Repository of audit events

Steve Grubb sgrubb at redhat.com
Fri Apr 11 14:07:20 UTC 2014


Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> > 
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us who are not really up on IMA and just want to generate the event to 
add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
> 
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
> 
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
> 
> Before updating/removing the 'security.evm' xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
> 
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve



