Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns


On 2/2/22 13:18, Stefan Berger wrote:

On 2/2/22 11:04, Mimi Zohar wrote:
Stefan, we need to differentiate between the different types of audit
records being produced by IMA.  Some of these are informational, like
the policy rules being loaded or "Time of Measure, Time of Use"
(ToMToU) records.  When we discuss IMA-audit we're referring to the
file hashes being added in the audit log.  These are the result of the
IMA "audit" policy rules.

How much of these informational messages should be audited in IMA
namespaces still needs to be discussed.  For now, feel free to limit
the audit messages to just the file hashes.

I doubt we should let a user produce informational audit messages or audit messages related to file hashes... it's unfortunate, but it opens a door for abuse.

After some offline discussion with Mimi, the solution may be to gate setting IMA audit policy rules with CAP_SYS_ADMIN.

   Stefan


