Перекачивать хеш-шаблон ima-of ⇐ Linux

[Гость]

Я пытаюсь пересмотреть хеш-шаблон (ima-ng) в моем журнале событий IMA, но, похоже, я что-то упускаю. Я пробовал весь день, но на самом деле я не вижу, где я ошибаюсь, я бы очень использовал помощь здесь. Шаблон хэш агрегата загрузки) без повезло. < /p>
azureuser@tdx24:~$ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements
10 1ddcc863e454c492100cbcc76c62204b8db350c4 ima-ng sha256:4f9ffcc1525d34d6d029cfea50dfd7e830ad66f6e2d7d3e8a3209921721a0cd3 boot_aggregate
10 65a3a4458c5368168e6625e1ce7bde75c888d450 ima-ng sha256:bd23bde4dff524631fb25d73bb3df9d57a551303b9b4a2e990a6407ec74612b0 /usr/lib/modules/6.8.0-1020-azure/kernel/fs/autofs/autofs4.ko.zst
< /code>
import hashlib
import struct
import re

def compute_template_hash(file_hash_hex, file_path):
# Construct d-ng
hash_alg = b"sha256:\x00" # Fixed: Use bytes directly
file_hash = bytes.fromhex(file_hash_hex)
hash_length = len(hash_alg) + len(file_hash)
d_ng = struct.pack(">I", hash_length) + hash_alg + file_hash

# Debug d-ng (hex and bytes)
print(f"d-ng (hex): {d_ng.hex()}")
print(f"d-ng (bytes): {d_ng}")

# Construct n-ng
file_name_bytes = file_path.encode("utf-8") + b"\x00" # Ensure null terminator is added
file_name_length = len(file_name_bytes)

# Debug file name
print(f"File path (encoded): {file_name_bytes}")
print(f"File path length (including null terminator): {file_name_length}")

n_ng = struct.pack(">I", file_name_length) + file_name_bytes

# Debug n-ng (hex and bytes)
print(f"n-ng (hex): {n_ng.hex()}")
print(f"n-ng (bytes): {n_ng}")

# Combine d-ng and n-ng
combined = d_ng + n_ng

# Debug combined structure
print(f"Combined (hex): {combined.hex()}")
print(f"Combined (bytes): {combined}")

# Compute SHA1
computed_hash = hashlib.sha1(combined).hexdigest()
return computed_hash

# Example log entry
log_entry = "10 65a3a4458c5368168e6625e1ce7bde75c888d450 ima-ng sha256:bd23bde4dff524631fb25d73bb3df9d57a551303b9b4a2e990a6407ec74612b0 /usr/lib/modules/6.8.0-1020-azure/kernel/fs/autofs/autofs4.ko.zst"

# Parse log entry
match = re.match(r"10\s+([a-f0-9]+)\s+ima-ng\s+(\w+):([a-f0-9]+)\s+(.+)$", log_entry)
if match:
template_hash_expected = match.group(1)
file_hash_hex = match.group(3)
file_path = match.group(4)

# Verify path length
print(f"File path length: {len(file_path)} characters")

# Compute template hash
computed_hash = compute_template_hash(file_hash_hex, file_path)
print(f"Expected: {template_hash_expected}")
print(f"Computed: {computed_hash}")
else:
print("Log entry format invalid")

< /code>
File path length: 65 characters
d-ng (hex): 000000287368613235363a00bd23bde4dff524631fb25d73bb3df9d57a551303b9b4a2e990a6407ec74612b0
d-ng (bytes): b'\x00\x00\x00(sha256:\x00\xbd#\xbd\xe4\xdf\xf5$c\x1f\xb2]s\xbb=\xf9\xd5zU\x13\x03\xb9\xb4\xa2\xe9\x90\xa6@~\xc7F\x12\xb0'
File path (encoded): b'/usr/lib/modules/6.8.0-1020-azure/kernel/fs/autofs/autofs4.ko.zst\x00'
File path length (including null terminator): 66
n-ng (hex): 000000422f7573722f6c69622f6d6f64756c65732f362e382e302d313032302d617a7572652f6b65726e656c2f66732f6175746f66732f6175746f6673342e6b6f2e7a737400
n-ng (bytes): b'\x00\x00\x00B/usr/lib/modules/6.8.0-1020-azure/kernel/fs/autofs/autofs4.ko.zst\x00'
Combined (hex): 000000287368613235363a00bd23bde4dff524631fb25d73bb3df9d57a551303b9b4a2e990a6407ec74612b0000000422f7573722f6c69622f6d6f64756c65732f362e382e302d313032302d617a7572652f6b65726e656c2f66732f6175746f66732f6175746f6673342e6b6f2e7a737400
Combined (bytes): b'\x00\x00\x00(sha256:\x00\xbd#\xbd\xe4\xdf\xf5$c\x1f\xb2]s\xbb=\xf9\xd5zU\x13\x03\xb9\xb4\xa2\xe9\x90\xa6@~\xc7F\x12\xb0\x00\x00\x00B/usr/lib/modules/6.8.0-1020-azure/kernel/fs/autofs/autofs4.ko.zst\x00'
Expected: 65a3a4458c5368168e6625e1ce7bde75c888d450
Computed: 1ddae0b6c9e5a88aff55c9fab2b8f18ad0d58728

** Process exited - Return Code: 0 **
Press Enter to exit terminal


Подробнее здесь: https://stackoverflow.com/questions/794 ... plate-hash