From: Lunn A. R. D <And...@ru...> - 2012-06-15 06:54:08
From: Jordi Cucurull Juan [jor...@sc...]
Sent: 13 June 2012 14:32
To: lin...@li...
Subject: [Linux-ima-user] Measurement list and path of measured files
Dear all,

Recently I have started looking at IMA to explore the possibilities that
it offers. I have a question regarding the measurement list and the
files measured.

The point is that it does not seem possible to uniquely identify a file
with the information in the field "file-hint". The absolute path of the
file is not always available, hence in many cases several entries with
the same file name will appear. This makes it impossible to distinguish
whether two entries with the same file-hint value correspond to two different
files in the file system or to a file that has been modified.

Is it possible to include the file name with the complete absolute path
in the measurement list? If not, is there a reason for it? (maybe memory
used by the list?)

Thanks and best regards,
Jordi.
Hi Jordi,

It is a bit annoying not having the path. So I process the IMA list the other
way around. I find matches on the hash in my known good database. For
hash matches I then check if there is a tail match between the filename hint in the
IMA entry and the corresponding entry in the known good database.

Andrew
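The hash-first, then tail-match approach Andrew describes, written out as an added example (this is not code from the thread or from the IMA project). It parses lines in the shape of the kernel's ascii_runtime_measurements file for both the legacy "ima" template (PCR, template hash, template name, file data hash, file hint) and the "ima-ng" template (which prefixes the file data hash with its algorithm). The sample measurement lines and the known-good table are constructed for the example; the hashes are obviously fake. A "tail match" is taken to mean that the path components of the hint are a suffix of the known-good path's components, so a bare hint like "config" matches "/etc/ssh/config" but a partial name like "onfig" does not.

```python
"""Cross-check an IMA measurement list against a known-good hash database.

Added example: hash lookup first, then a tail match on the file hint,
which is the workaround described in the reply above.
"""

# Constructed sample in the format of
# /sys/kernel/security/ima/ascii_runtime_measurements (fake hashes).
#   legacy "ima":  PCR template-hash ima    filedata-hash file-hint
#   "ima-ng":      PCR template-hash ima-ng algo:filedata-hash file-hint
SAMPLE_MEASUREMENTS = """\
10 1111111111111111111111111111111111111111 ima 2222222222222222222222222222222222222222 ld.so.cache
10 3333333333333333333333333333333333333333 ima 4444444444444444444444444444444444444444 config
10 5555555555555555555555555555555555555555 ima-ng sha1:6666666666666666666666666666666666666666 /usr/bin/python
10 7777777777777777777777777777777777777777 ima 8888888888888888888888888888888888888888 config
10 9999999999999999999999999999999999999999 ima 2222222222222222222222222222222222222222 passwd
"""

# Constructed known-good table: filedata hash -> absolute paths that content
# was recorded at. One hash may legitimately map to several paths.
KNOWN_GOOD = {
    "2222222222222222222222222222222222222222": ["/etc/ld.so.cache"],
    "4444444444444444444444444444444444444444": ["/etc/ssh/config"],
    "6666666666666666666666666666666666666666": ["/usr/bin/python"],
}


def parse_measurement_line(line):
    """Split one measurement line into its fields; None for blank/short lines."""
    fields = line.split(None, 4)  # the hint is the remainder and may contain spaces
    if len(fields) < 5:
        return None
    pcr, template_hash, template, filedata, hint = fields
    if template == "ima-ng" and ":" in filedata:
        filedata = filedata.split(":", 1)[1]  # drop the "sha1:"/"sha256:" prefix
    return {
        "pcr": int(pcr),
        "template_hash": template_hash,
        "template": template,
        "hash": filedata,
        "hint": hint,
    }


def tail_match(hint, known_path):
    """True if the hint's path components are a suffix of known_path's components."""
    hint_parts = [c for c in hint.split("/") if c]
    known_parts = [c for c in known_path.split("/") if c]
    if not hint_parts or len(hint_parts) > len(known_parts):
        return False
    return known_parts[-len(hint_parts):] == hint_parts


def check_entry(entry, known_good):
    """Classify one entry: ('match', paths) | ('unknown_hash', []) |
    ('hash_known_name_mismatch', candidate_paths)."""
    paths = known_good.get(entry["hash"])
    if paths is None:
        # Content never seen: a modified file or one missing from the database.
        return ("unknown_hash", [])
    matched = [p for p in paths if tail_match(entry["hint"], p)]
    if matched:
        return ("match", matched)
    # Known content measured under an unexpected name: worth a closer look.
    return ("hash_known_name_mismatch", list(paths))


def check_measurement_list(text, known_good):
    """Return (hint, hash, verdict, paths) for every parsable measurement line."""
    results = []
    for line in text.splitlines():
        entry = parse_measurement_line(line)
        if entry is None:
            continue
        verdict, paths = check_entry(entry, known_good)
        results.append((entry["hint"], entry["hash"], verdict, paths))
    return results


if __name__ == "__main__":
    for hint, digest, verdict, paths in check_measurement_list(SAMPLE_MEASUREMENTS, KNOWN_GOOD):
        print(f"{verdict:26} {hint:20} {digest[:8]}... {paths}")
```

Note that two entries with the same hint and different hashes ("config" above) still cannot be told apart by name alone; the database answers the question for the first (its content is known at /etc/ssh/config) and the second simply falls out as unknown content, which is the best this approach can do without the full path in the list.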