From: Mimi Z. <zo...@li...> - 2014-01-15 15:07:59
On Wed, 2014-01-15 at 19:42 +0530, Rishi Gandhi wrote:
> I have used initial patches of IMA to make it available in linux kernel
> 2.6.18.
> And in kernel code I changed it to print full path of bprm filename and the
> measurement value is as below :
> 10 37dd365996374e967a6568854166722750e368e0 ima* 9eb30c85c49cc1a4fa85976c707769c65d473800 /init*
> 10 2f6264d10a16e4bf553d5754bb53c29226d5de24 ima* eaaf413b06cd215b1b1f85c9ccb3d31c23fefa88 /init*
> 10 fd218befcddfa26dcadcb9b6e5a1efc1d69f1293 ima* 74772a232661bb3ecb37d403416c848bcc170949 /sbin/init*

Understanding the source of the measurements has been a problem. The measurements are a fixed format, containing a sha1 hash of the file and the filename. Linux-3.13, when released, will have support for a new, more flexible template architecture, which will allow additional file metadata to be included. Linux-3.7 added the option of audit logging the measurements with additional file metadata. Instead of backporting all of it, you might try just calling ima_audit_measurement() directly for each measurement.

thanks,

Mimi
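The fixed-format entries discussed in this message, as an added example (not code from the thread or from the IMA project): a parser for `PCR template-hash ima file-hash file-name` lines that recomputes each template hash and lists names recorded with more than one file hash. It assumes the original `ima` template layout (SHA-1 over the 20-byte file digest followed by the name NUL-padded to 256 bytes); all function names are hypothetical and the sample entries are constructed.

```python
import hashlib
from collections import defaultdict

NAME_FIELD_LEN = 256  # assumed: IMA_EVENT_NAME_LEN_MAX + 1 in the original "ima" template

def template_hash(file_hash_hex, name):
    """SHA-1 over the 20-byte file digest plus the NUL-padded name field."""
    data = bytes.fromhex(file_hash_hex) + name.encode().ljust(NAME_FIELD_LEN, b"\0")
    return hashlib.sha1(data).hexdigest()

def parse_line(line):
    """Split 'PCR template-hash template-name file-hash file-name' into a dict."""
    pcr, tmpl_hash, tmpl_name, file_hash, name = line.split(None, 4)
    if tmpl_name != "ima" or len(tmpl_hash) != 40 or len(file_hash) != 40:
        raise ValueError("not a fixed-format 'ima' entry: %r" % line)
    return {"pcr": int(pcr), "template_hash": tmpl_hash.lower(),
            "file_hash": file_hash.lower(), "name": name.rstrip("\n")}

def analyse(lines):
    """Return (entries with a wrong template hash, names seen with >1 file hash)."""
    bad, by_name = [], defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if template_hash(e["file_hash"], e["name"]) != e["template_hash"]:
            bad.append(e)
        by_name[e["name"]].add(e["file_hash"])
    ambiguous = {n: sorted(h) for n, h in by_name.items() if len(h) > 1}
    return bad, ambiguous

def make_line(content, name):
    """Build one well-formed entry; used only for the constructed sample."""
    fh = hashlib.sha1(content).hexdigest()
    return "10 %s ima %s %s" % (template_hash(fh, name), fh, name)

SAMPLE = [  # constructed entries, not taken from a real system
    make_line(b"initramfs init script", "/init"),
    make_line(b"a different file also logged as /init", "/init"),
    make_line(b"sbin init binary", "/sbin/init"),
    # name edited after the entry was built, so the template hash no longer matches
    make_line(b"ls binary", "/bin/ls").replace("/bin/ls", "/tmp/ls"),
]

if __name__ == "__main__":
    bad, ambiguous = analyse(SAMPLE)
    for e in bad:
        print("template hash mismatch:", e["name"])
    for name, hashes in ambiguous.items():
        print("same name, different contents:", name, hashes)
```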