From: Mimi Z. <zo...@li...> - 2010-08-18 22:04:50
On Wed, 2010-08-18 at 16:21 +0200, Nicolai Kuntze wrote:
> Dear all,
>
> within an ongoing research project we have the need to measure specific
> files like configuration files or disk images. Up to now we are using
> the /ima/measurereq file to announce the measurement.
>
> Due to performance restrictions we are not able to move to the
> measurement of all files accessed by a certain user. Unfortunately, I
> cannot see how to model the measurement of a set of specific files in
> the given policy language.
>
> Is there an example available?
>
> Best regards,
> Nicolai

The default measurement policy, which measures everything that could affect the TCB, can be constrained or replaced with one based on LSM labels. For example, with an SELinux targeted policy, you could define a rule like 'measure obj_type=etc_t' to measure configuration files and the equivalent for VMs. Or with Smack, you probably could define a new label that is equivalent to floor '_'. Write 'security.smack' with the new label on those files you're interested in measuring. Of course, you'd also need some mechanism to label new files as they're created.

Mimi
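To make the label-based rule concrete, here is an added example (my own code, not from the mail above or from the IMA tree): it builds a policy that measures only files carrying chosen SELinux types, and parses every rule back to catch typos before the text is handed to the kernel. The `measure func=... mask=... obj_type=...` rule shape is IMA's; the `virt_image_t` type for VM disk images and the table of accepted keys and values are my assumptions.

```python
import re

# IMA policy rules, as written to the securityfs 'policy' file, are an action
# followed by key=value conditions. This checker only knows the subset of keys
# and values needed here; the kernel accepts more (e.g. fsmagic=, uid=), which
# parse_rule() below would reject, so extend the tables if you use them.
ACTIONS = {"measure", "dont_measure"}
FUNCS = {"FILE_CHECK", "FILE_MMAP", "BPRM_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
LSM_KEYS = {"obj_user", "obj_role", "obj_type",
            "subj_user", "subj_role", "subj_type"}
# Conservative shape for an SELinux type (or Smack label) used in a rule.
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.:-]*$")


def label_rule(obj_type, func="FILE_CHECK", mask="MAY_READ"):
    """Build one 'measure' rule restricted to files carrying an LSM label."""
    if not LABEL_RE.match(obj_type):
        raise ValueError("unusable label: %r" % obj_type)
    return "measure func=%s mask=%s obj_type=%s" % (func, mask, obj_type)


def parse_rule(line):
    """Split a rule into (action, {key: value}); ValueError if malformed."""
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError("unknown action in %r" % line)
    conds = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or not value or key in conds:
            raise ValueError("bad or duplicate condition %r" % tok)
        if (key == "func" and value in FUNCS) or (key == "mask" and value in MASKS):
            pass  # recognised IMA hook / access mask
        elif key in LSM_KEYS and LABEL_RE.match(value):
            pass  # LSM-label condition, e.g. obj_type=etc_t
        else:
            raise ValueError("unsupported condition %r" % tok)
        conds[key] = value
    return tokens[0], conds


def build_policy(obj_types):
    """Policy text measuring only files of the given labels, one rule each."""
    lines = [label_rule(t) for t in obj_types]
    for line in lines:  # round-trip every rule before anything is loaded
        parse_rule(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 'etc_t' comes from the mail; 'virt_image_t' is an assumed VM image type.
    print(build_policy(["etc_t", "virt_image_t"]), end="")
```

On a kernel with IMA enabled the resulting text is what gets written to the policy file under securityfs; the local parse is only there to reject a malformed rule before the kernel does.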