Message ID | 20250219162131.416719-1-zohar@linux.ibm.com (mailing list archive)
---|---
Series | ima: limit both open-writers and ToMToU violations
On Wed, 2025-02-19 at 11:21 -0500, Mimi Zohar wrote:

Hi Mimi

> Each time a file in policy, that is already opened for write, is opened
> for read an open-writers integrity violation audit message is emitted

I would put a comma after 'for read' and remove the previous ones.

> and a violation record is added to the IMA measurement list, even if an

I would stop the sentence before 'even' and start a new sentence.

IMA does not track previous violations, and emits a new one of the same kind, even if there was one before, resulting in redundant information being produced.

The information might not be redundant though, if process-based credentials are added to the measurement list. In that case, more information about the process causing the violation would be shown.

> open-writers violation has already been recorded.
>
> Similalry each time a file in policy, that is already opened for read,

Typo.

> is opened for write a Time-of-Measure-Time-of-Use (ToMToU) integrity
> violation audit message is emitted and a violation record is added to
> the IMA measurement list, even if a ToMToU violation has already been
> recorded.
>
> Minimize the violations in the audit log and the IMA measurement list.

I would describe more precisely how you are trying to minimize them.

Thanks

Roberto

> Mimi Zohar (2):
>   ima: limit the number of open-writers integrity violations
>   ima: limit the number of ToMToU integrity violations
>
>  security/integrity/ima/ima.h      |  1 +
>  security/integrity/ima/ima_main.c | 16 ++++++++++++----
>  2 files changed, 13 insertions(+), 4 deletions(-)
>
> --
> 2.48.1
>
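The two violation rules quoted in the cover letter (a read open while a writer holds the file is an open-writers violation; a write open while a reader holds the file is a ToMToU violation) and the redundancy Roberto describes can be reproduced in a small user-space model. The Python below is an added example, not code from this thread or from the kernel's IMA implementation. It assumes a hypothetical per-file, per-kind "emit only once" rule to stand in for whatever limit the series actually applies; the file path and the open/close sequence are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Violation kinds named in the cover letter.
OPEN_WRITERS = "open-writers"
TOMTOU = "ToMToU"

# Constructed sample path; not a real file, nothing is opened on disk.
SAMPLE_PATH = "/example/in-policy/binary"


@dataclass
class FileState:
    """Per-file open counts, loosely analogous to an inode's reader/writer counts."""
    readers: int = 0
    writers: int = 0
    # Assumption: kinds of violation already recorded for this file, used only
    # when the per-file limit is enabled. Not IMA's own bookkeeping.
    recorded: set = field(default_factory=set)


class ViolationModel:
    """Model of IMA's open-writers / ToMToU violation checks on open()."""

    def __init__(self, limit_per_file: bool) -> None:
        self.limit_per_file = limit_per_file
        self.files: dict[str, FileState] = {}
        # Stands in for the IMA measurement list: (path, violation kind) records.
        self.measurement_list: list[tuple[str, str]] = []

    def _state(self, path: str) -> FileState:
        return self.files.setdefault(path, FileState())

    def open(self, path: str, mode: str) -> None:
        st = self._state(path)
        if mode == "r":
            # Read open while a writer exists: file contents may change after
            # measurement, so record an open-writers violation.
            if st.writers > 0:
                self._violation(path, OPEN_WRITERS, st)
            st.readers += 1
        elif mode == "w":
            # Write open while readers exist: what was measured can be modified
            # between measurement and use (ToMToU).
            if st.readers > 0:
                self._violation(path, TOMTOU, st)
            st.writers += 1
        else:
            raise ValueError(f"unsupported mode {mode!r}")

    def close(self, path: str, mode: str) -> None:
        st = self._state(path)
        if mode == "r":
            st.readers -= 1
        elif mode == "w":
            st.writers -= 1
        else:
            raise ValueError(f"unsupported mode {mode!r}")

    def _violation(self, path: str, kind: str, st: FileState) -> None:
        # Unlimited mode mirrors the behaviour Roberto describes: every
        # offending open emits a fresh record of the same kind.
        if self.limit_per_file and kind in st.recorded:
            return
        st.recorded.add(kind)
        self.measurement_list.append((path, kind))


def simulate(limit_per_file: bool) -> list[tuple[str, str]]:
    """Run a constructed open/close sequence and return the recorded violations."""
    m = ViolationModel(limit_per_file)
    p = SAMPLE_PATH
    m.open(p, "w")   # writer holds the file
    m.open(p, "r")   # read while writer open -> open-writers
    m.open(p, "r")   # second read while writer open -> open-writers again
    m.close(p, "w")  # writer goes away, two readers remain
    m.open(p, "w")   # write while readers open -> ToMToU
    m.open(p, "w")   # another write while readers open -> ToMToU again
    return m.measurement_list


if __name__ == "__main__":
    for limited in (False, True):
        records = simulate(limited)
        print(f"limit_per_file={limited}: {len(records)} records")
        for path, kind in records:
            print(f"  {kind:12s} {path}")
```

Running it shows four records without the limit (two of each kind for one file) and two with it. Whether collapsing repeats loses information is exactly Roberto's caveat: once per-process credentials are attached to each record, the second open-writers record for the same file is no longer a duplicate of the first.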