From: Mimi Z. <zo...@li...> - 2012-02-13 03:38:33
On Sun, 2012-02-12 at 16:52 -0800, Peter Moody wrote:
> On Sun, Feb 12, 2012 at 4:42 PM, Mimi Zohar <zo...@li...> wrote:
> > On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
> >> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
> >> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
> >> >> I'm probably missing something obvious, but I'm interested in getting
> >> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
> >> >> into syslog. Is there an easy way to do this or do I have to write
> >> >> something to do it manually?
> >> >
> >> > The measurements are currently only added to the measurement list. With
> >> > IMA-appraisal, invalid measurements are audited.
> >>
> >> Is auditing the measurements something that you would consider
> >> worthwhile or if I want to do this should I find some syslog-y way of
> >> tailing the measurements file and sending them to syslog myself?
> >
> > The IMA measurement list is meant for remote attestation and would be
> > included in the TPM quote. Could you please explain why you'd want
> > these measurements written to syslog?
>
> I'd like to see the measurements on my central log-catcher(s).

I kind of got that, but I'm asking why would you want all these
measurements cluttering syslog? You do realize the default policy
measures all executable files, all files mmaped executable and all files
opened by root?

If you're only interested in recording the existing measurements at a
specific point in time, then redirect the output.

If by "getting the contents of
/sys/kernel/security/ima/ascii_runtime_measurements into syslog", you
mean logging the measurements to syslog as they're added to the
measurement list, then you'll have to modify ima_store_template().

Mimi
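
The user-space alternative raised in this thread (polling the measurement list and sending only entries not yet forwarded to syslog), as an added example that is not part of the original message or of the IMA code. It assumes the five-field `ima` template line layout, util-linux `logger`, and a hypothetical state file under `/run`; the function name and the `--forward` switch are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: forward new IMA measurements to syslog.
# Assumed entry layout (original "ima" template):
#   <pcr> <template-hash> <template-name> <file-hash> <path>
IMA_LIST=${IMA_LIST:-/sys/kernel/security/ima/ascii_runtime_measurements}
# Hypothetical state file; /run is tmpfs, so the count resets with the list at boot.
IMA_STATE=${IMA_STATE:-/run/ima-syslog.count}

# Print entries not yet forwarded as key=value lines, then record how many
# entries have been seen. Usage: ima_new_entries <list-file> <state-file>
ima_new_entries() {
    list=$1 state=$2 seen=0
    if [ -r "$state" ]; then read -r seen < "$state" || seen=0; fi
    awk -v seen="${seen:-0}" -v state="$state" '
        { line[NR] = $0 }
        END {
            # The list only grows within a boot; fewer entries than recorded
            # means the state is stale, so start again from the first entry.
            if (NR < seen) seen = 0
            for (i = seen + 1; i <= NR; i++) {
                n = split(line[i], f, " ")
                if (n < 5) continue          # skip malformed lines
                path = line[i]               # keep spaces inside the path
                sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
                printf "pcr=%s template=%s template_hash=%s file_hash=%s file=\"%s\"\n", \
                    f[1], f[3], f[2], f[4], path
            }
            print NR > state
        }' "$list"
}

# Run periodically (cron or a timer) as: ./ima-to-syslog.sh --forward
if [ "${1:-}" = "--forward" ]; then
    ima_new_entries "$IMA_LIST" "$IMA_STATE" | logger -t ima -p auth.info
fi
```

Entries added between polls are picked up on the next run; nothing is logged at the moment of measurement, which is the case that needs the kernel change to ima_store_template() described above.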