We are trying to understand why some file measurements are skipped by IMA. In some circumstances, it seems that this could lead to an incorrect assessment of the integrity of the host. Consider the following example, in which we begin with a vulnerable bash binary (e.g. Shellshock) and patch it.

1. Load vulnerable bash (measured by IMA)
2. Patch the bash file
3. Load good bash (measured by IMA)
4. Change back to vulnerable bash
5. Load vulnerable bash (not measured by IMA)

After step 5, the IMA logs appear to tell you that the system is using a good binary, but a vulnerable binary is installed and being used.

We identified that 'ima_htable.queue' prevented the measurement at step 5, since the same vulnerable bash was loaded on steps 1 and 5 and its respective hash was therefore already present in 'ima_htable.queue'. So in this scenario the last/current file state is not identified using the IMA log.

Is it not important to identify through the IMA log whether or not the last known file state is good? Does anybody know why 'ima_htable.queue' is preventing already logged file hashes from being re-measured?

-- Guilherme
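The five-step sequence above, reproduced as an added simulation (not kernel code and not part of the original message): a toy measurement list with a digest set standing in for 'ima_htable.queue', which refuses to append an entry whose digest was already recorded. The file contents, the path name and the use of SHA-1 for the entry digest and the PCR extend are constructed assumptions for illustration. The point it makes visible is that the log is an ordered record of first-seen digests, so reading its last entry for a path does not tell a verifier what is on disk now; a fresh measurement of the file is needed for that.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ImaMeasurementList:
    """Simulation of IMA's measurement list plus its digest cache.

    entries : ordered log, like ascii_runtime_measurements (path, digest)
    htable  : stands in for ima_htable.queue; one entry per distinct digest
    pcr     : simulated PCR value, extended only when an entry is appended
    """
    entries: list = field(default_factory=list)
    htable: set = field(default_factory=set)
    pcr: bytes = bytes(20)

    def measure(self, path: str, content: bytes) -> bool:
        """Measure a file on load. Returns True if a log entry was added."""
        digest = hashlib.sha1(content).hexdigest()
        if digest in self.htable:
            # Duplicate digest: nothing appended, PCR not extended.
            return False
        self.htable.add(digest)
        self.entries.append((path, digest))
        self.pcr = hashlib.sha1(self.pcr + bytes.fromhex(digest)).digest()
        return True

    def last_logged_digest(self, path: str):
        """What a log reader would take as the 'latest known' digest for path."""
        for p, d in reversed(self.entries):
            if p == path:
                return d
        return None


# Constructed stand-ins for the two binary versions (assumption, not real bash).
VULNERABLE_BASH = b"bash-with-shellshock"
PATCHED_BASH = b"bash-patched"
BASH_PATH = "/bin/bash"


def run_scenario() -> dict:
    """Replay the five steps from the message and report what the log shows."""
    ima = ImaMeasurementList()
    on_disk = VULNERABLE_BASH
    measured = []

    measured.append(ima.measure(BASH_PATH, on_disk))   # 1. load vulnerable bash
    on_disk = PATCHED_BASH                              # 2. patch the file
    measured.append(ima.measure(BASH_PATH, on_disk))   # 3. load good bash
    on_disk = VULNERABLE_BASH                           # 4. change back
    measured.append(ima.measure(BASH_PATH, on_disk))   # 5. load vulnerable bash

    current = hashlib.sha1(on_disk).hexdigest()
    return {
        "measured_per_load": measured,                  # [True, True, False]
        "log": ima.entries,
        "last_logged": ima.last_logged_digest(BASH_PATH),
        "current_on_disk": current,
        "log_matches_disk": ima.last_logged_digest(BASH_PATH) == current,
    }


def verify_current_state(ima: ImaMeasurementList, path: str, content: bytes) -> bool:
    """Defender-side check: compare a fresh digest of the file with the log's
    last entry instead of trusting the log order alone."""
    return ima.last_logged_digest(path) == hashlib.sha1(content).hexdigest()


if __name__ == "__main__":
    result = run_scenario()
    for path, digest in result["log"]:
        print(f"{path} {digest}")
    print("last logged:", result["last_logged"])
    print("on disk now:", result["current_on_disk"])
    print("log reflects disk:", result["log_matches_disk"])
```

Running it prints two log entries (vulnerable digest first, patched digest second), so the last entry for /bin/bash is the patched digest while the file on disk hashes to the vulnerable one; only the fresh comparison in verify_current_state exposes the mismatch.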