Re: [Linux-ima-user] SML contains numbers in the filename-hint

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, 2011-04-08 at 11:27 +0800, Sohail Khan wrote:
> Hi,
> 
> The measurement list shows numbers in the filename-hint. Some
> measurements are given below. Can anyone specify what are these
> numbers and what should I do if I don't want to measure whatever the
> numbers represent?
> 
> I've comment out the BPRM_CHECK & the FILE_CHECK but again getting
> these numbers. The Kernel version is 2.6.30.
> 
> ---------------------------------------------------------
> 10 1508a15636cdbce65789204533e16308d7318b9f ima
> 10b3c3c4461920e3823e0190168f5a6134c78acc libswt-gnome-gtk-3659.so
> 10 d8283931375705ce28a09e2e300b033c2de46eae ima
> 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6450
> 10 a51b159cce6296eddcc40c5046f513829a87de96 ima
> 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6468
> 10 cdc372dce5550ce20dceffd46c809e0b5ac612b5 ima
> 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6485
> 10 fdc01dac5eaedf77599667109078e2409bc9670e ima
> 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6502
> 10 bf2bb4bb74175a793cda379617371fc8a6b6adca ima
> ceb7eb4c7d34ebcbaa0837e70bf6b7d5603ecc5a firefox
> 10 23088bdc778e63ac862c9d218f246941bd84d0e5 ima
> ad918da9521707e09f2188696e8412e420ad974a libsqlite3.so
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> Thanks.

Identifying records in the measurement list is a known issue, which will
be addressed by 'templates'.  Two new templates are being defined,
ima-ng and ima-nglong, containing additional 'hint' information.  For
more details on templates, refer to
http://sourceforge.net/mailarchive/message.php?msg_id=25460938. 

Controlling which files to measure, or not, is specified in the IMA
measurement policy.  Refer to Documentation/ABI/testing/ima_policy of
the specific kernel. (Changes are backwards compatible, but not forward
compatible. FILE_CHECK, for example, was previously called PATH_CHECK.)

As IMA was first enabled in 2.6.30 and has gone through numerous changes
since, how about upgrading to something a bit newer?

thanks,

Mimi