The example is really too colloquial/verbose.  Please truncate it,
leaving just a sample "key" policy rule, with directions for verifying
the template data against the digest included in the measurement list.
The following command verifies whether the SHA256 hash generated from
the payload in the IMA log entry (listed above) for the .ima key
matches the SHA256 hash in the IMA log entry. The output of this
command should match the SHA256 hash given in the IMA log entry
(in this case, it should be
27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b).
Previously you didn't use the hash value, but ".ima" to locate the
"key" measurement in the measurement list.  In each of the commands
above, it might be clearer.
# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements \
    | grep 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b \
    | cut -d' ' -f 6 | xxd -r -p | tee ima-cert.der | sha256sum | cut -d' ' -f 1
The above command also creates a binary file named ima-cert.der
using the payload in the IMA log entry. This file should be a valid
x509 certificate which can be verified using openssl as given below:
ditto
# openssl x509 -in ima-cert.der -inform DER -text
The above command should display the contents of the file ima-cert.der
as an x509 certificate.
Either the comments should be above or below the commands, not both.
The IMA policy used here allows measurement of keys added to
".ima" and ".evm" keyrings only. Add a key to any other keyring and
verify that the key is not measured.
This comment would be included, if desired, when defining the policy
rule, not here.
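The verification step discussed above (locate the "key" measurement by keyring name rather than by hash, re-hash the payload, and compare it with the digest recorded in the ima-buf entry) as an added Python example; it is not part of the review or of the patch under discussion, and the log lines, the template hash and the DER payload it uses are constructed stand-ins, not real measurements:

```python
import hashlib

# Constructed sample payload: a tiny DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
PLACEHOLDER_TEMPLATE_HASH = "0" * 40  # constructed; not a real template digest


def ima_buf_line(name, buf, digest_of=None):
    """Build one constructed ascii_runtime_measurements line in ima-buf format:
    PCR template-hash template-name algo:digest buffer-name buffer-hex"""
    digest = hashlib.sha256(buf if digest_of is None else digest_of).hexdigest()
    return f"10 {PLACEHOLDER_TEMPLATE_HASH} ima-buf sha256:{digest} {name} {buf.hex()}"


# Constructed log: a file measurement (ima-ng, 5 fields), a consistent .ima key
# entry, and an .evm entry whose payload no longer matches its recorded digest.
SAMPLE_LOG = "\n".join([
    f"10 {PLACEHOLDER_TEMPLATE_HASH} ima-ng sha256:{'1' * 64} /usr/bin/true",
    ima_buf_line(".ima", SAMPLE_DER),
    ima_buf_line(".evm", bytes.fromhex("3000"), digest_of=SAMPLE_DER),
])


def parse_ima_buf_entry(line):
    """Return the fields of an ima-buf entry, or None for any other template."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        return None
    algo, _, digest = fields[3].partition(":")
    return {"pcr": int(fields[0]), "algo": algo, "digest": digest,
            "name": fields[4], "buf": bytes.fromhex(fields[5])}


def verify_key_measurements(log_text, keyring=".ima"):
    """For every key measured onto `keyring`, re-hash the payload (field 6)
    with the algorithm named in field 4 and compare it with the recorded
    digest. Returns a list of (digest_matches, payload_bytes); the payload
    is what the page's command writes to ima-cert.der."""
    results = []
    for line in log_text.splitlines():
        entry = parse_ima_buf_entry(line)
        if entry is None or entry["name"] != keyring:
            continue
        computed = hashlib.new(entry["algo"], entry["buf"]).hexdigest()
        results.append((computed == entry["digest"], entry["buf"]))
    return results
```

Reading the real log is a matter of passing the contents of /sys/kernel/security/integrity/ima/ascii_runtime_measurements as `log_text`; a returned payload can then be handed to `openssl x509 -inform DER` as the page describes.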