From: Nicolai K. <nic...@si...> - 2010-08-19 13:05:49
Mimi Zohar wrote:
> On Wed, 2010-08-18 at 16:21 +0200, Nicolai Kuntze wrote:
>> Dear all,
>>
>> within an ongoing research project we have the need to measure specific
>> files like configuration files or disk images. Up to now we are using
>> the /ima/measurereq file to announce the measurement.
>>
>> Due to performance restrictions we are not able to move to the
>> measurement of all files accessed by a certain user. Unfortunately, I
>> can not see how to model the measurement of a set of specific files in
>> the given policy language.
>>
>> Is there an example available?
>>
>> Best regards,
>> Nicolai
>
> The default measurement policy, which measures everything that could
> affect the TCB, can be constrained or replaced with one based on LSM
> labels.
>
> For example, with an SELinux targeted policy, you could define a rule
> like 'measure obj_type=etc_t' to measure configuration files and the
> equivalent for VMs.
>
> Or with Smack, you probably could define a new label that is equivalent
> to floor '_'. Write 'security.smack' with the new label on those files
> you're interested in measuring. Of course, you'd also need some
> mechanism to label new files as they're created.
>
> Mimi
>

Thank you for your quick answer. Could you provide a short
demonstration using the IMA policies with LSM policies? It would help us a
lot to see good examples to get a better understanding of the policy
system.

Nicolai
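
The rule form quoted in the reply above ('measure obj_type=etc_t'), turned into a small policy generator and loader. This is an added example, not part of the thread and not code from the IMA project. The function names are hypothetical, and `virt_image_t` as the label on VM disk images is an assumption to check against the local SELinux policy.

```shell
#!/bin/sh
# Added example, not from the thread. Type names are the caller's assumption;
# confirm the labels on the target files with `ls -Z` before using them.

# Print one rule of the form quoted in the reply ('measure obj_type=etc_t')
# for each SELinux object type given. Nothing is printed if any name is
# malformed; repeated names produce a single rule.
ima_rules_for_types() {
    for t in "$@"; do
        case "$t" in
            ''|*[!A-Za-z0-9_]*)
                echo "invalid SELinux type: '$t'" >&2
                return 1 ;;
        esac
    done
    seen=" "
    for t in "$@"; do
        case "$seen" in
            *" $t "*) continue ;;          # duplicate, already emitted
        esac
        seen="$seen$t "
        printf 'measure obj_type=%s\n' "$t"
    done
}

# Copy a rule file to the IMA policy interface, skipping blank lines and
# '#' comments. The target is opened once for the whole loop.
# $1 = rule file
# $2 = target; defaults to the securityfs policy file, which needs root and
#      a kernel built with IMA and the LSM whose labels the rules name.
ima_load_policy() {
    target=${2:-/sys/kernel/security/ima/policy}
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    while IFS= read -r rule; do
        case "$rule" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$rule"
    done < "$1" > "$target"
}
```

Typical use is `ima_rules_for_types etc_t virt_image_t > rules` followed by `ima_load_policy rules` as root; passing a second argument redirects the load to an ordinary file for a dry run.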