On Fri, 2017-07-28 at 14:19 +0000, Magalhaes, Guilherme (Brazil R&D- CL) wrote: > > > Each measurement entry in the list could have new fields to identify > > > the namespace. Since the namespaces can be reused, a timestamp or > > > others fields could be added to uniquely identify the namespace id. > > > > The more fields included in the measurement list, the more > > measurements will be added to the measurement list. Wouldn't it be > > enough to know that a certain file has been accessed/executed on the > > system and base any analytics/forensics on the IMA-audit data. > > With the recursive application of policy through the namespace hierarchy, > a measurement added to the parent namespace could be misleading since > the file pathname makes sense in the current namespace but possibly not > for the parent namespace. Fair enough. > This is the reason why I believe some new field > might be needed in the IMA template format to indicate or uniquely > identify the namespace. I would probably include information to uniquely identify the file (eg. UUID, mountpoint), not the namespace. Mimi _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers