From: Mark D. B. <md...@ju...> - 2016-09-06 17:11:54
Marlon Chalegre <mc...@ce...> writes:

> I have some questions about how to configure the IMA and I'm wondering if
> you could help me understand some things.
>
> 1 - Could I configure the IMA to measure/appraise only specific folder
> and/or file?

Yes, but this will require labeling the file or directory using LSM labels (with either SMACK or SE Linux extensions) and then writing an IMA policy that uses the label to control the measure/dont_measure and appraise rules. The LSM system must be enabled before IMA if you are going to use it in this manner.

> 2 - Is there any example or documentation about how to use different rules
> like uid, fowner, uuid, LSM labels, etc to limit which files and folders
> must be measured?

There is some text on the subject on the linux-ima wiki:

https://sourceforge.net/p/linux-ima/wiki/Home/#defining-an-lsm-specific-policy

which mentions adding LSM specific rules.

> In a previous contact with Zohar, she said to me that the question number
> one is not implemented. Is this a good improvement to be developed?

I do not know when that was, but it is implemented now. The use of SMACK vs SE Linux with IMA is largely going to depend on the security considerations for your particular installation. You do have the flexibility to do what you want now.

-- 
Mark
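Added example, not from this thread or from the linux-ima project: a shell script that builds the kind of label-scoped IMA policy Mark describes (measure and appraise rules conditioned on an LSM label of the object, with pseudo-filesystems excluded) and installs it. The rule syntax follows the kernel's Documentation/ABI/testing/ima_policy; the label name "ima_protected_t", the Smack label "IMA", and the /etc/ima/ima-policy path (where systemd's IMA setup loads a policy at boot) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the thread's or the project's code): generate an IMA
# policy that measures and appraises only files carrying a chosen LSM label.
# Label names and the output path below are assumptions.
set -eu

# Emit a policy for the given LSM flavour ("selinux" or "smack") and label.
# Rule syntax: action [condition ...], with actions measure | dont_measure |
# appraise | dont_appraise (see Documentation/ABI/testing/ima_policy).
make_ima_policy() {
    lsm=$1
    label=$2
    case "$lsm" in
        selinux) cond="obj_type=$label" ;;   # SELinux type of the object
        smack)   cond="obj_user=$label" ;;   # Smack label of the object
        *) echo "unsupported LSM: $lsm" >&2; return 1 ;;
    esac
    cat <<EOF
# Skip pseudo filesystems (fsmagic values as used in the kernel's default policy)
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
# Measure and appraise only labelled objects, on read, exec and executable mmap
measure func=FILE_CHECK mask=MAY_READ $cond
appraise func=FILE_CHECK mask=MAY_READ $cond
measure func=BPRM_CHECK mask=MAY_EXEC $cond
appraise func=BPRM_CHECK mask=MAY_EXEC $cond
measure func=MMAP_CHECK mask=MAY_EXEC $cond
appraise func=MMAP_CHECK mask=MAY_EXEC $cond
EOF
}

# Count the generated rules that carry a given condition string (a sanity check
# a practitioner can run before loading a policy that cannot be unloaded).
count_label_rules() {
    make_ima_policy "$1" "$2" | grep -c "$3"
}

# Write the policy to the path loaded at boot (assumed: /etc/ima/ima-policy);
# if securityfs is mounted and writable, load it into the running kernel too.
# Note: the policy file in securityfs is write-once unless the kernel was
# built with CONFIG_IMA_WRITE_POLICY, so check the output before loading.
install_ima_policy() {
    lsm=$1
    label=$2
    policy=${3:-/etc/ima/ima-policy}
    mkdir -p "$(dirname "$policy")"
    make_ima_policy "$lsm" "$label" > "$policy"
    if [ -w /sys/kernel/security/ima/policy ]; then
        cat "$policy" > /sys/kernel/security/ima/policy
    fi
    echo "$policy"
}

# When run directly, print the policy for the chosen LSM and label
# (override with IMA_LSM=smack IMA_LABEL=IMA, for example).
make_ima_policy "${IMA_LSM:-selinux}" "${IMA_LABEL:-ima_protected_t}"
```

The files to be protected still have to carry the label before the rules match anything: for SELinux that means a type defined in the loaded SELinux policy (applied with chcon or the file contexts), for Smack a label applied with chsmack. Because the policy ends with appraise rules, those files also need a security.ima hash or signature, otherwise access is denied once appraisal is enforced.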