Removing Files Using Linux IMA

I am trying to configure Linux IMA on RHEL using this guide: http://linux-ima.sourceforge.net/linux-ima-content.html-20110907 . I would like to configure the system so that sensitive files of my choice are re-measured when the file has changed (I'm stuck on the section about re-measuring files). My /etc/fstab looks like this:

    UUID=c8dbe0a9-8c0c-4aba-adff-bcf2dd4640da /     ext4 defaults 1 1
    UUID=b1762b74-d517-4293-8b49-cdc06b94d78c /boot ext3 defaults 1 2
    UUID=8c6b8003-7176-4cf4-ae23-a124f8768c36 swap  swap defaults 0 0

When I check the measurement list in /sys/kernel/security/ima/ascii_runtime_measurements, I see only one entry, shown below:

10 3f0d6c1e772444096d975aba704a10e4820eabab ima 7b739f0b35c61d68bd664d352b6631c366aee34f boot_aggregate

I do not see any other measurements, even if I modify some files in /etc/ or perform other actions. Any thoughts on what could be going wrong?

+6
1 answer

You must provide the kernel with an IMA policy.

"ima_tcb" is the default policy; it can be enabled by passing it as a kernel command-line argument (https://sourceforge.net/p/linux-ima/wiki/Home/#controlling-ima).

If you need to specify your own policy, you should write it to <securityfs>/ima/policy (https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy).

+3
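As an added example (not code from the question, the answer, or the linux-ima project), the shell helpers below put the answer into practice: they emit a custom policy in the syntax documented on the linux-ima wiki the answer links to (equivalent to the built-in ima_tcb policy: skip pseudo filesystems, measure every executed or exec-mmapped file and every file root opens for reading), load it into securityfs, and diagnose the symptom in the question, a measurement list that holds only boot_aggregate. The path /sys/kernel/security/ima is assumed (override with IMA_DIR); loading requires root and an IMA-enabled kernel, and older kernels accept a single policy per boot and remove the policy node after it is loaded. Two caveats are worth checking before expecting new entries: IMA measures a file when a policy hook fires on it (exec, mmap, open for read), not when the file is written, so editing something under /etc/ produces no entry until a matching open happens; and re-measuring a changed file on ext3/ext4 with kernels of the guide's era needs the iversion mount option from the guide's re-measuring section, which the fstab in the question does not set, so a has_iversion check on an fstab is included.

```shell
#!/bin/sh
# Added example: not code from the original post or the linux-ima project.
# Assumes securityfs at /sys/kernel/security (override with IMA_DIR).
# Loading a policy needs root and an IMA-enabled kernel; the parsing and
# fstab helpers run anywhere.

IMA_DIR="${IMA_DIR:-/sys/kernel/security/ima}"

# Custom policy in the wiki's syntax, equivalent to the built-in ima_tcb
# policy: the fsmagic rules exclude proc, sysfs, debugfs, tmpfs and
# securityfs; the rest measure every executed file, every file mmap'ed
# executable, and every file opened for read by uid 0.
ima_policy() {
    cat <<'EOF'
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
EOF
}

# Write the policy to the securityfs policy node.  The node is write-only;
# older kernels take exactly one policy per boot and remove the node once
# it is loaded, so a missing node usually means "already loaded".
load_policy() {
    [ "$(id -u)" -eq 0 ] || { echo "load_policy: run as root" >&2; return 1; }
    [ -w "$IMA_DIR/policy" ] || {
        echo "load_policy: $IMA_DIR/policy not writable (IMA off, or policy already loaded)" >&2
        return 1
    }
    ima_policy > "$IMA_DIR/policy"
}

# Count entries in an ascii_runtime_measurements dump.  Each line has five
# fields: PCR, template hash, template name, file hash, path (the question's
# line is the 'ima' template; 'ima-ng' has the same field count).
measurement_count() {
    awk 'NF >= 5 { n++ } END { print n + 0 }' "$1"
}

# The symptom in the question: only boot_aggregate is present, which means
# no policy is active.  Returns 0 (true) when that is the case.
only_boot_aggregate() {
    [ "$(measurement_count "$1")" -eq 1 ] && grep -q ' boot_aggregate$' "$1"
}

# Re-measuring a changed file on ext3/ext4 (kernels of the guide's era)
# needs the iversion mount option.  $1 = fstab path, $2 = mount point.
has_iversion() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)iversion(,|$)/ { found = 1 }
        END { exit !found }' "$1"
}

case "${1:-}" in
    load)
        load_policy ;;
    check)
        f="${2:-$IMA_DIR/ascii_runtime_measurements}"
        if only_boot_aggregate "$f"; then
            echo "only boot_aggregate measured: no IMA policy active (boot with ima_tcb or load one)"
        else
            echo "$(measurement_count "$f") measurement entries in $f"
        fi ;;
    *)
        ima_policy ;;
esac
```

Run `sh ima-policy.sh check` to confirm the question's symptom, then either add `ima_tcb` to the kernel line in the bootloader configuration and reboot, or run `sudo sh ima-policy.sh load` for the custom policy. After that, open a file as root (for example read a file under /etc/) and run the check again; the entry count should grow. Without `iversion` on the filesystem a file edited after its first measurement keeps its old entry, which is the re-measuring problem the question is stuck on.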

Source: https://habr.com/ru/post/1012828/
