[PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns
Stefan Berger
stefanb at linux.ibm.com
Wed Feb 2 21:27:50 UTC 2022
On 2/2/22 13:18, Stefan Berger wrote:
>
> On 2/2/22 11:04, Mimi Zohar wrote:
>> Stefan, we need to differentiate between the different types of audit
>> records being produced by IMA. Some of these are informational, like
>> the policy rules being loaded or "Time of Measure, Time of Use"
>> (ToMToU) records. When we discuss IMA-audit we're referring to the
>> file hashes being added in the audit log. These are the result of the
>> IMA "audit" policy rules.
>>
>> How much of these informational messages should be audited in IMA
>> namespaces still needs to be discussed. For now, feel free to limit
>> the audit messages to just the file hashes.
> I doubt we should let a user produce informational audit messages or
> audit messages related to file hashes... it's unfortunate, but it
> opens a door for abuse.
After some offline discussion with Mimi, the solution may be to gate
setting IMA audit policy rules with CAP_SYS_ADMIN.
Stefan
More information about the Linux-security-module-archive
mailing list