Repository of audit events

Mimi Zohar zohar at linux.vnet.ibm.com
Fri Apr 11 15:26:27 UTC 2014


On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote: 
> Hi Mimi,
> 
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> > > 
> > > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
> 
> For those of us not really up on IMA and just want to generate the event to 
> add to our collection, any tips on doing this?

Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (eg. audit func=BPRM_CHECK
mask=MAY_EXEC).

*Directions below for loading a policy.

> > > Missing INTEGRITY_DATA
> > 
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
> 
> How would I cause this event to be generated if I wanted to see it?

Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (eg.
measure func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0,
audit func=BPRM_CHECK mask=MAY_EXEC).  Both the boot command line
options 'ima_tcb' and 'ima_appraise_tcb' have these rules.  Unlabeled
filesystems would require the additional boot command line option
'ima_appraise=fix'.

> > > Missing INTEGRITY_HASH
> > 
> > Not used.
> 
> OK, I'll mark that deprecated.
> 
> > > Missing INTEGRITY_METADATA
> > 
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (eg. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
> 
> How to get it?

In addition to the IMA/IMA-appraisal config options, requires
CONFIG_EVM=y.  Assuming you've created an EVM key and loaded it, EVM is
enabled.  (dracut has an EVM module.)  Unlabeled filesystems would
require the additional boot command line option 'ima_evm=fix'.

> > > Missing INTEGRITY_STATUS
> > 
> > Errors related to the IMA policy.
> 
> How to get it?

Directions for loading a policy: to load a policy or replace the boot
command line 'ima_tcb'/'ima_appraise_tcb' policies, cat the new policy
to /sys/kernel/security/ima/config.  The IMA LTP testsuite has examples.

Mimi
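The prerequisites and the policy-loading step described in the reply, collected into one script. This is an added example for the thread, not code from Mimi Zohar, the Linux-audit list or the kernel tree. It assumes the running kernel's config is readable through /proc/config.gz or /boot/config-$(uname -r), that securityfs is mounted at /sys/kernel/security and the policy is written to its ima/policy node (override IMA_POLICY_NODE if your kernel exposes it elsewhere), and that the load step runs as root. The validator deliberately accepts only the rule grammar used in the thread (action, func=, optional mask=/uid=) so that a mistyped rule is rejected before it reaches the kernel.

```shell
#!/bin/sh
# Added example for this thread, not code from the reply's author or the kernel.
# Assumptions: kernel config readable via /proc/config.gz or /boot/config-$(uname -r);
# securityfs mounted at /sys/kernel/security with the policy node at ima/policy;
# root privileges for the load step.

# The policy rules quoted in the reply, one per line.
IMA_POLICY_RULES='measure func=BPRM_CHECK
measure func=FILE_CHECK mask=MAY_READ uid=0
audit func=BPRM_CHECK mask=MAY_EXEC'

# Kernel options the reply names as prerequisites for the INTEGRITY_* events.
IMA_REQUIRED_OPTIONS='CONFIG_IMA CONFIG_INTEGRITY_AUDIT CONFIG_IMA_APPRAISE CONFIG_EVM'

# Assumed location of the securityfs policy node; override in the environment.
IMA_POLICY_NODE=${IMA_POLICY_NODE:-/sys/kernel/security/ima/policy}

# Print the running kernel's .config to stdout.
ima_running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        cat "/boot/config-$(uname -r)"
    fi
}

# Usage: ima_config_missing CONFIGFILE
# Prints the required options that are not "=y" in CONFIGFILE, space separated.
# Exit status is 0 only when nothing is missing.
ima_config_missing() {
    _cfg=$1
    _missing=''
    for _opt in $IMA_REQUIRED_OPTIONS; do
        grep -qx "${_opt}=y" "$_cfg" || _missing="$_missing $_opt"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Usage: ima_policy_valid "RULES"
# Each rule must be "<action> func=... [mask=MAY_*] [uid=N]"; blank lines are
# skipped. Returns 1 on the first rule or token that does not fit.
ima_policy_valid() {
    printf '%s\n' "$1" | while IFS= read -r _rule; do
        [ -z "$_rule" ] && continue
        case $_rule in
            measure' func='*|dont_measure' func='*|appraise' func='*|dont_appraise' func='*|audit' func='*) ;;
            *) printf 'bad rule (expected "<action> func=..."): %s\n' "$_rule" >&2; exit 1 ;;
        esac
        for _tok in $_rule; do
            case $_tok in
                measure|dont_measure|appraise|dont_appraise|audit) ;;
                func=?*) ;;
                mask=MAY_READ|mask=MAY_WRITE|mask=MAY_EXEC|mask=MAY_APPEND) ;;
                uid=[0-9]*) ;;
                *) printf 'bad token "%s" in rule: %s\n' "$_tok" "$_rule" >&2; exit 1 ;;
            esac
        done
    done
}

# Usage: ima_policy_load "RULES"
# The "cat the new policy to the ima node" step from the reply, gated on the
# rules validating and on the node being writable (securityfs mounted, root).
ima_policy_load() {
    ima_policy_valid "$1" || return 1
    if [ ! -w "$IMA_POLICY_NODE" ]; then
        printf '%s is not writable (securityfs mounted? running as root?)\n' "$IMA_POLICY_NODE" >&2
        return 1
    fi
    printf '%s\n' "$1" > "$IMA_POLICY_NODE"
}

# Stand-alone use: "sh ima-policy.sh check" lists missing kernel options,
# "sh ima-policy.sh load" validates and loads IMA_POLICY_RULES.
case ${1:-} in
    check) _cfg=$(mktemp); ima_running_config > "$_cfg"; ima_config_missing "$_cfg"; rm -f "$_cfg" ;;
    load)  ima_policy_load "$IMA_POLICY_RULES" ;;
esac
```

Once the policy with the audit rule is loaded, executing any binary should produce an INTEGRITY_RULE record, which can be pulled out of the audit log with `ausearch -m INTEGRITY_RULE`; the other event types additionally need the labeled filesystem and the appraise/EVM options the reply lists.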