From: Ben S. <ak...@go...> - 2015-07-27 18:54:55
Hello,

Is there a way to get IMA to log the hash of every file executed without using a custom policy? I'd like to log the hash of every file executed on a system, and produce audit log messages such as:

type=INTEGRITY_RULE msg=audit(1437966844.301:162811): file="/usr/bin/less" hash="sha1:c0ddf750a49a96e69173c772747ffd4467fa5d89" …

I know you can set this up using a custom policy with rules along the lines of "audit func=BPRM_CHECK mask=MAY_EXEC", but I'm exploring using IMA on a read-only filesystem. For instance, in CoreOS <https://coreos.com/> most of the filesystem is read-only and I haven't been able to successfully load a custom policy.

I'm wondering if there are any options that can be used with either the ima_tcb or ima_appraise_tcb policies to log hashes. I've tried a few different setups, and while I can trigger audit messages on file execution, I just see INTEGRITY_DATA messages without a hash and a field saying cause="missing-hash".

Can boot command line options or kernel configuration produce INTEGRITY_RULE hashes without requiring a custom policy?

Thanks!
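For anyone consuming the records the question describes, the following is an added example (not code from the original post or from the IMA project) of a small audit-log parser that separates INTEGRITY_RULE lines carrying a file hash from INTEGRITY_DATA lines reporting cause="missing-hash", and checks that each digest has the hex length its algorithm implies. The first INTEGRITY_RULE sample line is the one quoted in the question; the remaining sample lines are constructed here, and the exact trailing fields (pid, comm, exe, dev, ino) are assumed to follow the usual audit key=value layout.

```python
import re
from typing import Any, Dict, List, Optional

# Expected hex digest length per algorithm, used to spot truncated or malformed hashes.
DIGEST_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Constructed sample log. Only the first INTEGRITY_RULE line comes from the question;
# the other records (and all pids/inodes) are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=INTEGRITY_RULE msg=audit(1437966844.301:162811): file="/usr/bin/less" hash="sha1:c0ddf750a49a96e69173c772747ffd4467fa5d89" ppid=1 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"
type=INTEGRITY_DATA msg=audit(1437966850.120:162812): pid=1240 uid=1000 auid=1000 ses=1 op="appraise_data" cause="missing-hash" comm="bash" name="/usr/bin/vim" dev="sda1" ino=98765 res=0
type=INTEGRITY_RULE msg=audit(1437966855.002:162813): file="/usr/bin/cat" hash="sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" ppid=1 pid=1250 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"
type=INTEGRITY_RULE msg=audit(1437966856.500:162814): file="/usr/bin/truncated" hash="sha1:c0ddf750a49a96e6" pid=1260 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1437966855.003:162813): arch=c000003e syscall=59 success=yes exit=0
"""

# Common audit record header: type=... msg=audit(<epoch>.<ms>:<serial>): <key=value fields>
AUDIT_HEADER = re.compile(
    r'^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens
KV_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit line into its type, timestamp, serial and key=value fields.

    Returns None for lines that are not audit records.
    """
    m = AUDIT_HEADER.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_FIELD.findall(m.group("rest")):
        # For a quoted value the third group is empty; for a bare value the second is.
        fields[key] = bare if bare else quoted
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def digest_is_well_formed(algo: str, digest: str) -> bool:
    """True if the digest is all hex and has the length the named algorithm produces."""
    expected = DIGEST_HEX_LENGTH.get(algo.lower())
    if expected is None or len(digest) != expected:
        return False
    return all(c in "0123456789abcdef" for c in digest.lower())


def executed_file_hashes(log_text: str) -> List[Dict[str, Any]]:
    """Return one record per INTEGRITY_RULE line whose hash field has an algo:digest form."""
    results = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "INTEGRITY_RULE":
            continue
        hash_field = rec["fields"].get("hash", "")
        if ":" not in hash_field:
            continue  # INTEGRITY_RULE without a usable hash value
        algo, digest = hash_field.split(":", 1)
        results.append({
            "file": rec["fields"].get("file"),
            "algo": algo,
            "digest": digest,
            "well_formed": digest_is_well_formed(algo, digest),
            "serial": rec["serial"],
        })
    return results


def missing_hash_files(log_text: str) -> List[str]:
    """Return file names from INTEGRITY_DATA records that report cause="missing-hash"."""
    names = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "INTEGRITY_DATA":
            continue
        if rec["fields"].get("cause") == "missing-hash":
            names.append(rec["fields"].get("name", "<unknown>"))
    return names


if __name__ == "__main__":
    for entry in executed_file_hashes(SAMPLE_AUDIT_LOG):
        flag = "" if entry["well_formed"] else "  [malformed digest]"
        print(f'{entry["file"]}: {entry["algo"]}:{entry["digest"]}{flag}')
    for name in missing_hash_files(SAMPLE_AUDIT_LOG):
        print(f"{name}: no hash recorded (missing-hash)")
```

Running the script against a real `/var/log/audit/audit.log` is a matter of replacing SAMPLE_AUDIT_LOG with the file contents; the well_formed flag is what catches a hash field that was cut short by a log line limit before the digest ever reaches an allowlist comparison.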