Re: [Linux-ima-user] question about IMA-Appraisal

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Tue, 2014-12-30 at 17:50 +0800, jiangdahui wrote: 
> hi all:

> how to verify IMA-Appraisal's effect?change a executable file?but I find
> it can still run normally? or observe the "security.evm" attr? how?

IMA-appraisal enforces local file integrity based on policy (eg.
ima_appraise_tcb).  The "good" integrity values are stored as extended
attributes (xattr), which are compared with the runtime values.  Before
enabling IMA-appraisal, the file system must be labeled.

Refer to the linux-ima wiki for more details.

Mimi