https://github.com/testifysec/go-ima

go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems
https://github.com/testifysec/go-ima

Last synced: about 2 months ago
JSON representation

go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems

• Host: GitHub
• URL: https://github.com/testifysec/go-ima
• Owner: testifysec
• License: mit
• Created: 2021-09-29T05:29:40.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2023-09-28T21:35:31.000Z (over 1 year ago)
• Last Synced: 2024-08-03T00:13:49.926Z (5 months ago)
• Language: Go
• Homepage:
• Size: 16.6 KB
• Stars: 12
• Watchers: 1
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-software-supply-chain-security - testifysec/go-ima: go-ima is a tool that checks if a file has been tampered with. It is useful in ensuring integrity in CI systems

README

        
# go-ima

![goima](https://user-images.githubusercontent.com/6634325/135240204-9f9512fc-07b1-4e31-ac18-f6c5fbfb7d0c.png)

Tool that checks the ima-log to see if a file has been tampered with.

## How to use

1. Set the IMA policy to `tcb` by configuring GRUB  `GRUB_CMDLINE_LINUX="ima_policy=tcb ima_hash=sha256 ima=on"`

2. Compile

3. Grant permissions to read `/sys/kernel/security/integrity/ima/ascii_runtime_measurements`

4. Run

```

./go-ima {file to check}

```

You will get an exit status of `0` if the file has not been modified since inception or boot.  If you get an Exit status of `1` it means the IMA log contains at least one hash that does not match what is on disk.  This could either be the sign of an attack, or somebody just editing files on your build server.

## Limitations

- Support for verifying against PCR register

- Support for different hash schemes