64-linux-gnu/libjemalloc.so.1 29 | 10 2b863548ce2e45fa7e954c3d146cfee53dfadf76 ima-ng sha1:834a84d35a43e55d26a4be35ce54ef93dd69aa87 /usr/bin/base64 30 | 10 44ad3463631d45498cd08f581df96cadb9d91eca ima-ng 
sha1:58172e9ca6c98c976ab00d34aa32e901265f77e7 /bin/ls 31 | 10 088d093ac437cc5eeee7d94b8477c72d8455097d ima-ng sha1:b1377b155100e059da4faf6bb391b032d4e6ed17 /usr/bin/wc 32 | 10 1149b9921b8f92badd80d120a171bf8153be4375 ima-ng sha1:b83050fc0c6eb326a3d863098158bd202799053d /lib/x86_64-linux-gnu/libacl.so.1.1.0 33 | 10 e1ce959225380802cb147b2dbbc7d0a8f9e6ec15 ima-ng sha1:0a7a430c71904472cb2bba6bc6b6e83b2df69b90 /lib/x86_64-linux-gnu/libattr.so.1.1.0 34 | 10 dd13bf5975b7af15317d27cf6934cf7d52cc3696 ima-ng sha1:355e7cf440806f261e8ee3ddc23199787ad6dbc2 /lib/x86_64-linux-gnu/libnss_compat-2.19.so 35 | 10 231a88d39a5842d9d7384b13d7c28e873fffb6eb ima-ng sha1:ad7e3b9ed99fa64b7b31cb696f87f6f2a01b3034 /lib/x86_64-linux-gnu/libnsl-2.19.so 36 | 10 321c262119e350b132f936a3b3bce28699cd6f13 ima-ng sha1:9dad20918d8d730eee30c4f629414985d0bef7e2 /lib/x86_64-linux-gnu/libnss_nis-2.19.so 37 | 10 222c1575c94c29d4825771c5fbea36650e2af05e ima-ng sha1:2d9b71b7161c861e5a0f83e8f4d0b35e813bc8c3 /usr/bin/openssl 38 | 10 1097fbad275beb6bfda956081a6e8d44ba5ebf79 ima-ng sha1:5f5a28aadb5df06cd6e6b2782c5d63fc4a5f4858 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 39 | 10 eff36e202624021221c2fec3e876140bb976d65b ima-ng sha1:482c0ea4c59bdc9834ab9bd16dae8b5d4efd78e1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 40 | 10 eff91d6c5a1d07a7335794e75888cd34faf4382b ima-ng sha1:149b120628f5eec67b1f3e2f1f10ab17130c2370 /usr/bin/cut 41 | 10 0ebd26181ff384a09e5e9e3d74b80a8a452a52dc ima-ng sha1:2d799f333b263e6d6c65089fc01bcba6aac4f8b2 /usr/bin/flock 42 | 10 33f1bd4bf79cba8cce2b6e19285480b307e32b57 ima-ng sha1:fdd918a53999a5cbe6d11f4bd38bd5a13e7ef225 /usr/local/bin/tpm_getquote 43 | 10 42c3ebcc8baff0aa5ee32ce3e275ee9161ed890f ima-ng sha1:7372e1b8685cf45bb36b02ed52df27092a9bfd01 /usr/lib/x86_64-linux-gnu/libtspi.so.1.2.0 44 | 10 15884b1dc662940d8c29a8ad93998bca154c7cd8 ima-ng sha1:113b42b910b87b10e7734538530091957462c45d /bin/kmod 45 | 10 f3b546d2f76379e88bb445531629c47d2a5c6fa0 ima-ng 
sha1:8143e6d962993c6f80f30f462c67584062e52f65 /usr/bin/tail 46 | 10 edaa3e2576d47a15e88a2ee1f992497283725bfb ima-ng sha1:666a8bfde51372405a850aac9cd4cae54839d9dd /usr/bin/sha1sum 47 | 10 91984d4d525320cef9f0dda3764a736a8925d448 ima-ng sha1:884818cc31915c10a784e98d334fc2e83a5e8d20 /bin/rm 48 | 10 cd7b8b05b323596a8fc30e6e283cafa8b0180630 ima-ng sha1:7e29da1b723658c1b6c1536bc194b0df26e18b15 /home/labs/LightVerifier/lfp.sh 49 | 10 6b19b0f39a353f3162ff1976a334b71a8b3c3588 ima-ng sha1:2dd8a9d9bb33ebffccb2ff516497adc8535bcab4 /bin/dash 50 | 10 6542218473d718dc89968e5409672ac025f0c2fc ima-ng sha1:597161f1f35f1c2877331ea14c5e250b18822c36 /usr/bin/gawk 51 | 10 8f85489fb9424eed72f14c7274837ac925c41339 ima-ng sha1:747fabd331e159370c88c247978cfe3906da7a7a /usr/lib/x86_64-linux-gnu/libsigsegv.so.2.0.3 52 | 10 1b0b90b8be09ce6ef9951eed19244a80dc771161 ima-ng sha1:deb34a73cce4448301a0682eeefd93d6bf0084d5 /lib/x86_64-linux-gnu/libreadline.so.6.3 53 | 10 af2843e151e87f003c5815c50e3248dfa668ad20 ima-ng sha1:6fe7048f21b4cca921cb33cdce49f94b3612cf41 /usr/lib/x86_64-linux-gnu/libmpfr.so.4.1.2 54 | 10 6aa92f911b63507b979d3849c5740a4bbce36b26 ima-ng sha1:5a65d308ebc82f31364daefaee0b8dce3ed0ec1e /usr/lib/x86_64-linux-gnu/libgmp.so.10.2.0 55 | 10 3decd98d99ed50e5ea53c6ed7721611b609a40e3 ima-ng sha1:e1958bc75d15f06fdde889d2a63bd9faad7545ca /bin/cp 56 | 10 6c2b1582bed2d7c611ac7f9094988e396c9accd6 ima-ng sha1:3f6c595669ba0d67421dcf4881dbeec6700a7bd1 /usr/local/bin/tpm_updatepcrhash 57 | 10 9fa0384b8d68f81074ab675002d7b45ef4597e7f ima-ng sha1:35d8692d4a5bd5e4c959a0d5fd49a0b833cfca41 /bin/sed 58 | 10 f7fc80a5a7b9d72287ab6844d128babda912dbf3 ima-ng sha1:a546ba8c53cfdd9fa18ed2b8fcc3c4ab3ca52cf2 /usr/bin/xxd 59 | 10 40b460bfbebfb8564109a27659d6f66a6014562a ima-ng sha1:ed0d3b05e62d2336d587420f348c4a84c5267d01 /usr/bin/tr 60 | 10 e7a4e828d8b4d53cad4ce4ac96f2fdd72101c26d ima-ng sha1:d901fafe7921d6db96cba659d03609fb4e2760d9 /usr/local/bin/tpm_verifyquote 61 | 10 44da141351c48c0cf4f018391ea5b42c1f7cea0e 
ima-ng sha1:8a6f60045f7b972d0446c540f14620fddf6c1588 /bin/mv 62 | 10 e9ca7f4dba1e75e3e5e90204b9912b9441e60458 ima-ng sha1:d322f172684dccea660f8d482de2085763b42123 /usr/bin/rev 63 | 10 07f0855db786de4cfdedfc738584922b8a1e0c00 ima-ng sha1:af9e65ba9c04af0350782aba110a94e7fd77f793 /usr/bin/xargs 64 | 10 4c82d0224a30488ec026a25282bd310356ebe57c ima-ng sha1:ca6abc3efe3359e70f2920e17f3d3fdc7ee49ca3 /usr/bin/paste 65 | 10 41d5bd0e08b7b0ba3db8ee883aebf610f1117fa9 ima-ng sha1:c56fb6a5cf8c184e92ae9535d17209e10daaae55 /usr/bin/sort 66 | 10 632965b70bef714e59a2f30dbe1fb5c3cc823992 ima-ng sha1:bb167aacd3141549112cfbb58de68d7144d673a9 /lib/x86_64-linux-gnu/security/pam_unix.so 67 | 10 6a33e655f4089ad41612956f962d40f8a15967b5 ima-ng sha1:959563fbd75dc70357aa936d0b100c6ae0f281d1 /lib/x86_64-linux-gnu/libcrypt-2.19.so 68 | 10 58bab3153f77314aa9247ce0aa0e3e3fec09fd40 ima-ng sha1:076178ddaea1f4256ae6b4d436a17b5fb09f0b23 /lib/x86_64-linux-gnu/security/pam_deny.so 69 | 10 aee156f3341ced58605398fbb339df23f9c9fd11 ima-ng sha1:c5e4ccc56ea81453d9fcd4b18a02894c543b02c4 /lib/x86_64-linux-gnu/security/pam_permit.so 70 | 10 afb3b03b3c7329b1a0b5c3591b4a0cacb35cd660 ima-ng sha1:819e2cded4ebdfa659a58238cb111a96ced77d74 /lib/x86_64-linux-gnu/security/pam_loginuid.so 71 | 10 4117aaf6cf66e8022241e616450280aa426a07ef ima-ng sha1:c440922f5af4d0a8730f0a6e11c1e8cbf5f308eb /lib/x86_64-linux-gnu/security/pam_env.so 72 | 10 be993f113706b824dcdb25a7d94f7a22173cfa71 ima-ng sha1:d370c8d7202f8c7d623b64d95e96423602da3196 /lib/x86_64-linux-gnu/security/pam_limits.so 73 | 10 dde602508b1e7de80a9c8d54f211441baeff1f6a ima-ng sha1:c0ddeccb85cc7cc1aea6020a8df1c443b536cf09 /lib/security/pam_gnome_keyring.so 74 | 10 af1cf3d88f5cfa8aa2647267fc8f59e99aa85ff3 ima-ng sha1:4bd770e84b2183014867f5189b3619dc5e3fa2e3 /lib/x86_64-linux-gnu/security/pam_systemd.so 75 | 10 d9e104f420179650bdb98f057c436b3acc5f717c ima-ng sha1:cf67a5bbc98802ca96c55f8d414ccebfbc3e1153 /lib/x86_64-linux-gnu/libcap.so.2.24 76 | 10 
6322001ef0a7d989513eb48c9d6f7a93c9866cbd ima-ng sha1:7a03d9914fa9bbe36e1fd37e0929d36991c65cf4 /lib/x86_64-linux-gnu/librt-2.19.so 77 | 10 9ec288458dbe10a0b0550ea6cac5230a40bfff1f ima-ng sha1:8a66e8de09c933d538cb781697a0e78216d25db6 /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0 78 | 10 a06a478d8f85a5075ae9349942d60e471f3dae3c ima-ng sha1:1f343e93107e3adbe986159ae27b4ffe3c0f3c55 /usr/lib/php5/sessionclean 79 | 10 a04e7da498c7899e3501760dc7508896cbfc0d60 ima-ng sha1:e166a61a62bfb356ee95cf4206faebeb212d2912 /usr/bin/php5 80 | 10 c03e721396eed7e90af95c8a466008d7de2cc2ed ima-ng sha1:f3459f6983f5bf7089c78edfda134b8e44076878 /lib/x86_64-linux-gnu/libz.so.1.2.8 81 | 10 3a24e3eaf9907b0b40419fed970f3db8031bc73f ima-ng sha1:6a575a687c0ea117bf4165b9e4e5ed2d4c11b492 /lib/x86_64-linux-gnu/libresolv-2.19.so 82 | 10 7b9a17874c60d76dd44ccf149c2824a5b0801af4 ima-ng sha1:27e398178190730e5bbc659687a893ab00e95eff /usr/lib/x86_64-linux-gnu/libonig.so.2.0.1 83 | 10 23cc34d51febe54faf36832397274767b1911456 ima-ng sha1:df80585266cea41c76ea1702e1bfe2bfd1459004 /usr/lib/x86_64-linux-gnu/libdb-5.3.so 84 | 10 74117a4f0df4026e873a2084450caa85dd3ac12b ima-ng sha1:65905506c5a82caeb6a029c34de9ec23f4f5d0a0 /usr/lib/libqdbm.so.14.14.0 85 | 10 4b608a61ab60672f4d04d7eddea9da34871e6a9e ima-ng sha1:cf9408f82e966b9f686d5a21539b6baeb9efd65a /lib/x86_64-linux-gnu/libbz2.so.1.0.4 86 | 10 f0b80f01b90ae5ec95c63cf8ba6ef2de812c1e03 ima-ng sha1:bea84bb2548097cc8f49cff531befdefda71adcd /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1 87 | 10 3c7b9077235e67fba209277e440f3e1d7b3c0a05 ima-ng sha1:6b99a984d9cf878505749a0227c7427d0a4a6189 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 88 | 10 ffd136e30138f228c806de8e22cb4c7ca3f78a04 ima-ng sha1:e70178fae2c82ea49e58a5222bfe6dfc064a512c /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 89 | 10 d4caea94498ebb6ed586a76f0dbf053abe545aa3 ima-ng sha1:1d8620f00588b87b76f9c6fa2b725769bd9afd89 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 90 | 10 ff4d5ccae591f2dabdd0fb4b2c6916a49be398de ima-ng 
sha1:9203e70bc6edb4dc1e51f601f3581ac6cb218e4d /lib/x86_64-linux-gnu/libcom_err.so.2.1 91 | 10 13d057ed04b177415499a2d1db91de5ed2ce0d6c ima-ng sha1:7253ec63aae4c623c24e83131985f6911660b83c /lib/x86_64-linux-gnu/liblzma.so.5.0.0 92 | 10 a02aac300239a95caeacb479b44962aa16338460 ima-ng sha1:ff52d21764c239967bc68a89468fd3a6dac284ba /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1 93 | 10 6533416635bc6c9bdc7204c8dacdf81c83476268 ima-ng sha1:7f94df16644e9ca9bfbea43302b2c617932a0f01 /lib/x86_64-linux-gnu/libkeyutils.so.1.5 94 | 10 54a3d9bd87e07dae7ce93f755e735dbd49e4433f ima-ng sha1:0080c2f5f362fecfdd92805378a2e38fb4267bce /usr/lib/php5/20131226/opcache.so 95 | 10 27bdc0024232c7aa29d33bd213f70557568dec21 ima-ng sha1:3e3920770ebb20a79c345dfcacda29d4401c0ff0 /usr/lib/php5/20131226/pdo.so 96 | 10 915d24a0dae8db11e6694d65dfff91ea4ff21a49 ima-ng sha1:ceaed05830c4ec28aa82fcde9be91657bd928d0b /usr/lib/php5/20131226/json.so 97 | 10 eb61be9c84e7d7b6b8023219547120278dcd0732 ima-ng sha1:859c0bdf0b2f1efe3438d19ca5375dbf3940b8e4 /lib/x86_64-linux-gnu/libjson-c.so.2.0.0 98 | 10 5e4bb86b1f79f879ff93932ca2f90cf382632d0b ima-ng sha1:b87332b7251edd523c3e6ee498de6df21e06bfa9 /usr/lib/php5/20131226/readline.so 99 | 10 a68076270225543de3dc28984bb6a4640b23e410 ima-ng sha1:6ce77ab77c2919d83732f650779ce8fc62b3441b /usr/lib/x86_64-linux-gnu/libedit.so.2.0.51 100 | 10 3bafd47e4c01f01aca6f188a65e0e75150cd8fe7 ima-ng sha1:ebee2c5271b2a1c8e65b092d2a688b57ce2a8e72 /lib/x86_64-linux-gnu/libbsd.so.0.7.0 101 | 10 734e172bd50d5d94887669f7eaa7c697c1608787 ima-ng sha1:002ba97d12c77cb01d97e8603f2e09f74137a502 /sbin/killall5 102 | 10 ff442be48741985cba45a2f6e6e7df6d6daa6aec ima-ng sha1:0e664a5aecc48f058e5613a2bad4694c19ec573a /usr/bin/find 103 | 10 3edf60bb366ba8ba7e59215772ed7f2a9471037a ima-ng sha1:5dbe4f2c6d002e69c010d130b2948b9023c2b40e /bin/less 104 | 10 baaa29faa261f0d1c250161a8ad65d5064b77961 ima-ng sha1:453ccfc828c68932fc39a07f0a0dfd301e709ea6 /bin/systemd-tmpfiles 105 | 10 
d006da7680f81a3eaac58027ddab0fff101c332b ima-ng sha1:0234dbb5f1f2d4b915fb1f73f1fba8faa578b29a /lib/systemd/systemd-cgroups-agent 106 | 10 942bf1024145069e88feae31fdfb39cf86c3f57f ima-ng sha1:e1fba25b0f30b5c037b1ac6ac65a5816c4e1d0fc /usr/bin/vim.basic 107 | 10 5e9f608a1d618f8925822dce9564985ec44f7d5c ima-ng sha1:1ca32791dea7f4294b312aed40e2087bd81c05f3 /usr/lib/x86_64-linux-gnu/libgpm.so.2 108 | 10 43f0001533a900af37f7d91dbbd670f1caf28f00 ima-ng sha1:442696026085d9a4a64ed81656a9ca25c39e1bf4 /usr/lib/x86_64-linux-gnu/gconv/ISO8859-1.so 109 | 10 649cd6f11b676601909bf5387f1864057421a1bc ima-ng sha1:a42b21f26b8201cffaa8b50cae98d9215b2721b6 /home/labs/LightVerifier/lqr.sh 110 | 10 346e25f38345df2dcc4ae4a83526e67c5880d802 ima-ng sha1:f73499e1abef92c273850c2a2609bcbc15b24209 /home/labs/LightVerifier/lqr.sh 111 | 10 a02d2f91501821fb2043270563659a95c1382050 ima-ng sha1:0869ecdc249e64458e4014a1ab1ea51edb0baa9b /home/labs/LightVerifier/lqr.sh 112 | 10 c9ea0debf490a46bb52540304c13b7e412cdf67b ima-ng sha1:c92c72009d4f24b46e69e18b6df0639b70871ceb /home/labs/LightVerifier/lqr.sh 113 | 10 873062b71e5d4b8f5de8ff58a68e03236c89915d ima-ng sha1:98ece09e5c3bb6398387b9b2efa688248f062186 /home/labs/LightVerifier/lqr.sh 114 | 10 459c97cd119f53516c67cb546d0651af7c3e86d6 ima-ng sha1:8a4980b9a03320e4b073ad1c1df1b52373d8afff /home/labs/LightVerifier/lqr.sh 115 | 10 3d3b8b78a3134dcf30b6eb4a24a41f3759880fac ima-ng sha1:c8d0328f735416c4ebf0959b03e69a9f7e7df140 /home/labs/LightVerifier/lqr.sh 116 | 10 380c0a0885336d2871ba02d28c3cfa3392c689f4 ima-ng sha1:1869ff75708e1d466f7f86c4cd1a41e8f3391c2c /home/labs/LightVerifier/lqr.sh 117 | 10 558df773c8b288e8ba239dd88b42aa1f49ef0281 ima-ng sha1:a79e1853ef1c11f43b8333ecdec4a228ae59acc7 /home/labs/LightVerifier/lqr.sh 118 | 10 9d5516db954bc48fd0a559dcac9db36d82e6b31c ima-ng sha1:25b014868954f54c42298edc80d080fa577fe7c3 /home/labs/LightVerifier/lqr.sh 119 | 10 147a3c74cd22fbcf78355cf099e3a2aaf70f7f0a ima-ng sha1:7b64461061267e62f70efdfd31c8060f5946e801 
/bin/dd 120 | 10 1938cbb5276159844591a2a092dc020d42b978be ima-ng sha1:ac1b6c2b8dce23a708222da930f564231994f4f4 /usr/bin/git 121 | 10 f668511f798850a1ee54cc33766bc3d19f06f9c1 ima-ng sha1:ac1b6c2b8dce23a708222da930f564231994f4f4 /usr/lib/git-core/git 122 | 10 f3ec2110839dc1c34407d5c985f829b8f5ea0622 ima-ng sha1:706957e06674a2963dcc2f1dfaa6f2d416022c4d /bin/run-parts 123 | 10 fb0f9ab83d98ea10822349e0e1faa555040941f1 ima-ng sha1:7ff294f1c5517cb9bfc8deb8b13a950d47e5ffb3 /home/labs/LightVerifier/ra-agent.sh 124 | 10 af6ace3f16001019112450fc3b6cf57f86f7c6db ima-ng sha1:3309e0cda7088ec9f2a3a5599e18551b07c1ed47 /home/labs/LightVerifier/lqr.sh 125 | -------------------------------------------------------------------------------- /tests/client_tpm12_test_quote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adrianlshaw/LightVerifier/024cb01680b70d5db69c6828b232ba2c3e50cb7d/tests/client_tpm12_test_quote -------------------------------------------------------------------------------- /tests/hashPCR: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adrianlshaw/LightVerifier/024cb01680b70d5db69c6828b232ba2c3e50cb7d/tests/hashPCR -------------------------------------------------------------------------------- /tests/pcrValue: -------------------------------------------------------------------------------- 1 | 0D07AE4FC1EBC1204B48987DC5382E825F6E1B7F 2 | -------------------------------------------------------------------------------- /tests/pubAIK: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adrianlshaw/LightVerifier/024cb01680b70d5db69c6828b232ba2c3e50cb7d/tests/pubAIK -------------------------------------------------------------------------------- /tests/refLog: -------------------------------------------------------------------------------- 1 | 10 
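ce8bf411a3b35fcfb451722f14278edc36d1411f ima-ng sha1:b5250ea46f51b05225d3af2e4367e4f1d077fc0f boot_aggregate
-------------------------------------------------------------------------------- /tests/test-script.sh: --------------------------------------------------------------------------------
#!/bin/bash
# End-to-end test: provisions a local verifier store, starts the attestation
# agent in test mode and runs one quote request against it.  The exit status
# of lqr.sh is captured in RESULT and returned at the end of the script.
#
# The fixture paths below are relative to the repository root, so make that
# the working directory regardless of where the script was invoked from.
cd "$(dirname "$0")/.." || exit 1

service redis-server start

# Stop anything left over from a previous run.
pkill ra-agent
pkill lqr.sh
pkill nc.traditional
pkill nc

# Redis DB numbers
REDIS_MEASUREMENTS=10   # file hash -> path of a known-good measurement
REDIS_AIK=13            # hostname -> AIK hash
REDIS_AIK_INFO=15       # AIK hash -> [reflog, pcr hash, pcr value, pub AIK]

# Key under which the localhost AIK information is stored.
# NOTE(review): expected to be the sha1sum of tests/pubAIK, the key
# register.sh would derive — confirm when the fixture is regenerated.
HASHAIK="a7ca3d9fed8e1020770622d8bf2396274c608e78"

# Since we can't host the entire database in the test environment,
# add two reference measurements (the /bin/grep and lqr.sh entries of the
# client test log) to the database.
redis-cli -n "$REDIS_MEASUREMENTS" set "620bfeeab8eef65f57c3ffd15945ee4363f5e4b9" "/bin/grep"
redis-cli -n "$REDIS_MEASUREMENTS" set "3309e0cda7088ec9f2a3a5599e18551b07c1ed47" "/home/labs/LightVerifier/lqr.sh"

# Add "localhost" public AIK to the trust store
redis-cli --raw -n "$REDIS_AIK" set "localhost" "$HASHAIK"

# Remove old information from the verifier (DEL drops the whole list).
redis-cli --raw -n "$REDIS_AIK_INFO" DEL "$HASHAIK"

echo "Provisioning expected boot aggregate PCR and public AIK"
# Order matters: the entries are read back by list index (see read-registration.sh).
redis-cli --raw -n "$REDIS_AIK_INFO" RPUSH "$HASHAIK" "$(base64 < tests/refLog)"
redis-cli --raw -n "$REDIS_AIK_INFO" RPUSH "$HASHAIK" "$(base64 < tests/hashPCR)"
redis-cli --raw -n "$REDIS_AIK_INFO" RPUSH "$HASHAIK" "$(base64 < tests/pcrValue)"
redis-cli --raw -n "$REDIS_AIK_INFO" RPUSH "$HASHAIK" "$(base64 < tests/pubAIK)"

echo "Starting agent and verification server"

# Start the remote attestation agent in the background and make sure it is
# stopped again when the test exits, whatever the result.
./ra-agent.sh tests/pubAIK --testmode 5000 10 &
AGENT_PID=$!
trap 'kill "$AGENT_PID" 2>/dev/null' EXIT

# Start the verification test
AIKDIR=$PWD/tests ./lqr.sh localhost 5000 --testmode
RESULT=$?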
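# End test
exit "$RESULT"
-------------------------------------------------------------------------------- /verify.sh: --------------------------------------------------------------------------------
#!/bin/bash

# (c) Copyright 2016-2017 Hewlett Packard Enterprise Development LP
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License, version 2, as published by the
# Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#
# Authors: Victor Sallard
# Adrian L. Shaw
#

# This is a wrapper to ease the use of the requester
# $1 is the target, $2 is the port
# AIKDIR specifies where the machine information is
#
# Exit status: 0 trusted (possibly from the cached verdict), 1 not trusted or
# usage error, 2 bad connection during the quote request, 3 first-contact
# connection error or host not known to the verifier.

TTL=5
# Honour a caller-supplied AIKDIR; the default is the current directory.
export AIKDIR="${AIKDIR:-./}"

if [ $# -lt 2 ]; then
  echo "Usage: verify.sh <target> <port> [--testmode]" >&2
  exit 1
fi
TESTMODE=0
if [ "$3" == "--testmode" ]; then
  TESTMODE=1   # accepted for compatibility; nothing in this script reads it
fi

# Redis DB numbers (must agree with register.sh and read-registration.sh)
REDIS_AIK_DB=13    # hostname -> AIK hash
REDIS_AIK_INFO=15  # AIK hash -> reference measurements, written by register.sh
REDIS_TRUST_DB=14  # AIK hash -> "TRUST", cached for TTL seconds

redis-cli ping >/dev/null 2>&1 \
  || { echo >&2 "redis-cli is not installed or the Redis server is not reachable. Aborting."; exit 1; }

TARGET=$1
PORT=$2

#######################################
# Check that a value has the shape register.sh stores: the sha1sum of the
# public AIK, i.e. 40 lowercase hex characters.  The hash is later used as a
# redis key, a directory name and a lock-file name, so nothing else may pass.
# Arguments: $1 - candidate hash
# Returns:   0 when well-formed, 1 otherwise
#######################################
valid_aik_hash() {
  [[ "$1" =~ ^[0-9a-f]{40}$ ]]
}

KNOWN=$(redis-cli --raw -n "$REDIS_AIK_DB" exists "$TARGET")
if [ "${KNOWN:-0}" -eq 0 ]; then
  # First contact: ask the target which AIK it attests with.  The reply is
  # only recorded if it names an AIK that register.sh provisioned, so an
  # unregistered responder cannot plant an arbitrary hostname mapping.

  # Generate nonce, already base64-encoded as it is sent on the wire.
  # NOTE(review): the raw-bytes-through-echo encoding used before could not
  # carry NUL bytes; confirm ra-agent.sh accepts this form as well.
  NONCE=$(openssl rand -base64 20)

  # Add the line number after the nonce to only get the new log part
  SEND="$NONCE 1"

  # Detect netcat version: only the non-traditional netcat needs -q to
  # close the connection after EOF on stdin.
  PARAM=()
  if ! dpkg-query -f '${binary:Package}\n' -W 2>/dev/null | grep netcat | grep -q traditional; then
    PARAM=(-q 20)
  fi

  # Request the pubAIK/quote/log file
  RESPONSE=$(printf '%s\n' "$SEND" | nc "${PARAM[@]}" "$TARGET" "$PORT")
  if [ $? -ne 0 ]; then
    echo "Connection error."
    exit 3
  fi

  # The second line of the reply is the hash of the target's public AIK.
  PUBAIK=$(sed '2q;d' <<<"$RESPONSE")

  if ! valid_aik_hash "$PUBAIK"; then
    echo "Malformed AIK hash in the reply from $TARGET, not recording it." >&2
    exit 3
  fi
  if [ "$(redis-cli --raw -n "$REDIS_AIK_INFO" exists "$PUBAIK")" -eq 0 ]; then
    echo "The machine is not known to the verifier. Did you register the machine?"
    echo "See the register.sh script."
    exit 3
  fi

  redis-cli --raw -n "$REDIS_AIK_DB" set "$TARGET" "$PUBAIK" >/dev/null
else
  PUBAIK=$(redis-cli --raw -n "$REDIS_AIK_DB" get "$TARGET")
  if ! valid_aik_hash "$PUBAIK"; then
    echo "The AIK hash stored for $TARGET is malformed; remove it from the trust store and re-register." >&2
    exit 3
  fi
fi

REPORT="$AIKDIR/$PUBAIK/report.log"
if [ ! -d "$AIKDIR/$PUBAIK" ]; then
  mkdir "$AIKDIR/$PUBAIK" || exit 1
fi

EXISTS=$(redis-cli --raw -n "$REDIS_TRUST_DB" exists "$PUBAIK")
if [ "${EXISTS:-0}" -eq 0 ]; then
  # No cached verdict: run the quote request; the per-AIK lock serialises
  # concurrent requests for the same machine.
  flock "/var/lock/tpm_request_$PUBAIK" ./lqr.sh "$TARGET" "$PORT" > "$REPORT"
  EXITCODE=$?

  case "$EXITCODE" in
    0) ;;
    2)
      echo "Bad connection"
      exit 2
      ;;
    3)
      echo "The machine is not known to the verifier. Did you register the machine?"
      echo "See the register.sh script."
      exit 3
      ;;
    *)
      echo "The machine cannot be trusted (try again if machine rebooted)"
      exit 1
      ;;
  esac

  {
    echo
    echo "Log generation time :"
    date
    echo "Log TTL :"
    echo "$TTL"
  } >> "$REPORT"

  # This will create an entry valid for $TTL seconds
  redis-cli --raw -n "$REDIS_TRUST_DB" set "$PUBAIK" TRUST EX "$TTL" >/dev/null
fi

# Condense the tail of the report into one CSV row: first field of the first
# line, then the fourth field of lines 3 to 8.  The layout is whatever lqr.sh
# writes; see that script before changing the offsets.
STATS=$(tail -n 13 "$REPORT" | head -n 8)
CSV=$(head -n 1 <<<"$STATS" | cut -d " " -f 1),$(tail -n +3 <<<"$STATS" | cut -d " " -f 4 | paste -sd,)
echo "$CSV" >> ./statistics.csv

cat "$REPORT"

exit 0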