4

Say I'm running a server with Ubuntu and an application stack and I want to lock down potential malicious access.

  • Is there some OSS toolchain for disallowing execution of all unsigned binaries on Linux? I'm imagining some toolchain that allows me to sign every binary on the system at some point and then disallow execution of anything that isn't signed from then on.

  • Would there be any benefit to such a system? If standard interpreters like bash and python are present and signed they could allow an attacker with userspace access to read all my data, launch a reverse shell etc.

ezekiel
  • 153
  • 2

1 Answer

0

Integrity Measurement Architecture gives you that. See https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture#Using_digital_signatures_for_immutable_files

It is mostly useless if you keep a powerful interpreter on the system, but a shell wouldn't necessarily qualify (no direct syscalls, for example). So it can be a very good tool to exploit-proof a locked-down system.

Bruno Rohée
  • 5,507
  • 30
  • 41
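
A check that can follow the setup described in the answer above, as an added example that is not part of the original answer: it reads IMA policy text (the kernel can expose the loaded policy at /sys/kernel/security/ima/policy) and reports whether `execve` and executable `mmap` actually require a signature. The function names, status labels and sample policy are constructed for illustration.

```python
# Added example: audits IMA policy text (rule syntax from the kernel's ima_policy ABI).
EXEC_HOOKS = ("BPRM_CHECK", "MMAP_CHECK")   # execve() and mmap(PROT_EXEC)
ALIASES = {"FILE_MMAP": "MMAP_CHECK"}       # older name for the same hook

# Constructed sample policy, not taken from any real system.
SAMPLE_POLICY = """\
# skip pseudo filesystems (procfs, sysfs, tmpfs)
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x01021994
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=FILE_MMAP mask=MAY_EXEC fowner=0
"""

def parse_rule(line):
    """Return (action, {key: value}) or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, *fields = line.split()
    opts = dict(f.partition("=")[::2] for f in fields)
    if "func" in opts:
        opts["func"] = ALIASES.get(opts["func"], opts["func"])
    return action, opts

def audit(policy_text):
    """Classify each exec hook by the first appraise rule that covers it."""
    status = {hook: "missing" for hook in EXEC_HOOKS}
    exemptions = []
    for raw in policy_text.splitlines():
        rule = parse_rule(raw)
        if rule is None:
            continue
        action, opts = rule
        if action == "dont_appraise" and "missing" in status.values():
            exemptions.append(raw.strip())   # evaluated before a later appraise rule
        if action != "appraise":
            continue
        extra = set(opts) - {"func", "mask", "appraise_type"}
        for hook in EXEC_HOOKS:
            # A rule without func= applies to every hook.
            if status[hook] != "missing" or opts.get("func", hook) != hook:
                continue
            if not opts.get("appraise_type", "").startswith("imasig"):
                status[hook] = "hash-accepted"   # a plain hash satisfies the rule
            elif extra:
                status[hook] = "narrowed"        # e.g. fowner= limits coverage
            else:
                status[hook] = "enforced"
    return status, exemptions

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Anything other than `enforced` on both hooks means some executable code can still run without a signature; the returned exemptions list shows which `dont_appraise` rules (here including tmpfs, magic `0x01021994`) are matched first.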