From: Curtis V. <cr...@so...> - 2015-06-10 15:29:32
On Wed, Jun 10, 2015 at 09:22:30AM -0400, Mimi Zohar wrote:
> On Tue, 2015-06-09 at 18:59 -0600, Curtis Veit wrote:
> > I am also noticing that when using appraise rules looking for a hash
> > that I can get errors when I update a file and then update the hash.
> > Is there an approach for solving that? (Hopefully without either
> > dropping appraise and only measuring or without rewriting various
> > system utils to be IMA aware.)
>
> As long as the file is in policy, an updated hash should automatically
> be written out on file close. When security.ima is a signature,
> neither the file nor the file signature can be modified. I've just
> upstreamed a patch by Dmitry Kasitkin to also prevent userspace from
> modifying the security.ima hash value.
>
> c68ed80 ima: limit file hash setting by user to fix and log modes

Thanks for the reference; it looks like I need to rethink a few things.

> Sounds like I need to check my rules and try this out again.

Just one question about the auto-update of the hash on file close...
I am running a 3.18 kernel. Is the auto-update behaviour present in that
version? If not, when did it appear?

Curtis
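The symptom in the message above (a file is updated, but the stored hash in security.ima no longer matches it, so appraisal fails) is easy to diagnose by decoding the xattr and comparing it with the current contents. The following is an added example, not code from the thread or from the IMA project. It decodes the on-disk layout of the hash-type security.ima value as the kernel stores it (a type byte, then for the "NG" format a hash_algo byte, then the raw digest; a type of 3 means a signature, which by Mimi's description cannot be fixed up by rewriting it), computes what a fresh hash would look like, and reports ok / stale / signature. The type constants and hash_algo numbering are as given in the kernel's integrity.h and include/uapi/linux/hash_info.h; the function names and the sample data are mine. Running check_file() against a real path needs a Linux host with IMA and permission to read security.* xattrs, so the pure-bytes helpers are kept separate so they can be exercised anywhere.

```python
"""Decode a security.ima xattr value and check it against file contents.

Added example; not from the linux-ima-user thread or the IMA project.
Layout assumed (kernel evm_ima_xattr_data / ima_hash_hdr):
  type byte 0x01  IMA_XATTR_DIGEST      legacy, SHA-1 digest follows directly
  type byte 0x03  EVM_IMA_XATTR_DIGSIG  signature follows (not a hash)
  type byte 0x04  IMA_XATTR_DIGEST_NG   hash_algo byte, then the digest
hash_algo numbering is the kernel's enum hash_algo (hash_info.h).
"""
import errno
import hashlib
import os
import sys

IMA_XATTR_DIGEST = 0x01
EVM_IMA_XATTR_DIGSIG = 0x03
IMA_XATTR_DIGEST_NG = 0x04

# enum hash_algo values -> hashlib names (only the ones IMA commonly uses)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
             4: "sha256", 5: "sha384", 6: "sha512"}


def parse_security_ima(blob):
    """Return ("digest", algo_name, digest) or ("signature", None, sig_bytes)."""
    if not blob:
        raise ValueError("empty security.ima value")
    xtype = blob[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        return ("signature", None, bytes(blob[1:]))
    if xtype == IMA_XATTR_DIGEST:
        # legacy format: no algorithm byte, always SHA-1
        return ("digest", "sha1", bytes(blob[1:]))
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(blob) < 2 or blob[1] not in HASH_ALGO:
            raise ValueError("unknown hash_algo in security.ima")
        return ("digest", HASH_ALGO[blob[1]], bytes(blob[2:]))
    raise ValueError("unknown security.ima type 0x%02x" % xtype)


def build_security_ima(data, algo="sha256"):
    """Construct the DIGEST_NG value a fix-mode kernel would store for data."""
    algo_id = {name: num for num, name in HASH_ALGO.items()}[algo]
    return bytes([IMA_XATTR_DIGEST_NG, algo_id]) + hashlib.new(algo, data).digest()


def check_contents(blob, data):
    """'ok' if blob's digest matches data, 'stale' if not, 'signature' for a digsig."""
    kind, algo, value = parse_security_ima(blob)
    if kind == "signature":
        return "signature"
    return "ok" if hashlib.new(algo, data).digest() == value else "stale"


def check_file(path):
    """Compare the live security.ima of path with its current contents.

    Needs Linux with IMA and read access to security.* xattrs (usually root).
    """
    with open(path, "rb") as f:
        data = f.read()
    try:
        blob = os.getxattr(path, "security.ima")
    except OSError as e:
        if e.errno == errno.ENODATA:
            return "missing"
        raise
    return check_contents(blob, data)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print("%s: %s" % (p, check_file(p)))
```

A "stale" result on a file that is in policy after a write-and-close is exactly the case to look at when checking whether a given kernel rewrites the hash on close; a "signature" result means the xattr is a digital signature and a mismatch has to be resolved by re-signing, not by recomputing a hash.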