From: Svart K. <bla...@gm...> - 2016-11-29 08:50:36
Thank you, I enabled i_version on all mounted filesystems, nevertheless when
changing measured files, these changes do not seem to be detected!?

- Open the file once -> it's added to the measurement list
- Open the file again and make some changes, but the same measurement is
  still there

Shouldn't this be recognized now by IMA since i_version is enabled?

On 28 November 2016 at 23:44, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2016-11-28 at 21:29 +0100, Svart Kanin wrote:
> > Hi,
> > thanks for the reply.
> >
> > > After accessing testfile.txt, does it appear in the measurement list
> > > at this point?
> >
> > Yes, after I access the file, it is listed in the measurement list
> > ascii_runtime_measurements,
> > but shouldn't it be already measured on reboot then as well, even
> > though the file has not been accessed yet?
>
> On a hard boot, the measurement list starts out empty. Based on policy,
> measurements are added on file open, mmap, or execute. On a soft reboot
> (eg. kexec), we're working on carrying the measurements across kexec.
>
> > Now not only the testFile.txt which was assigned the 'M' attribute is
> > added to the measurement list,
> > but every other file as well that is being accessed!?
>
> What is measured is based on policy.
>
> > > The policy needs to be loaded on reboot. dracut and systemd have
> > > modules that load the IMA policy, but they're enabled by default.
> >
> > This means that the policies should be loaded automatically already?
>
> Oops, that should have said that although there are dracut and systemd
> modules for loading the policy, they still need to be enabled.
>
> > > No, it doesn't require a reboot, but it does require the file system
> > > to be mounted with i_version. Otherwise, files that change aren't
> > > re-measured.
> >
> > So if the filesystem is mounted with i_version, and labels are going
> > to be assigned,
> > then the file should be measured immediately as soon as the label has
> > been assigned,
> > and not when the file is accessed the first time?
>
> No, reading/writing xattrs does not access the file itself. So the file
> is not measured, even with the file_check rule.
>
> Mimi
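As an added example, not part of the thread and not IMA's own tooling, here is a small POSIX shell helper for the two checks a practitioner would run while debugging the symptom above: which mount points lack the i_version option, and which files in ascii_runtime_measurements have actually been re-measured (more than one distinct file hash for the same path) versus measured only once. Both functions take the text to inspect as an argument, so the block runs offline against the constructed /proc/mounts and measurement-list samples embedded below; the digests in the samples are placeholders, not real hashes. Assumptions: the measurement list uses the ima-ng template (PCR, template hash, template name, alg:hash, path), the mount option may be spelled either i_version or iversion depending on kernel version, and the list is read from the usual securityfs path when run with --live.

```sh
#!/bin/sh
# Added example (not from the thread). Parses text passed as an argument so
# the checks run offline against the constructed samples below; use --live
# on an IMA-enabled system to read the real files instead.

# Constructed /proc/mounts sample: only "/" carries the i_version option.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,i_version 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Constructed ascii_runtime_measurements sample in the ima-ng template:
#   PCR  template-hash  template-name  alg:file-hash  path
# testfile.txt appears twice with different hashes (re-measured after a
# change); cat appears once. Hashes are placeholders, not real digests.
SAMPLE_MEASUREMENTS='10 1111111111111111111111111111111111111111 ima-ng sha1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa /home/user/testfile.txt
10 2222222222222222222222222222222222222222 ima-ng sha1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /usr/bin/cat
10 3333333333333333333333333333333333333333 ima-ng sha1:cccccccccccccccccccccccccccccccccccccccc /home/user/testfile.txt'

# mounts_without_iversion MOUNTS_TEXT
# Prints the mount point of every line whose option list (field 4) lacks
# the i_version option. Assumption: the kernel shows it as "i_version" or
# "iversion" depending on version, so either is accepted as a whole token.
mounts_without_iversion() {
  printf '%s\n' "$1" | awk '$4 !~ /(^|,)i_?version(,|$)/ { print $2 }'
}

# remeasured_files MEASUREMENTS_TEXT
# Prints each path with more than one distinct file hash in the list, i.e.
# a file IMA re-measured after its content changed. A changed file that
# keeps a single entry is the symptom in the mail: no i_version on its mount.
remeasured_files() {
  printf '%s\n' "$1" | awk '
    $3 == "ima-ng" {
      path = $5
      for (i = 6; i <= NF; i++) path = path " " $i   # paths may contain spaces
      if (!seen[path SUBSEP $4]++) distinct[path]++
    }
    END { for (p in distinct) if (distinct[p] > 1) print p }'
}

# single_entry_files MEASUREMENTS_TEXT
# Prints each path measured exactly once; later modifications of these
# files will not appear if their filesystem lacks i_version.
single_entry_files() {
  printf '%s\n' "$1" | awk '
    $3 == "ima-ng" {
      path = $5
      for (i = 6; i <= NF; i++) path = path " " $i
      count[path]++
    }
    END { for (p in count) if (count[p] == 1) print p }'
}

if [ "${1-}" = "--live" ]; then
  # Assumed securityfs location of the IMA measurement list.
  mounts_without_iversion "$(cat /proc/mounts)"
  remeasured_files "$(cat /sys/kernel/security/ima/ascii_runtime_measurements)"
else
  echo "mounts without i_version:"; mounts_without_iversion "$SAMPLE_MOUNTS"
  echo "re-measured files:";        remeasured_files "$SAMPLE_MEASUREMENTS"
  echo "measured once:";            single_entry_files "$SAMPLE_MEASUREMENTS"
fi
```

Run without arguments to see the sample output; with --live it reads the real /proc/mounts and measurement list. A path that shows up under "measured once" after you have opened and modified it, while its mount point also shows up under "mounts without i_version", is exactly the case the reply describes: the change is not re-measured because the filesystem was not mounted with i_version.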