From: Peter M. <pm...@go...> - 2012-02-13 05:22:18
On Sun, Feb 12, 2012 at 7:34 PM, Mimi Zohar <zo...@li...> wrote:
> On Sun, 2012-02-12 at 16:52 -0800, Peter Moody wrote:
>> On Sun, Feb 12, 2012 at 4:42 PM, Mimi Zohar <zo...@li...> wrote:
>> > On Sun, 2012-02-12 at 10:40 -0800, Peter Moody wrote:
>> >> On Sat, Feb 11, 2012 at 4:05 PM, Mimi Zohar <zo...@li...> wrote:
>> >> > On Fri, 2012-02-10 at 10:02 -0800, Peter Moody wrote:
>> >> >> I'm probably missing something obvious, but I'm interested in getting
>> >> >> the contents of /sys/kernel/security/ima/ascii_runtime_measurements
>> >> >> into syslog. Is there an easy way to do this or do I have to write
>> >> >> something to do it manually?
>> >> >
>> >> > The measurements are currently only added to the measurement list. With
>> >> > IMA-appraisal, invalid measurements are audited.
>> >>
>> >> Is auditing the measurements something that you would consider
>> >> worthwhile or if I want to do this should I find some syslog-y way of
>> >> tailing the measurements file and sending them to syslog myself?
>> >
>> > The IMA measurement list is meant for remote attestation and would be
>> > included in the TPM quote. Could you please explain why you'd want
>> > these measurements written to syslog?
>>
>> I'd like to see the measurements on my central log-catcher(s).
>
> I kind of got that, but I'm asking why would you want all these
> measurements cluttering syslog? You do realize the default policy
> measures all executable files, all files mmaped executable and all files
> opened by root?
>
> If you're only interested in recording the existing measurements at a
> specific point in time, then redirect the output. If by "getting the
> contents of /sys/kernel/security/ima/ascii_runtime_measurements into
> syslog", you mean logging the measurements to syslog as they're added to
> the measurement list, then you'll have to modify ima_store_template().

Thanks!

Cheers,
peter

> Mimi
>

-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
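
A user-space take on the "tail the measurements file and send them to syslog" option discussed in this thread, as an added example that is not code from either poster or from the IMA project. It assumes the five-field "ima" template layout (PCR, template hash, template name, file hash, path); the function names, the "ima-forward" ident, the sample entries and the 5-second poll are hypothetical.

```python
import syslog
import time

# Path from the thread; reading it needs root and a mounted securityfs.
IMA_LOG = "/sys/kernel/security/ima/ascii_runtime_measurements"

# Constructed sample entries (made-up hashes) in the assumed five-field layout.
SAMPLE = [
    "10 " + "1a" * 20 + " ima " + "2b" * 20 + " boot_aggregate\n",
    "10 " + "3c" * 20 + " ima " + "4d" * 20 + " /sbin/init\n",
    "10 " + "5e" * 20 + " ima " + "6f" * 20 + " /tmp/a b\x1b[2J\n",
]

def parse_measurement(line):
    """Return (pcr, template_hash, template, file_hash, path) or None.
    The path comes last and may contain spaces, so split at most 4 times."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    return tuple(parts)

def format_entry(entry):
    """Build one syslog message; escape control and non-ASCII characters in
    the path so a crafted file name cannot corrupt or forge log lines."""
    pcr, _template_hash, template, file_hash, path = entry
    safe = path.encode("unicode_escape").decode("ascii")
    return "ima: pcr=%s template=%s hash=%s path=%s" % (pcr, template, file_hash, safe)

def forward_new(path, sent, emit):
    """Re-read the whole list on each poll, emit only the entries after the
    first `sent` lines, and return the updated count of lines handled."""
    with open(path, newline="\n", errors="backslashreplace") as f:
        lines = f.readlines()
    for line in lines[sent:]:
        entry = parse_measurement(line)
        if entry:
            emit(format_entry(entry))
    return max(sent, len(lines))

if __name__ == "__main__":
    syslog.openlog("ima-forward", 0, syslog.LOG_AUTH)
    sent = 0  # kept in memory only: restarting the forwarder re-sends the list
    while True:
        sent = forward_new(IMA_LOG, sent, lambda m: syslog.syslog(syslog.LOG_INFO, m))
        time.sleep(5)  # assumed polling interval
```

Entries added between polls arrive late, and anything measured before the forwarder starts is sent in one burst, which is the volume concern raised in the reply above.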