From: Kasatkin, D. <dmi...@in...> - 2012-06-15 10:25:41

actually here is a diff

http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blobdiff;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hp=21e96bf188dfcc12ff3b05226f3c7d83521dbc2b;hb=da64aee677a578a2ac66f641737fdc74e9259418;hpb=8e88fb141c9596e5efc1b72168c51484875ac5c2

On Fri, Jun 15, 2012 at 1:23 PM, Kasatkin, Dmitry <dmi...@in...> wrote:
> Hello,
>
> Actually in my tree there is a patch to show full path.
> It does reverse path walk.
>
> http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blob;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hb=da64aee677a578a2ac66f641737fdc74e9259418
>
> - Dmitry
>
>
> On Fri, Jun 15, 2012 at 11:17 AM, Jordi Cucurull Juan
> <jor...@sc...> wrote:
>> Hi Mimi and Andrew,
>>
>> Mimi, what was the reason to forbid the use of d_path()? Maybe too much
>> system information on the list? Is it a kernel developers' decision?
>>
>> Andrew, the approach you follow is fine, but still does not allow one to
>> know if a file with non-matching hash and matching filename is a newly
>> created file or a modified one. In order to check it you should manually
>> search for all the files with the given filename and calculate their hash.
>>
>> Thanks for your answers!
>> Jordi.
>>
>>
>> On 06/15/2012 08:41 AM, Lunn Andrew RUAG D wrote:
>>> From: Jordi Cucurull Juan [jor...@sc...]
>>> Sent: 13 June 2012 14:32
>>> To: lin...@li...
>>> Subject: [Linux-ima-user] Measurement list and path of measured files
>>>
>>> Dear all,
>>>
>>> Recently I have started looking at IMA to explore the possibilities that
>>> it offers. I have a question regarding the measurement list and the
>>> files measured.
>>>
>>> The point is that it does not seem possible to uniquely identify a file
>>> with the information in the field "file-hint". The absolute path of the
>>> file is not always available, hence in many cases several entries with
>>> the same file name will appear. This makes it impossible to distinguish if
>>> two entries with the same file-hint value correspond to two different
>>> files in the file system or to a file that has been modified.
>>>
>>> Is it possible to include the file name with the complete absolute path
>>> in the measurement list? If not, is there a reason for it? (maybe memory
>>> used by the list?)
>>>
>>> Thanks and best regards,
>>> Jordi.
>>> _______________________________________________
>>>
>>>
>>> Hi Jordi
>>>
>>> It is a bit annoying not having the path. So I process the IMA list the other
>>> way around. I find matches on the hash in my known good database. For
>>> hash matches I then check if there is a tail match between the filename hint in the
>>> IMA and the corresponding entry in the known good database.
>>>
>>> Andrew
>>
>>
>> --
>> Jordi Cucurull Juan
>> Researcher
>> Scytl Secure Electronic Voting
>> Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
>> jor...@sc...
>> http://www.scytl.com
>>
>> NOTICE: The information in this e-mail and in any of its attachments is confidential and intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, any disclosure, copying, distribution or retaining of this message or any part of it, without the prior written consent of Scytl Secure Electronic Voting, SA is prohibited and may be unlawful. If you have received this in error, please contact the sender and delete the material from any computer.
>>
>> Your data are in a file owned by Scytl Secure Electronic Voting, S.A. You can exercise your rights of access, rectification, cancellation and opposition by contacting Scytl Secure Electronic Voting, S.A. at the following address: Gal·la Placídia, 1-3. 1st, 08006 Barcelona (Spain), according to the Organic Law 15/1999, of 13th December of Protection of Personal Data.
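The hash-first lookup with a tail match on the file hint that Andrew describes, together with the unknown-hash case Jordi raises, as an added example that is not part of the original thread. It assumes the five-field `ima` template line layout (PCR, template hash, template name, file hash, file hint); the sample entries, the known-good database and all function names are constructed for illustration.

```python
"""Hash-first matching of IMA measurement entries against a known-good database."""

def _line(n, digest_char, hint):
    # Constructed entry: PCR, template-hash, template-name, file-hash, file-hint
    return "10 %s ima %s %s" % (str(n) * 40, digest_char * 40, hint)

# Constructed measurement list (placeholder digests, not real hashes).
SAMPLE_LIST = "\n".join([
    _line(1, "a", "/bin/ls"),
    _line(2, "b", "libfoo.so"),
    _line(3, "c", "libfoo.so"),   # known name, unknown content
    _line(4, "a", "renamed"),     # known content, unexpected name
])

# Constructed known-good database: file hash -> absolute paths with that content.
KNOWN_GOOD = {
    "a" * 40: {"/bin/ls"},
    "b" * 40: {"/usr/lib/libfoo.so"},
    "d" * 40: {"/opt/app/lib/libfoo.so"},
}

def parse_line(line):
    """Return (file_hash, hint); the hint is the last field and may contain spaces."""
    _pcr, _template_hash, _template, file_hash, hint = line.split(None, 4)
    return file_hash.lower(), hint

def tail_match(path, hint):
    """Absolute hints must equal the path; bare names must match a path tail at '/'."""
    if hint.startswith("/"):
        return path == hint
    return path.endswith("/" + hint)

def classify(measurements, known_good):
    results = []
    for line in measurements.splitlines():
        if not line.strip():
            continue
        file_hash, hint = parse_line(line)
        paths = known_good.get(file_hash)
        if paths is None:
            # Unknown content: same-named known files are only candidates. The list
            # alone cannot tell a modified file from a new file with that name.
            cands = sorted(p for ps in known_good.values() for p in ps if tail_match(p, hint))
            results.append((hint, "unknown-hash", cands))
        else:
            hits = sorted(p for p in paths if tail_match(p, hint))
            results.append((hint, "ok" if hits else "hash-only", hits or sorted(paths)))
    return results

if __name__ == "__main__":
    for hint, status, paths in classify(SAMPLE_LIST, KNOWN_GOOD):
        print("%-12s %-13s %s" % (hint, status, ", ".join(paths)))
```

For the `unknown-hash` entry the candidate list names every known file with that name, which is the manual search Jordi describes: each candidate has to be re-hashed on disk to decide between a modified file and a new one.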