On Mon, 2019-03-25 at 10:24 -0400, Chuck Lever wrote:
> Auditing can be done by keeping the ima_file_check call site but
> ignoring its return code, for example.

Neither the "measure" nor the "audit" rule controls the return code. Only
an IMA "appraise" rule verifies a file's integrity, which could fail,
resulting in an error return code.

Different systems might have different requirements. Having the IMA hook
here allows IMA custom policies to be defined, based on the specific
system requirements.

In terms of performance, IMA calculates the file hash once, which can
then be used for measuring, appraising, and auditing. Unless the file
changes, calculating the file hash is only done once.

> In any event, removing the ima_file_check call is not required for
> the prototype to be functional. I can drop this patch for now, but
> I encourage examination of how the NFS server measures and audits
> files when an actual IMA policy is in effect.

Thank you!

Mimi
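The distinction Mimi draws above (measure and audit rules never change the return code, appraise is the only action that can make ima_file_check() fail) is easiest to see in a concrete policy. The block below is an added example, not part of the thread or of the kernel's own policy files: a custom IMA policy that applies all three actions to the FILE_CHECK hook, plus a small loader that writes it to securityfs. The fsmagic exclusions are the same pseudo-filesystem magics the kernel's built-in "tcb" policy skips; the mask=MAY_READ and fowner=0 conditions are illustrative choices, and the helper names (ima_policy_text, load_ima_policy, ima_rule_count) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel tree.
# A custom IMA policy exercising measure, audit and appraise on the
# FILE_CHECK hook (the hook ima_file_check() invokes), and a loader
# that writes it through securityfs. Helper names are hypothetical.

ima_policy_text() {
    cat <<'EOF'
# Skip pseudo-filesystems whose contents are not real files
# (proc, sysfs, debugfs, tmpfs, securityfs), as the built-in tcb policy does.
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x1021994
dont_appraise fsmagic=0x1021994
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
# measure: add the file hash to the measurement list (and extend the PCR
# when a TPM is present). Never changes the return code of ima_file_check().
measure func=FILE_CHECK mask=MAY_READ
# audit: emit an integrity audit record carrying the file hash.
# Also never changes the return code.
audit func=FILE_CHECK mask=MAY_READ
# appraise: compare the hash against the security.ima xattr. A mismatch,
# or a missing xattr on a file the rule covers, makes ima_file_check()
# return an error, so the open fails. This is the only action that
# affects the return code. Restricted here to root-owned files.
appraise func=FILE_CHECK mask=MAY_READ fowner=0
EOF
}

# Write the policy to securityfs, or to the path given as $1 (useful for
# inspecting the generated rules before touching the live policy).
load_ima_policy() {
    dest="${1:-/sys/kernel/security/ima/policy}"
    ima_policy_text > "$dest"
}

# Number of active rules (comment lines excluded); a sanity check before loading.
ima_rule_count() {
    ima_policy_text | grep -c -v '^#'
}
```

Loading requires root and securityfs mounted at /sys/kernel/security; on kernels built without CONFIG_IMA_WRITE_POLICY the policy file accepts a single write, so assemble the full rule set first. Before enabling the appraise rule on a real system, the covered files must already carry a valid security.ima xattr (for example by booting once with ima_appraise=fix), otherwise every matching open, including the NFS server's, fails with an integrity error while the measure and audit rules would have continued to record the same hash without blocking anything.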