My question here is related to preventing an off-line attack where one simply removes the policy file. I have successfully installed and enabled appraisal sufficiently for experimenting with IMA. In my environment, I am allowing the policy file to be automatically loaded through systemd by placing the policy file at /etc/ima/ima-policy. This is good, but what happens if one simply removes the policy file through an off-line attack? Since the policy file would not exist, measurement and appraisal would simply never be enabled. Are there other ways of baking the policy into the system or protecting against this exposure. Thanks Ken
