From: Mimi Z. <zo...@li...> - 2015-07-27 19:28:21
On Mon, 2015-07-27 at 11:54 -0700, Ben Scarlato wrote:
> Hello,
>
> Is there a way to get IMA to log the hash of every file executed without
> using a custom policy?
>
> I'd like to log the hash of every file executed on a system, and produce
> audit log messages such as:
>
> type=INTEGRITY_RULE msg=audit(1437966844.301:162811): file="/usr/bin/less"
> hash="sha1:c0ddf750a49a96e69173c772747ffd4467fa5d89" ….
>
> I know you can set this up using a custom policy with rules along the lines
> of "audit func=BPRM_CHECK mask=MAY_EXEC", but I'm exploring using IMA
> on a read-only filesystem. For instance, in CoreOS <https://coreos.com/>
> most of the filesystem is read-only and I haven't been able to successfully
> load a custom policy.
>
> I'm wondering if there are any options that can be used with either the
> ima_tcb or ima_appraise_tcb policies to log hashes. I've tried a few
> different setups, and while I can trigger audit messages on file execution,
> I just see INTEGRITY_DATA messages without a hash and a field saying
> cause="missing-hash".
>
> Can boot command line options or kernel configuration produce
> INTEGRITY_RULE hashes without requiring a custom policy?

The "audit" rule is not in either of the builtin policies. The ima_tcb
policy measures all executables, files mmapped, and files read by root.
These measurements are stored in memory and can be displayed by cat'ing
<security>/ima/ascii_runtime_measurements.

Mimi
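The measurement list Mimi points at already contains the per-file hashes Ben wants, one line per measured file, in the form "PCR template-hash template-name file-hash path". The following is an added example, not code from either message, the kernel or ima-evm-utils: it parses a constructed list in both the legacy "ima" and the "ima-ng" template formats, prints each entry in the file="..." hash="algo:hex" shape of the audit record quoted above, and recomputes every entry's template hash the way the kernel does (SHA-1 over length-prefixed fields for ima-ng, digest plus 256-byte zero-padded name for legacy "ima") so a line that has been altered is flagged. Assumptions: a little-endian host (the kernel uses host byte order for the length prefixes unless booted with ima_canonical_fmt), and the sample digests other than the /usr/bin/less one are made up. Unlike the audit rule, the list does not say whether a file was executed, mmapped or read; the built-in ima_tcb policy records all three.

```python
"""Read an IMA ascii_runtime_measurements list and emit one hash line per file.

Added example for the thread above (not code from the original messages, the
kernel or ima-evm-utils). Template hashes are recomputed to mirror the kernel's
ima_calc_field_array_hash(); sample data below is constructed.
"""
import hashlib
import struct

IMA_EVENT_NAME_LEN_MAX = 255  # legacy 'ima' template zero-pads names to 256 bytes


def template_hash(template, algo, digest, path):
    """Recompute column 2 of a measurement line (SHA-1, the PCR 10 bank).

    Non-legacy templates hash every field prefixed by its u32 length in host
    byte order (assumed little-endian here); the legacy 'ima' template hashes
    the raw digest followed by the file name zero-padded to 256 bytes.
    """
    h = hashlib.sha1()
    if template == "ima":
        h.update(digest)
        name = path.encode()[:IMA_EVENT_NAME_LEN_MAX]
        h.update(name.ljust(IMA_EVENT_NAME_LEN_MAX + 1, b"\0"))
    elif template == "ima-ng":
        fields = (algo.encode() + b":\0" + digest,  # d-ng: "algo:" NUL digest
                  path.encode() + b"\0")            # n-ng: name incl. trailing NUL
        for data in fields:
            h.update(struct.pack("<I", len(data)))
            h.update(data)
    else:
        raise ValueError("unsupported template: " + template)
    return h.hexdigest()


def make_line(template, algo, hexdigest, path, pcr=10):
    """Build one list line with a correct template hash (used for the sample)."""
    thash = template_hash(template, algo, bytes.fromhex(hexdigest), path)
    shown = hexdigest if template == "ima" else algo + ":" + hexdigest
    return "%d %s %s %s %s" % (pcr, thash, template, shown, path)


def parse_measurements(text):
    """Parse 'PCR template-hash template-name file-hash path' lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, template, filehash, path = line.split(" ", 4)
        # legacy 'ima' lines print a bare hex digest, ima-ng prints algo:hex
        algo, _, hexdigest = filehash.rpartition(":")
        entries.append({"pcr": int(pcr), "template_hash": thash,
                        "template": template, "algo": algo or "sha1",
                        "hexdigest": hexdigest, "path": path})
    return entries


def verify(entry):
    """True when the template hash matches the entry's own fields."""
    expect = template_hash(entry["template"], entry["algo"],
                           bytes.fromhex(entry["hexdigest"]), entry["path"])
    return expect == entry["template_hash"]


def audit_line(entry):
    """Format an entry like the INTEGRITY_RULE record quoted in the thread."""
    return 'file="%s" hash="%s:%s"' % (entry["path"], entry["algo"],
                                        entry["hexdigest"])


# Constructed sample list: the boot_aggregate digest is a placeholder, the
# /usr/bin/less hash is the one quoted in the thread, /bin/bash is made up.
SAMPLE = "\n".join([
    make_line("ima-ng", "sha1", "0" * 40, "boot_aggregate"),
    make_line("ima-ng", "sha1",
              "c0ddf750a49a96e69173c772747ffd4467fa5d89", "/usr/bin/less"),
    make_line("ima", "sha1", "1" * 40, "/bin/bash"),
])

if __name__ == "__main__":
    # On a live system read /sys/kernel/security/ima/ascii_runtime_measurements
    for e in parse_measurements(SAMPLE):
        print(("ok  " if verify(e) else "BAD ") + audit_line(e))
```

On a real system the list grows as files are measured, so polling the file and emitting only lines past the last seen offset gives a running log; the template hashes are also what gets extended into PCR 10, so a list whose lines all verify but whose replayed aggregate does not match the TPM PCR has been truncated or reordered rather than edited.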