Re: [PATCH v2] integrity: track mtime in addition to i_version for assessment

From: Mimi Zohar
Date: Wed Jul 12 2017 - 13:57:11 EST


On Wed, 2017-07-12 at 10:35 -0400, Bruce Fields wrote:
> On Wed, Jul 12, 2017 at 08:20:21AM -0400, Mimi Zohar wrote:
> > Right, currently the only way of knowing is by looking at the IMA
> > measurement list to see if modified files are re-measured or, as you
> > said, by looking at the code.
>
> Who's actually using this, and do they do any kind of checks, or
> document the filesystem-specific limitations?

Knowing who is using it and how it is being used is the big question.
I only hear about it when there are problems.

Over the years, there have been a number of Linux Security Summit
(LSS) talks, which have been mostly about embedded systems or locked
down systems, not so much for generic systems.

Examples include:

- Design and Implementation of a Security Architecture for Critical
Infrastructure Industrial Control Systems - David Safford, GE 2016

- IMA/EVM: Real Applications for Embedded Networking Systems - Petko
Manolov, Konsulko Group, and Mark Baushke, Juniper Networks 2015

- CC3: An Identity Attested Linux Security Supervisor Architecture
- Greg Wettstein, IDfusion 2015

- The Linux Integrity Subsystem and TPM-based Network Endpoint
Assessment - Andreas Steffen, HSR University of Applied Sciences
Rapperswil, Switzerland 2012

Mimi