On 2/2/22 13:18, Stefan Berger wrote:
On 2/2/22 11:04, Mimi Zohar wrote:
Stefan, we need to differentiate between the different types of audit
records being produced by IMA. Some of these are informational, like
the policy rules being loaded or "Time of Measure, Time of Use"
(ToMToU) records. When we discuss IMA-audit we're referring to the
file hashes being added in the audit log. These are the result of the
IMA "audit" policy rules.
How much of these informational messages should be audited in IMA
namespaces still needs to be discussed. For now, feel free to limit
the audit messages to just the file hashes.
I doubt we should let a user produce informational audit messages or
audit messages related to file hashes... it's unfortunate, but it
opens a door for abuse.
After some offline discussion with Mimi, the solution may be to gate
setting IMA audit policy rules with CAP_SYS_ADMIN.
Stefan