On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote:
> Hi Mimi,
>
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
>
> For those of us not really up on IMA and just want to generate the event to
> add to our collection, any tips on doing this?

Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA policy*
containing an audit rule (e.g. audit func=BPRM_CHECK mask=MAY_EXEC).

*Directions below for loading a policy.

> > > Missing INTEGRITY_DATA
> >
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
>
> How would I cause this event to be generated if I wanted to see it?

Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and loading
an IMA policy containing a measurement/appraisal rule (e.g. measure
func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0, audit
func=BPRM_CHECK mask=MAY_EXEC). Both the boot command line options 'ima_tcb'
and 'ima_appraise_tcb' have these rules. Unlabeled filesystems would require
the additional boot command line option 'ima_appraise=fix'.

> > > Missing INTEGRITY_HASH
> >
> > Not used.
>
> OK, I'll mark that deprecated.
>
> > > Missing INTEGRITY_METADATA
> >
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
>
> How to get it?

In addition to the IMA/IMA-appraisal config options, requires CONFIG_EVM=y.
Assuming you've created an EVM key and loaded it, EVM is enabled. (dracut has
an EVM module.) Unlabeled filesystems would require the additional boot
command line option 'ima_evm=fix'.

> > > Missing INTEGRITY_STATUS
> >
> > Errors related to the IMA policy.
>
> How to get it?

Directions for loading a policy: to load a policy or replace the boot command
line 'ima_tcb'/'ima_appraisal_tcb' policies, cat the new policy to
/sys/kernel/security/ima/config. The IMA LTP testsuite has examples.

Mimi

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
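The thread describes IMA policy rules as an action followed by key=value conditions, ties 'audit' rules to INTEGRITY_RULE records and measure/appraise rules to INTEGRITY_DATA records, and names the kernel config options each depends on. The following is an added example, not code from the thread or from the kernel: it parses a policy file in that syntax, rejects malformed lines before anyone cats the file into securityfs, and reports which integrity record types the policy can produce and which config options those need. The action, func and mask vocabularies are assumed to be limited to the names the thread uses plus the fsmagic dont_measure form of the ima_tcb policy; the sample policy is constructed to mirror the rules quoted above. It does not load anything.

```python
"""Parse and sanity-check an IMA policy before loading it (added example)."""
import re

# Vocabulary assumed for this example: the actions, funcs and masks the
# thread mentions, plus fsmagic as used by the ima_tcb dont_measure rules.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"BPRM_CHECK", "FILE_CHECK", "FILE_MMAP", "MODULE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
CONDITION_KEYS = {"func", "mask", "fsmagic", "uid", "fowner"}

# Record type each rule action can produce, as stated in the thread:
# an 'audit' rule emits INTEGRITY_RULE; measure/appraise rules emit
# INTEGRITY_DATA when collecting or appraising file data fails.
RECORD_FOR_ACTION = {
    "audit": "INTEGRITY_RULE",
    "measure": "INTEGRITY_DATA",
    "appraise": "INTEGRITY_DATA",
}

# Kernel config the thread says each record type requires.
CONFIG_FOR_RECORD = {
    "INTEGRITY_RULE": ["CONFIG_INTEGRITY_AUDIT"],
    "INTEGRITY_DATA": ["CONFIG_IMA", "CONFIG_IMA_APPRAISE"],
}

# Constructed sample policy mirroring the rules quoted in the thread.
SAMPLE_POLICY = """\
# constructed sample, not a kernel default
dont_measure fsmagic=0x9fa0
measure func=BPRM_CHECK
measure func=FILE_CHECK mask=MAY_READ uid=0
audit func=BPRM_CHECK mask=MAY_EXEC
"""


def parse_rule(line):
    """Return (action, {key: value}) for one rule; raise ValueError on bad syntax."""
    tokens = line.split()
    action, conds = tokens[0], {}
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for tok in tokens[1:]:
        m = re.fullmatch(r"([a-z]+)=(\S+)", tok)
        if not m or m.group(1) not in CONDITION_KEYS:
            raise ValueError(f"bad condition {tok!r}")
        key, val = m.groups()
        if key == "func" and val not in FUNCS:
            raise ValueError(f"unknown func {val!r}")
        if key == "mask" and val not in MASKS:
            raise ValueError(f"unknown mask {val!r}")
        if key in ("uid", "fowner") and not val.isdigit():
            raise ValueError(f"{key} must be numeric, got {val!r}")
        if key == "fsmagic":
            int(val, 16)  # raises ValueError if not a hex magic number
        conds[key] = val
    return action, conds


def check_policy(text):
    """Parse a whole policy; return (rules, errors) instead of stopping at the first fault."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return rules, errors


def expected_records(rules):
    """Integrity audit record types this policy can produce."""
    return {RECORD_FOR_ACTION[a] for a, _ in rules if a in RECORD_FOR_ACTION}


def required_configs(rules):
    """Kernel config options needed for those records to appear at all."""
    return sorted({c for r in expected_records(rules) for c in CONFIG_FOR_RECORD[r]})


if __name__ == "__main__":
    rules, errors = check_policy(SAMPLE_POLICY)
    for err in errors:
        print("REJECT", err)
    if not errors:
        print("records:", ", ".join(sorted(expected_records(rules))))
        print("needs:", ", ".join(required_configs(rules)))
```

Run it against a real policy file by passing the file's contents to check_policy; an empty error list is the point at which catting the file into the securityfs path named in the thread makes sense.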