From: Mimi Z. <zo...@li...> - 2014-02-21 19:33:24
On Fri, 2014-02-21 at 10:12 -0500, Olga Chen wrote:
> Hello everyone.
> I apologize in advance for a newbie question.
>
> I have a RHEL 6 machine, and I am currently looking to replace tripwire
> with IMA, so I have some questions.
> My goal is to have local integrity verification (and notification of
> failure to verify) for a certain number of files plus anything that is part
> of the default IMA policy is OK too.

So, the first thing you'll need to do is define a policy. Both measuring and appraising files are policy based. The new wiki ima-policy-examples section contains a few basic policies. [Side note: anyone using IMA/IMA-appraisal, please consider posting the policy here for others.]

> I am not interested in remote attestation.

Ok

> I've been reading the Linux-IMA wiki, and it looks like I would need to
> have IMA, IMA-Appraisal, and IMA-EVM enabled to achieve this. The last two
> will require me to recompile the kernel.
> Does this sound right to everyone? Am I enabling the right things?
> I would really appreciate any feedback/suggestions.

To enforce local file integrity requires enabling just IMA-appraisal and, probably, EVM.

Mimi
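
As an illustration of what an appraisal policy looks like (an added example, not part of the message above and not copied from the wiki section it mentions): the rules below use the kernel's documented IMA policy syntax and assume the files to protect are the root-owned ones. A policy is loaded by writing it to `/sys/kernel/security/ima/policy`.

```text
# Constructed example policy: appraise root-owned files, skip pseudo-filesystems.
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
# BINFMTFS_MAGIC
dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
# SELINUX_MAGIC
dont_appraise fsmagic=0xf97cff8c
# Everything else owned by root must carry a valid security.ima xattr
appraise fowner=0
```

Rules are evaluated in order and the first match wins, so the `dont_appraise` exclusions have to come before the final `appraise` rule.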