On Wed, 2017-07-12 at 10:35 -0400, Bruce Fields wrote: > On Wed, Jul 12, 2017 at 08:20:21AM -0400, Mimi Zohar wrote: > > Right, currently the only way of knowing is by looking at the IMA > > measurement list to see if modified files are re-measured or, as you > > said, by looking at the code. > > Who's actually using this, and do they do any kind of checks, or > document the filesystem-specific limitations?
Knowing who is using it and how it is being used is the big question. I only hear about it when there are problems. Over the years, there have been a number of Linux Security Summit (LSS) talks, which have been mostly about embedded systems or locked down systems, not so much for generic systems. Examples include: - Design and Implementation of a Security Architecture for Critical Infrastructure Industrial Control Systems - David Safford, GE 2016 - IMA/EVM: Real Applications for Embedded Networking Systems - Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks 2015 - CC3: An Identity Attested Linux Security Supervisor Architecture - Greg Wettstein, IDfusion 2015 - The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment - Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland 2012 Mimi
