I have two questions.
~~
I'm writing an informal specification for the IMA event log.
I'd like to include a chart noting which kernel version first supported
various options, i.e. the IMA templates (ima, ima-ng, ima-sig) and the
ima_template_format directive and its various values.
Does anyone have any contribution?
In return, I'll send the document to anyone who asks.
~~
I'm writing a library of useful IMA event log parsing functions.
Are all format combinations legal? It's not enough to look at today's
code, because the code can change.
For example, ima_template_format="sig" doesn't make sense, because
it's a signature over a missing file data hash, but it's accepted.
The log it creates is odd, though, with just two entries.
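
As an added illustration (not part of the original message, and not kernel or library code): a parser can accept any format string but report combinations such as "sig" with no data hash field. The field subset, the function names, and the little-endian length-prefixed layout assumed for template data are assumptions of this example.

```python
import struct

# Built-in template names and the field lists they stand for.
BUILTIN_TEMPLATES = {"ima": "d|n", "ima-ng": "d-ng|n-ng", "ima-sig": "d-ng|n-ng|sig"}
# Assumption: only the fields used by those three templates; the kernel defines more.
KNOWN_FIELDS = {"d", "n", "d-ng", "n-ng", "sig"}
DATA_HASH_FIELDS = {"d", "d-ng"}


def check_format(fmt):
    """Split a template name or format string; return (fields, warnings)."""
    fields = BUILTIN_TEMPLATES.get(fmt, fmt).split("|")
    warnings = [f"unknown field {f!r}" for f in fields if f not in KNOWN_FIELDS]
    if len(set(fields)) != len(fields):
        warnings.append("duplicate field")
    if "sig" in fields and not DATA_HASH_FIELDS.intersection(fields):
        warnings.append("sig present without a file data hash (d or d-ng)")
    return fields, warnings


def parse_template_data(fmt, data):
    """Parse template data into {field: bytes}; each field is u32 length + bytes (assumed)."""
    fields, _ = check_format(fmt)
    if {"d", "n"}.intersection(fields):
        raise ValueError("legacy d/n fields are not handled by this example")
    out, pos = {}, 0
    for name in fields:
        if pos + 4 > len(data):
            raise ValueError(f"truncated before length of {name!r}")
        (length,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if length > len(data) - pos:  # never trust a length taken from the log
            raise ValueError(f"field {name!r} length {length} exceeds remaining data")
        out[name] = data[pos:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes not covered by format")
    return out


def _field(payload):
    return struct.pack("<I", len(payload)) + payload

# Constructed sample: all-zero digest, a file name, and an empty signature field.
SAMPLE = _field(b"sha256:\x00" + bytes(32)) + _field(b"/usr/bin/true\x00") + _field(b"")
```

Parsing SAMPLE as "ima-sig" succeeds, while parsing it as "d-ng|n-ng" fails on the four trailing bytes, so a mismatch between the declared format and the logged data is detected rather than silently skipped.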